Attack Defense: Windows Basic Exploitation #8

Part 8 of our popular attack/defense series on basic windows exploitation.

Attack Defense: Windows Basic Exploitation #8

Hello everyone! I am back with the eighth post on windows basic exploitation using Metasploit. In this, you will learn about exploiting the RMI server and gaining a foothold on the windows server.

RMI server is a java based server for distributed systems. It leverages remote procedure call (RPC) to communicate with different systems. RMI is supplied as part of Sun Microsystem's Java Development Kit (JDK).

The RMI would be vulnerable if the ClassLoader feature is enabled.

The lab is provided by Attack Defense https://attackdefense.com/challengedetails?cid=1952. If you haven't tried this lab, I would recommend you to first give it a shot

So let us begin...

Reconnaissance

On running a Nmap scan against the target IP, I found that port 1099 is serving the RMI server.

Also, I verified this by execution rmi-vuln-classloader Nmap script

The server is indeed vulnerable. Luckily there is a Metasploit module for this

Exploitation

Loading the exploit/multi/misc/java_rmi_server and getting a foothold on the server. You should increase the HTTP delay by at least 60 secs to let the payload execute and start meterpreter shell    

You got your flag!

The images used in this weeks edition were created by photographer and director Brian Cummings. The series looks back at the summer that wasn’t and how we adapted to isolation and the new abnormal.