Forum Discussion
Hi!
I'm right where you are: I manage to execute several commands (not just ‘whoami’), but not the one needed to complete the lab :).
I think the key is to manage to code several *arguments* [0] in the exploit, not just one, getting ‘cmd’ [1] (for example) to read the necessary file.
Good luck!
[0] https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html
[1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmd
Thanks for your suggestions Bluesman. This did lead me down some alternative paths from what I was trying. I have tried many variations, but the format of "cmd.exe"&arg1="/c"&arg2="type"&arg3="C:\token.txt" (URL encoding each arg separately, but left in this form for readability) gets me the closest, in that I get a response that does appear to at least be from what would show in a cmd window, although the data I need is not presented. (This response takes many minutes, whereas cmd?whoami comes back in seconds.)
Have you had any additional success?
- Bluesman, 20 days ago
Bronze III
Hello,
Unfortunately I have not been able to make much more progress; I can run several commands apart from ‘whoami’ (e.g. 'help', 'systeminfo', etc.), but I can't seem to hit the right one to read the token.
I've even tried via Metasploit (I think you can search by the CVE or by ‘iView2’) and I can't get the session on the machine.
I will keep investigating, I think we are close :).
- JWhit101, 19 days ago
Bronze II
Hi Bluesman, I've enumerated the commands that I believe are available in system32, thinking that maybe there was another that would be used to access file contents, but I don't think so... either a 500 error when they don't exist, a proper response, or the response hangs, indicating to me that they are waiting for additional arguments.
I have been in touch with support and they provided a parameter query, but it does not work: the entire cmd being passed just keeps being interpreted as the file to find, not a file with arguments. I will keep you posted on my progress.
- netcat, 18 days ago
Silver II
I think the key is to manage to code several *arguments* [0] in the exploit, not just one, getting ‘cmd’ [1] (for example) to read the necessary file.
Looking at the test.jsp source code, does it accept any arguments at all? I've seen in this thread arg1, arg2, arg3, but they had no effect. But does your test.jsp accept arguments?
- JWhit101, 11 days ago
Bronze II
Bluesman, I have been able to get this working with the help of support. Although the lab specifically provides the exploit to use in the payload, it does not appear to be accurate. (Even any additional articles/examples I found from y4er or others do not seem to include this)
The key is that the exploit payload must include the split command to extract the arguments, which are comma separated. So {99,109,100})).split(\",\")).start(). This explains why a command like whoami, or some others that don't require arguments, works fine, and why the error that we continued to get, indicating "cmd,/c,xxxxxx" command not found, seemed to be interpreting that as the single name of a command.
Once you include this split in the payload, I think you will have luck with just comma separating the arguments discussed earlier. !!Don't forget to URL encode that space in type C:\token.txt!!
I hope that sheds a little light and helps you through this one!
J