Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

HP Device Manager Vulns- 267

Nick Bloor, posted 5 years ago
  • The HP Device Manager listens on TCP port 1099 on the internal networks of many enterprises. This is the default port for the Java Remote Method Invocation (RMI) registry service.
  • Without the corresponding Java classes, you typically cannot interact with the service. However, several recent tools (BaRMI and rmiscout) make it possible to interface with RMI anyway.
  • Every remote call involves deserialization, so the first idea was to attack that. Using some Java gadgets, it was possible to
  • One of the remote calls was named ServGetUser and was used to retrieve HP Device Manager accounts. Using this call, it was possible to steal the users' MD5 password hashes, which could then be dictionary-attacked or brute-forced to recover the passwords.
  • Hibernate is an object-relational mapping (ORM) framework that maps object classes to relational database tables so that developers do not have to write SQL queries by hand. Hibernate Query Language (HQL) is the query language used to retrieve that mapped data.
  • There's this old thing called SQL Injection (SQLi). Although this vulnerability is impactful, it has largely been patched. This application had a query injection in a similar language: HQL Injection (HQLi). After some time playing around with injecting queries into HQL, the author had figured out how to smuggle arbitrary queries through HQL to the installed Postgres database.
  • By being able to inject arbitrary queries into HQL (and hence into PostgresDB), the author used a known privilege escalation/RCE technique in PostgresDB in order to become root.
  • From the HQL injection, it was possible to become the root user! Overall, this was a well-written article with many rabbit holes discussed along the way.
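The HQL injection described in the notes above, shown as an added Java example (not code from the write-up or from HP): a lookup that builds the HQL string from caller input, beside the parameterized form that removes the injection. The DeviceUser entity, its fields and the Hibernate 5 (javax.persistence) setup are assumptions.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Hypothetical entity standing in for whatever backs the ServGetUser call.
@Entity
class DeviceUser {
    @Id public Long id;
    public String username;
    public String passwordHash; // the write-up found MD5 here; bcrypt/argon2 would be the fix
}

public class UserLookup {

    // VULNERABLE: the caller-supplied name is concatenated into the HQL text.
    // A single quote in the input ends the string literal early, so the rest of
    // the input is parsed as HQL and, once Hibernate translates it, reaches the
    // backing Postgres database as part of the SQL statement.
    public static List<DeviceUser> findUserUnsafe(Session session, String name) {
        String hql = "from DeviceUser u where u.username = '" + name + "'";
        return session.createQuery(hql, DeviceUser.class).getResultList();
    }

    // HARDENED: a named parameter is bound by Hibernate, so the value travels to
    // the database as data and cannot change the structure of the query.
    public static List<DeviceUser> findUserSafe(Session session, String name) {
        Query<DeviceUser> q = session.createQuery(
            "from DeviceUser u where u.username = :name", DeviceUser.class);
        q.setParameter("name", name);
        return q.getResultList();
    }
}
```

Reviewing for `createQuery(` calls whose first argument is built with `+` or `String.format` is a quick way to find the unsafe pattern in a Hibernate code base.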