Log4j RCE vulnerability is a popular vulnerability that everyone has probably heard of recently. For those wondering how the exploit of this vulnerability works and for those who want to test in a home environment, we will show you how to quickly set up a vulnerable lab for blue team members.
Not much technical details regarding this vulnerability will be shared here, we will only talk about how to set up the lab environment.
NOTE: Lab environment will be shown for Windows operating system and it is recommended to install it in virtual environment.
- Preparing the Vulnerable Environment
- Attack Development
Before we start, if you want to investigate Log4j Incident on SOC environment. You can use training platform LetsDefend
Preparing the Vulnerable Environment
After downloading the requirements, we can start by running the Minecraft Server.
|“C:\Program Files\Java\jdk1.8.0_181\bin\java.exe” -jar paper-1.12.2-1618.jar
After starting the server, we need to set the “online-mode” option to “false” in the “server.properties” file and restart the server again.
We have a Minecraft server waiting to be exploited, now we need to start preparing to exploit the vulnerability. First, we connect to the server (127.0.0.1/localhost) with the Minecraft client.
We are connected to the server, now we need to prepare the malicious code we want to run on the server.
We compile the exploit.java file and convert it into “.class”.
|“C:\Program Files\Java\jdk1.8.0_181\bin\javac.exe” Exploit.java
Then, we are preparing a simple web service so that the Exploit.class file can be accessed remotely.
Finally, we can start our LDAP server and move on to the exploit stage.
|“C:\Program Files\Java\jdk1.8.0_181\bin\java.exe” -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1/#Exploit
Now, we can move on to the remote code execution phase. We can make “calc.exe” run on the server by entering the payload below in the return chat area of the Minecraft client.
We have created a vulnerable Minecraft server in 3 stages and ran code on the server as a player. You can develop various log analysis and intrusion detection methods with this lab environment you have created.