A Log4Shell Practice Exploitation Range in the Cloud
2022-06-18, 13:00–13:45, Track 1 (UC Conference Rm A)

The Log4Shell vulnerability disturbed more than a few peaceful holiday breaks... Callbacks and shells were popping all over the birdsite, for those of us watching. To play along at home you need some targets though... This talk shows you how to setup those targets in your personal AWS shooting-range in a jiffy (approximately).


This talk will step through the design and implementation of a cloud-based practice range with exploitation targets for the Log4Shell vulnerability. It will begin be describing the Log4Shell vulnerability in a way that is (hopefully) easily understandable at many levels of experience. It will describe the changes required to fully exploit two common software deployment configurations, and walk through automated deployment of that software. The talk will discuss using Terraform and Ansible to configure a network and hosts within Amazon Web Services (AWS). The talk will demonstrate deployment and exploitation of the range.

Electrical Engineer, Computer Scientist, experienced cyber capability developer, Air Force Officer.