Twisted_Code Twisted-Code

Log4J CVE Advisory

The Problem

Log4J has a feature called Java Naming and Directory Interface (shortened to JNDI in this document), which allows a Java program to reach out to an external source to gather data.
If you put a section of text containing ${jndi:query} into the log, the Log4J library will try to resolve the query.
This can be combined with the Lightweight Directory Access Protocol (LDAP) to connect to a remote server.

However, because JNDI is built for retrieving data and is itself a Java program, a JNDI query using LDAP that ends up in a log will connect to the given site, download a file, and then execute it.
This is called Remote Code Execution.

@darkhappy
darkhappy / ARG-Field-Offices.md
Last active December 3, 2021 17:32
Toontown Rewritten - Cog Field Offices ARG

  • Status: Concluded
  • Start date: 2021-11-20
  • End date: 2021-11-29
  • Parts: 4

This is all the information on how to solve the ARG revolving around Toontown Rewritten's Field Offices update.

Help solve ARGs!

/*
* robot.js
*
* You'll need three keys in order to unlock the
* Algorithm: the red key, the green key, and the
* blue key. Unfortunately, all three of them are
* behind human-proof barriers.
*
* The plan is simple: reprogram the maintenance
* robots to grab the key and bring it through
/*************
* ambush.js *
*************
*
* Oh. Oh, I see. This wasn't quite part of the plan.
*
* Looks like they won't let you take the Algorithm
* without a fight. You'll need to carefully weave your
* way through the guard drones.
*
/**********************
* fordingTheRiver.js *
**********************
*
* And there's the river. Fortunately, I was prepared for this.
* See the raft on the other side?
*
* Everything is going according to plan.
*/
/*******************
* intoTheWoods.js *
*******************
*
* Ah, you're out of the woods now. Or into the woods, as the
* case may be.
*
* So take a deep breath, relax, and remember what you're here
* for in the first place.
*
/*************
* colors.js *
*************
*
* You're almost at the exit. You just need to get past this
* color lock.
*
* Changing your environment is no longer enough. You must
* learn to change yourself. I've sent you a little something
* that should help with that.
/****************
* drones101.js *
****************
*
* Do you remember, my dear Professor, a certain introductory
* computational rationality class you taught long ago? Assignment
* #2, behavior functions of autonomous agents? I remember that one
* fondly - but attack drones are so much easier to reason about
* when they're not staring you in the face, I would imagine!
/******************
* minesweeper.js *
******************
*
* So much for Asimov's Laws. They're actually trying to kill
* you now. Not to be alarmist, but the floor is littered
* with mines. Rushing for the exit blindly may be unwise.
* I need you alive, after all.
*
* If only there was some way you could track the positions
/*******************
* multiplicity.js *
*******************
*
* Out of one cell and into another. They're not giving you
* very much to work with here, either. Ah, well.
*
* Level filenames can be hints, by the way. Have I
* mentioned that before?
*