Apache Flink 1.9.x (Part 1: Set Up)

This is blog is to set up your own lab environment for Apache Flink 1.9.x. There was a vulnerability published recently on exploit db and I used it as a learning tool to practice performing code review with Java.

It took me about 2 hours to find and exploit where my starting hold was just the title ‘File Upload RCE’. To set up the environment it is a quick 5 minute process. I used a Ubuntu VM for the base operating system. Below is the link to the exploit.

Step 1: Download the binary of Apache Flink 1.9.x. In this case I used 1.9.2:

Step 2: Extract the contents and go to the following path.

Step 3: Run the start-cluster.sh file

Fig 1: Run the start-cluster.sh file

Step 4: Use netstat or ps aux to check the application is running

Fig 2: Check it is running
Fig 3: Found it on port 8081

After getting Apache Flink set up, you will need to install the following if you want to perform the code review to find and execute the exploit.

  1. Java Decompiler (JD-GUI)

https://github.com/java-decompiler/jd-gui/releases/download/v1.6.6/jd-gui-1.6.6.jar

2. Java for running the Java Decompiler and also creating your own reverse shell .jar file.

That is all for the set up.

Good luck

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store