CVE-2021-44228 (Log4Shell) poses a major threat to Java applications hosted on the internet, carrying a CVSS score of 10.0 and a critical designation. Remote code execution can be accomplished by abusing the Java Naming and Directory Interface (JNDI) lookups within the Log4j logging package. Solar provides a test scenario for exploitation of the vulnerability.
Legal Notice && Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk. By continuing, you acknowledge the aforementioned user risk/responsibilities.
Further enumerate port 8983.
Argument set for
-Dsolr.log.dir set to
Downloaded Task Files
In the solr.log file we can discover an example of the Solr log file that is normally generated.
Proof of Concept
Creating a test scenario
Adding a callback request from the target to the local attacking machine allows a local listener to capture any incoming request.
A listener is set up on port 9999 locally and the payload is sent via curl:
A successful connection from the target system to the attacking system can be established by a crafted injection to the
Set up a local LDAP server.
Craft a Java reverse shell on the attacking machine to create an exploit.
Compile the Java exploit code:
The resulting Exploit.class file is hosted locally and sent to the target via the JNDI payload.
Establishing a foothold on the box as
Running "/bin/bash" with sudo gives a root shell.
Changing the password of solr for the ability to SSH into the target.