Skip to content

Bonus! Red Log4Jack

The screen to start is very complex, but I'm going to copy paste specific things so they're readable. It generally looked like this:

General look

Confirmed the endpoint http://solrpower.kringlecastle.com:8983/solr/ is running Solr

Confirmed solr

Running the marshalsec marshalling service to exploit:

Marshalsec

Code I'm going to compile which will be marshalled, waiting for java to pick it up an deserialize it, causing a shell to bounce back.

Code to compile

The result:

Result

Triggering the exploit:

Triggering the exploit

JNDI reaches out to my ldap server responder:

JNDI

LDAP server responds with a redirection to my waiting web server to deliver the YuleLogExploit.class file:

LDAP responds

Netcat shell!

Netcat shell

Found in /home/solr, the file kringle.txt

Found in /home/solr

And submitting the answer:

Submitting answer