Exploiting Log4j Vulnerability (CVE-2021-44228) - TryHackMe "Solar" Room (by John Hammond)

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Another long boring video with very little content.

👍︎︎ 1 👤︎︎ u/Iltlallil 📅︎︎ Dec 16 2021 🗫︎ replies

Captions

in this video we're going to take a look at the log 4j vulnerability and we're going to do that through the try hackme room which john hammond created i was actually going to make a video on one of the advent for cyber challenges which trihat may have been running this month and because i haven't done any videos on try hat me before in fact my first room completed was john hammond's log 4j this came out just about at the right time i did actually try to make a video on it on monday but ran into a couple of issues which i just decided i would leave it a couple of days and come back to it so we'll have a look at that i have already been through the machine uh but let's go through it step by step anyway so just before we jump into the text that we have here we've got a machine that we need to start so we can start a machine here this will run for one hour although we can extend the time and we can either connect to it through vpn or use the attack box which is like a web-based virtual machine that you can access i'm gonna do it through the vpn which will mean that we have to install a couple of libraries and stuff rather than doing it in the web-based vm but i did actually have some problems with the web based vm the other day as well so i'll describe those when we get into them to connect to the vpn i'm going to run vpn and then try hack me because i've already got a bash alias set up which will just make the connection for me oh nearly connected to the wrong one nearly connected to the wrong one again there we go all right so we connect to that let's make sure we get an ip address yep we can see that we've got our ton zero here so this is our ip address for try hack me which means we'll be able to communicate with other devices other machines on the network including this log4j vm that we just booted up so it takes a minute for the ip address to show but let's go and have a look through some of the texts that we have here so we're told here that on december 9th 2021 the new vulnerability was identified log4j or cve 2021-44228 affecting the login package it was given a severity score of 10 which is the most critical and it allows trivial remote code execution on hosts which use the log4j version the attack has been dubbed log for shell you can now use 2.16.0 which will patch the vulnerability so jndi is fully disabled support for message lookups is removed and new denial of service vulnerability is not present so there's a link to that which we can have a look at go and download and patch your systems and then this just tells us that due to how widely used this package is millions of applications are going to be vulnerable and there's going to be a lot of dependencies to it and they've likened the vulnerability to shell shot due to the nature of its enormous attack surface we'll see this vulnerability for years to come there's a list which you can go to here log for attack lov4j attack service which will tell you which services have been identified as vulnerable and which are not or which have been verified there and we also have some articles here we can take a look at here's one i guess probably is by the company that john works for so i'm sure he had a hand in this article as well and he also made a video going through setting up minecraft and exploiting it on minecraft which is where this vulnerability arose from or was just discovered in but obviously it will affect any applications that are used in the log 4j a very good video definitely check that out and then we've got a note from the author please use this to improve security basically don't be malicious etcetera etcetera and bear in mind that developers will love 4j package work on open source projects and so they're basically not to blame there's like two or three employees who work for this unpaid and that's quite often the case when it comes to vulnerabilities like this if you think back to heartbleed which i think had one full-time developer and he pushed a patch at like one minute to midnight on new year's eve or something which had the vulnerability in it so obviously they can get the blame things like this but the end of the day if you have big corporations and large applications which are making use of these open source packages and they're not diverting some of their funds into helping the developers uh you've got a kind of question who's really to blame for that all right so we've been through our first section which was called introduction and we don't need to answer any questions here so just going to hit completed completed oh we got the correct answer awesome and let's go on to the task 2 which is reconnaissance okay so we're told that we've been given this virtual machine and it has the log4j package in it allowing us to explore the vulnerability we've been given the ip address here and we're told to run nmap against a basic nmap scan so i'm just going to take a copy of this and paste this into the terminal this is just a basic map scan running with verbose mode so that anytime a port is discovered it'll come back and give us that port straight away we don't have to wait till the end of the scan to see which ports are open but it's not doing anything else it's not doing service enumeration or running any scripts or anything like that and it actually did it miss a port let me see here okay we only ran the top 1000 ports there so let's run this again and let's say we want to do all ports all 65k ports and we should come back with what looks like it's going to be eight nine eight three as our port then uh let's see what we need to hit complete on here we'll hit complete here and we need to give the name of the software on port 8983 all right so it's still not even found that to be open yet let me let's take a copy of this address and let's do nmap dash sv for services and then ports 8983 paste an address let's just get that moving while we're waiting for this one as well okay so that came back with apache solar so let's take a copy of that as you can see the room name was uh solar as well and we'll submit that we've got a correct answer so let's move on to the next stage of discovery and for discovery we've got some files to download we've got the task files here let me see i don't think i mean w get that so i'm going to open this up and okay let me create a new directory called logs and let's go and paste these in here just so we've got that ready let's go and have a look through some of the text here all right so it's running apache solar 8.11.0 one example of software known to be vulnerable after the sake of showcasing the vulnerability the application runs on java 1.8.0 181 we're told to explore the web interface available at this url so let's go and take a look at that and get a feel around for the application for more details please visit the official website this instance is provisioned with no data whatsoever it's a flat vanilla absolutely minimum installation and yet at its core is still vulnerable to this cve okay so we're going to log in here we're in this dashboard we can see some configuration settings here we can go into login it doesn't look like we can do too much here security core admin java properties where we have some more of our configuration by looks of it and thread dump okay had a quick look around let's go back and see what it's actually asking us for uh take a close look at the first page visible you should see some clear indicators that log4j is in use within the application for login activity what is the dsolar.log directory set to the solar log directory is this one here var solar logs so we'll take a copy of that paste that in here and we've got another question correct download the attach files okay so we've got the files explore each file get a feel for what's in there let's do that first of all then go into logs i'm just going to open up codium with if we just provide a dot here it'll open this up as a directory and then we can just kind of flick through the logs that we have here okay so we've got our request log which is empty we've got a console log i guess starting the application you can see some versioning stuff like that here and then we actually have our logs here so we've got three different logs i don't like how whenever it gives a 0.1.2 we don't get any syntax highlighting but yeah we can go and have a look through the log we can see our various requests which have been logged here path admin params are empty status zero q times zero okay let's go back and see what it's actually asking us for here and so we've had a look around got a feel for what's displayed in the log one file has a significant number of info entries which file includes the the repeated entry all right well what we could just do here is go ctrl and f and then search here we can see that we've got 104 matches on this log we've got 36 matches here we've got 26 we've got 12 we've got 0 and 0. all right so it's obviously this 104 which is our solar dot log so we'll just enter that here submit that and another question correct what is the path or url endpoint is indicated in these repeat entries that was the admin part right path admin oh path admin cause the liner app nearly got me all right we submit that and viewing these log entries what field name indicates some data entry point that as a user you could control so back here we have the params which are currently set as empty that looks like something which a user would be able to control the parameters let's say params and we've got another one correct all right good stuff so that's the discovery out of the way let's move on to proof of concept and we're told here that the url endpoint needs to be prefaced with a solar prefix so let's take a copy of that url and we can visit that and we notice the params seem to be included in the log file you might be beginning to see the attack vector the log4j package adds extra logic by parsing entries ultimately to enrich the data but may additionally take actions and even evaluate code based off the entry data that's the gist of this cve other syntax might in fact be executed just as it is entered into log files some examples of the syntax are and then we've got some example payloads here which we could use to recover some data you may already know the general payload to abuse the log4j vulnerability the format of the usual syntax takes advantage and looks like so so we have this jndi which is the java naming and directory interface and then here we've got an ldap url with an attacker controlled host so in this case we would be able to provide an ldap server that we control and then from there have a secondary payload which would launch as it says here this indicates the target will reach out to an endpoint and attack a control location in this in the case of this attack via the ldap protocol i'm not going to cover all the details here okay i believe there are other protocols that can be used as well for now know that the target will in fact make a connection to the external location or attack a controlled host and you as an attacker in the scenario can host a simple listener just to view the connection and make sure the attack is working so that would be a way to probe this vulnerability and trying to identify whether services are vulnerable you don't need to try and actually exploit them but you could just see if they can make a callback to a http server that you run the next question is where can we enter the syntax anywhere that data is logged by the application this is the crux of the vulnerability unfortunately it is very hard to determine where the attack surface is for different applications and what applications are in fact vulnerable seeing the presence of log4j files doesn't clue in the exact version number or even how the application might use the package think back to the previous task you already discovered you could supply params to the solar admin cores url and now that you have a better understanding of how log4j works you can understand this is where you need to supply your inject syntax you can simply supply the http get variables or parameters which will then be processed and passed by log4j all this takes a single line of text and makes the vulnerability extremely easy to exploit other locations you might supply this jndi syntax could be username passwords forms data entry points or http headers such as the user agent and exported four or any place for user supplied data and then we also have a link to some slides from a black cat presentation from 2016 where this attack vector was presented i did see some uh tweets about you know people kind of saying that this attack vector was known and kind of having to go at the the developers for this at the end of the day most attack vectors are well known and old you know look at sql injection across that scripting every time we see an attack well we do kind of say why is this still happening but at the same time it's not like this was specifically identified in the package in the log4j package in this presentation okay so with that out the way some background on this let's see if we can do some of the practical side of things it's telling not available 9999 or any poi port of your chosen oh we need to complete here as well complete and then we're given a command here with a jndi payload syntax as we can see here so we're going to make a connection out to this service here you can see here it's basically taken in as a parameter whatever malicious payload so the payload is going to go here and that's going to go into the log and then hopefully be executed all right so i'm going to take a copy of this you can see here it's just noted as well using the dollar sign if you use double quotes here you're going to have some problems and if you don't escape that you're going to have some problems as well oh let me keep that open so let's see what's going on in the background okay and let me just end the scan didn't realize that was still running okay you need to go and update some of this so what's our attacker iep address i'm just gonna delete this let's do ifconfig again take a copy of our address we'll paste that in there and then we'll try and make a connection you'll see here we've got a connection back got some funny looking characters i can't actually type anything here we don't it's not like a shell although it if you're used to doing hack the box so well i suppose try hack me as well if you're used to doing kind of uh vulnerable machines where you would be getting reverse shells this is a similar kind of message that you would see but without this stuff after okay what did it ask us for here no answer needed all right good stuff connection received okay also good okay so that's the proof of concept out of the way onto the best part which is exploitation and it says at this point you've verified the target is in fact vulnerable by seeing this connection caught in your netcat listener however it made an ldap request so all your netcat listener may have seen some non-printable characters which were the strange-looking bytes that we saw here and we need we can now build upon this foundation to respond with a real ldap handler we will utilize an open source public utility to stage an ldap referral server and this will be used to essentially redirect the initial request to the victim to another location where you can host a secondary payload that will ultimately run the code on the target so it breaks down like so so we're going to send this as a payload and we have it's going to reach out to our ldap referral server that we're about to set up and we're going to provide the url here and then the ldap referral server is going to act as a springboard to a secondary http server which will have some kind of malicious resource on it and the victim is going to retrieve and execute that resource from us so we need to set up a http server it's given us an example how to do that we can do python 3-m http server we can also do if you have if you're using python 2 it's python 2-m simple http server and then the port number i have an alias set up for this bash alias so i'm just going to do web up and that's just the same as me doing python3-m http.server port 80 and so i'm doing that port 80 instead of port 8000 so if you're doing this yourself and trying to work through it you'll just bear in mind the port might be different you can also do this with the attack box and here's a video to show how to do some of that okay so that's that done what else do we need to tell us to download something else there no okay complete first order of business is to get the marshall sec utility which will allow us to set up an ldap referral server okay so i'm going to open up that link ultimately needs to be run needs to run java i suggest using java 8 you may have success using a different version but to play by the rules we will match the same version of java on the target machine okay so this is the problem i ran into whenever i tried to do this video on monday and uh in trying to set this up it tells us to go and download this java 1.8 let me take copy this let's open up this mirror let's do control and f and this is what it's telling us to download so if i go and do copy link and then wget and let's see how quickly this goes so i started running through this the other day and you can see here eta six hours i think my eta went up to like several days so i instead i opted for trying out the uh what's it called the attack box but with the attack box whenever running another one of these commands down here the maven command it's the clean packages it ran into some problems it just kept hanging on a certain step all right so that didn't work out i figured i would come back and i expected that in a couple of days we would be downloading this java package a lot quicker uh but that's not the case so what i did is i just went and downloaded it from another mirror and i'm going to copy it from my downloads folder so copy downloads we'll copy that here and that's just the exact same file that we were told to download and then we need to go and set this up so i'm just going to copy and paste a few of these lines so we'll just oh we're not going to need to make that directory because that directory already exists so instead we'll just cd into that directory and i'm going to move our desktop try hack me logs jdk and move that here okay i'm gonna okay let me do sudo tar xv xzvf and then that should be fine so we're just basically unpacking this file no that wasn't fine uh without the dot okay because i was trying to move it to begin with all right so that's gonna unpack our jdk in our user lib jvm and then now we need to just basically say that this is what we want to use i'm not gonna do all this manually or type them out one by one so i'm just going to copy and paste that run that and then let's try and do java dash version and just verify that we're using 1.8.0 this 181 which is what we've just downloaded installed i should have really run java version before doing that just to show that i wasn't already using this version but oh well that's done let's uh let's move on to the next step uh we also need the marshall sec okay so let's let's go and download this as well let me go back to desktop and let's w i know let's get clone this tells us here how we can run this and we're basically just to do this as is here but i'm going to go and copy and paste it from try hack me because they've got the full command already set out for us it's telling us how to do this if we're using the attack box here's the steps download this manually if we want to do that we also need to do sudo apt-get install maven so that we're able to build this so let's do that as well and then here is our command to build the marshall set utility so let's go into marshall sec let's run that hopefully we won't run into any errors hit complete on all this stuff and then this is the command that's telling us to run here which is just what we saw here but with everything filled in all the file names and things like that and this is what we're gonna run well let me go back here let's paste this in and let's go and update our addresses so i'm not using port 8000 i'm using port 80 so i don't need to specify ports that's the default http port and let me run ifconfig again because i don't know what the ip is paste that in all right just so we're ready to go and let's go back no let's go back and see is this finished it has finished build success that's what we'd like to see and let's try and run this other command then all right so it's listening so this is basically just set up a listener on our ldap service this is running like a fake ldap server basically whenever it receives a connection it's gonna make a referral to this ip and this exploit file this is the resource that we're interested in but that means we need to go and create the resource as well so let's go and see what the next step is what is the output of this command um listening on submit that okay and now that it's ready and wait in we can open a second terminal prepare our final payload ultimately log4j will execute arbitrary code that you craft with java programming language okay so we're basically going to take this code to make a shell let's open this up in codium exploit.java make sure you get the file name right here i had this with a lowercase e the other day and it needs to match the java needs to match the actual class name that you have inside the file so just bear that in mind zoomed in way too much and let's grab the ip address again i should really just keep ifconfig open take a copy of that let's paste this in here that's fine we can leave the port as it is 99999 that's what we've got our netcat listing on at the moment and yet all this is doing is it's basically same whenever the log4j passes the log it's gonna see uh let me go back to where we actually have this it's going to see a referral to this ldap server which we've got set up the ldap server is going to send it to to our http server with an exploit on it and then the exploit that it's actually going to execute is going to be this exec and it's just going to call netcat to set up a reverse shell basically to connect to the reverse shell that should be everything we need to build this file let me go back down compile your payload with okay let's do that we compile the payload and okay just completed python http server i think we've still got one running but we'll go and check in a second netcat listener i think we've still got one running as well and then this is going to be our exploit run the above command and catch reverse shell okay so onto the actual exploitation i've got way too many windows open here let's see what we've got and close that one let's set up this netcat listener again i'm gonna close down that one close that one all right so we've got a netcat listener waiting for a reverse shell we've got a http server waiting to serve our exploit we've got an ldap server waiting to receive the connection from the victim i'm going to paste in this curl address we need to go and update our ip address which i'm going to take from okay that's a link i'm going to do ifconfig again and yeah let's paste that in here let's try and run it we've got a response from the curl and let's go and have a look here we can see we got a result here redirecting so it's received a connection to the ldap server and it's redirecting to our http server to grab this exploit.class you can see on an http server it tried to grab that and it's actually got file not found okay so did i not compile that properly or something um ah okay notice that the http server is in logs and we have our exploit.class in marshall second i'm going to assume yeah yeah okay so i'm going to run the web server again there let's just do the same thing again run this curl oh where did it go all right i'm gonna copy and paste again copy and paste that let's check this again all right so made the connection to the ldap server it's redirected to our local http server which is now successfully served up the exploit.class with our reverse shell in it and then our netcat listener has received the connection from and then we can basically check and see who am i with solar we can run various commands as we've now got a shell into the system okay so that's great let's see what's next go and hit completed we'll go and hit complete it again well let's have a look a little retreat so it's basically saying at this point now we've got a full shell so you could do anything now you could install cryptocurrency miner you could use some ransomware or you could just use your shell to snoop around and grab some files all this took was a string of text a little bit of a setup which is freely available and obviously this awesome room which was put together for us by john because i probably wouldn't have bothered to set up much of a demo without it uh some troubleshooting information here if you do run into any problems you can go through that and after receiving a reverse shell feel free to experiment okay complete i'm not going to go through much experimentation let's just go through the the room as is wow there's a lot of steps in the spot all right so that's the exploitation done let's have a look at persistence and it tells us now that we've gained a reverse shell we can continue to take any action we might like we're going to grant ourselves better access to explore the machine analyze affected logs and even mitigate the vulnerability you may have noticed that port 22 was open for ssh now we could add private keys or we could add our authorized key so that we can then ssh in or we could change passwords and whenever we run who am i what do we get well that's the first thing that we ran and we found out we were solar it's telling us here if we want to stabilize our shell we can run some of these commands okay so this is very handy uh basically at the moment if we go and try and type something in here and then do well if we do tabs we don't have auto complete and if we try and use like our character keys here it's not going to give us what we want so uh we can we can use this we can import putty pty spawn bin bash you can see that's already looking a bit better but what we also want to do then is do ctrl and z ssty raw dash echo oh stty sorry wondering what went wrong there and then we can do fg and then we can export term equals x term and now we've basically we can run clear and we basically got full commands here we can see we can do autocomplete if i do ls or if i type something i can use my keys and stuff like that all right so we've upgraded our shell uh okay we don't have bash aliases though that's fine uh let's see what else asks us for complete you can check up permissions with sudo l and it's telling us we can run all commands as root okay complete complete as telling us we can ask that h in here i'm not gonna bother to do that unless we really need to because we've already got a decent enough shell uh but you can go through that if you so choose and we're on to task seven which is detection okay so this stage tells us that finding applications vulnerable to this vulnerability is hard detecting exploitation might be even harder considering the unlimited amount of potential bypasses and that being said there are some tools and scripts and stuff like that which have been put together by the security community and we've got a list of some that might help here so you can go and check some of these out i'm going to check each one individually but we've got a listing of some vulnerable jars and class hashes we've got um yeah seems to be mostly what we're dealing with here uh hashes of vulnerable jar files and class files and we've got some yara rules as well and as a reminder we've got a massive resource available here let's have a look which has got some more links to details okay so all that looks good i'm not gonna go through it on the video here but let's move our way through uh the questions that were asked here it says to explore our own logs use ssh connection or our reverse shell to move into a directory where the solar logs are stored you already know what this path is as you gave it as an answer in task 3. okay so presumably i think it was var log which would make sense but if we go there we don't actually let me have a look it might just be invar yep cd solar okay and then cd logs and there we go all right so i'm just going to take a copy of this for solo logs oh no answer needed okay complete review the log file okay let's see what we've got here cats solar dot log zoom out here it's probably not gonna look very pretty for you but it's to get things on one line it looks a bit better you can see here we have our params which are supplied and you can see right here we have our param which has jndi ldap and then ip address and the port 99999 and then just down below that we have another one which has our exploit in it as well okay terminal too small let's continue and see what's next to ask us something note complete if you'd like to experiment more try some of the bypasses in the task below okay so detection complete let's have a look at the bypasses so this the payload we've looked at is the standard and typical syntax if your penetration test for a red team other syntax might be caught by web application firewalls or easily detected if you're a blue teamer or instant responder you should be actively hunting for and detecting that syntax because the attack leverages log4j the payload can ultimately access all of the same expansion substitution and templating tricks that the package makes available this means that a threat actor could use all sorts of tricks to hide mask or obfuscate the payload with that in mind there are honestly an unlimited number of bypasses to sneak in the syntax we're not going to dive into them all but here's some example so various bypasses here i'm sure a lot more will be discovered as time goes on i saw from somebody on twitter that if you send a request to the http server missing out this curly brace at the end that it will return basically everything after in the from the server i haven't really looked into that just saw it on twitter so maybe somebody can let me know a bit more about that or go and go and have a explore notice the rmi protocol using the last one okay so that's what's saying earlier it's not just the ldap server that can be used to serve up the exploit additionally with the log4j engine you can expand arbitrary environment variables if that wasn't already bad enough consider the damage that could be done even with remote code execution but with a simple ldap connection and exfiltration of the aws secret access key for other techniques we strongly recommend you do your own research so significant number okay and then we've got that link again we're told to use this knowledge for good of course and read the above and remind yourself you're a security professional with a strong moral compass all right yeah i love it okay and on to mitigation so now that you've acted as an adversary for a bit please take off your hakka hat and let's mitigate this vulnerability on the vulnerable machine review the mitigation techniques suggested on okay let's go and take a look so we can see we've got some cv reports here so we can see the various cvs which have been registered for apache solar and mitigations any of the following are enough to prevent this vulnerability so we can upgrade if you're using the official docker image you don't need to worry about it you can manually update the version you can edit your solo.in.sh file to include the following and or you can follow any other mitigations listed here all right so yeah plenty of stuff there i'll not go through it all again just as long as you know where to access this stuff and we're told here to determine where is this file the solo.in.sh because that was one of the options there was to manually modify this so we'll locate that and we'll find where it is does it ask us for the path it does submit okay and then it's telling us we can basically go and add this line so i'm going to do vim uh i just copied that instead all right them default solar dot in sh oh this is read only let's quit and let's do sudo i'm just going to insert this randomly here and then we'll save that and there we go that's done save close the file completed and in order to for that to take effect we need to restart the service so we'll do that as well it's running through restarting complete and to validate the patch has taken place start another netcat listener as you've done before spin up your temporary ldap server and the http server again in separate terminals and then basically try to re-exploit the machine and verify that we have indeed fixed it okay so let's do that then let's uh i'm going to close down this terminal i'm going to just restart our http server oh god sudo kill all dash nine python there we go uh okay i'm gonna stop that and start that as well oh god kill it kill it all you can see my um my method of restarting programs is very legit okay that's that done we need to launch our netcast server again nc nlvp9999 and we want to make this same request again and hopefully this time it's not going to work there we go you see we didn't get a hit on our ldap server we didn't get a hit on our http server because our ldap server didn't get a hit and therefore we didn't get a shell so we've actually just patched this vulnerability without patching the version brilliant all right so done done done all right so we've mitigated the vulnerability uh medication done next is patching so the time has created this exercise 8.11.1 has not been released with a formal patch alongside many other software providers the industry is frantically scrambling to patch their software and push it downstream to end users quickly as they can please be understanding of this frenzy there are so many potential places for this log 4j vulnerability could be present and we may never see the end of this vulnerability for a long long time the onus is on you on me and every single one of us raise awareness of this incident and hold the community accountable for actively responding when the time comes roll out the patches that have been made available and continue to hunt for instances of this vulnerability it takes a village and then where appropriate please ensure your patch login log4j package so 2.16.0 or higher and in this new version jndi is fully disabled support for message lookups is removed and the new dos vulnerability is not present download this release here and then we're told to answer the question below i understand implications of this and will patch early often and always complete great so that's the attend task done we've got task 11 credit and authors notes thank you clicking all the way to the end i sincerely hope the you read these parting words okay i better not skip them then this exercise is brought to you with a wholehearted intent that improves your awareness learning understanding of this vulnerability for the right reasons the material presented to you could not be possible without the incredible contributions from security researchers incident responders system administrators and security practitioners all around the industry we owe an incredible thank you to the professionals all working sleepless nights around the clock for going the weekend and fun time with friends and family to better protect the internet while hollywood hacking is cool and flashy cyber security is a team sport please review the external resources and make this community a better place awesome so that's it my first try hack me machine done although i did actually do it already i just came back to record it so all in all a great room i'm glad this could be my first room completed on try hack me and try happy in general i think's a great platform it's very different to hack the box which i'm used to but i do like the kind of mix of questions and theory here you know because at the box really just forces you to go and google things and try and try harder as they say but um this is a great format as well i'll definitely try and check out some more try hack me in the coming months um and yeah great room by john hammond huge respect for all the work he's done around this vulnerability and putting out information and obviously this practical resource for us to play around with the vulnerability uh interested to see if people want me to do more try hack me rooms or do you want me to keep going with hack the box or just general capture the flag stuff let me know in the comments below thanks for watching bye

Info

Channel: CryptoCat

Views: 3,878

Rating: undefined out of 5

Keywords: TryHackMe, THM, log4j, CVE-2021-44228, solr, apache vuln, log4j exploit, deserialization, JNDI, JDNI, LDAP, 44228, Solar, John Hammond, Apache, ethical hacking, bug bounty, cyber-security, pen-testing, penetration test, redteaming, infosec, enumeration, exploitation, hacking, security, cyber, websec, appsec, reverse shell, tutorial, learn, writeup, oscp, oswe, offsec, offensive security, training, filter bypass, shell expansion, capture the flag, CTF, nmap, marshallsec, java, log poison, log4shell, log 4 j, minecraft

Id: PGJVLjgC2e4

Channel Id: undefined

Length: 38min 50sec (2330 seconds)

Published: Wed Dec 15 2021