Holiday Hack 2021: Log4j
Overview
The Log4j / Log4Shell vulnerability broke just as Holiday Hack was coming online, and Counterhack didn’t want to wait a year to showcase it. They added two Cranberry Pi terminals right at the North Pole entrance, one showing the Blue (defensive) side and one showing the Red (offensive) side of Log4j exploitation.
Terminal - Bonus Blue Log4Jack
Challenge
Bow Ninecandle is late to KringleCon, but ready to talk about Log4Jack:
Well hello! I’m Bow Ninecandle!
Sorry I’m late to KringleCon; I got delayed by this other… thing.
Say, would you be interested in taking a look? We’re trying to defend the North Pole systems from the Yule Log4Jack vulnerability.
This terminal has everything you need to get going, and it’ll walk you through the process.
Go ahead and give it a try! No previous experience with Log4j required.
We’ll even supply a checker script in the terminal for vulnerable libraries that you could use in your own environment.
The talk Prof. Petabyte is giving will be helpful too!
Oh, and don’t worry if this doesn’t show up in your badge. This is just a fun extra!
Bow provides three hints as well:
- Software by the Apache Foundation runs on devices all over the internet
- Josh Wright’s simple checker script uses the power of regex to find vulnerable Log4j libraries!
- Prof. Qwerty Petabyte is giving a lesson about Apache Log4j.
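To show what a library checker of the kind the second hint describes actually does, here is an added example written for this writeup. It is not Josh Wright's script and not the checker shipped in the terminal. It walks a directory tree, opens every jar/war/ear with Python's zipfile module, reads the `pom.properties` that a Maven-built log4j-core jar carries (the `META-INF/maven/org.apache.logging.log4j/log4j-core/` path is the real layout), parses the version, and flags anything on the 2.x line below 2.17.0. It also reports whether `JndiLookup.class` is still present, since deleting that class from the jar was the documented mitigation for people who could not upgrade. The `build_sample_jar` and `demo` helpers construct throwaway jars in a temp directory purely so the scanner can be run offline; the class bytes and version strings in them are made up.

```python
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Optional

# Paths that a Maven-built log4j-core jar really contains.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# 2.17.0 closed CVE-2021-44228, -45046 and -45105 on the main 2.x line.
# Caveat: the Java 7/6 backports (2.12.4, 2.3.2) are fixed as well but sort
# below this threshold, so this conservative check flags them too.
FIXED = (2, 17, 0)


@dataclass
class Finding:
    path: str
    version: str                # raw Maven version, or "unknown" for shaded jars
    vulnerable: Optional[bool]  # None when the version could not be determined
    jndi_lookup_present: bool


def parse_version(raw: str) -> Optional[tuple]:
    """'2.0-beta9' -> (2, 0, 0, 'beta9'); '2.14.1' -> (2, 14, 1, '')."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([\w.]+))?", raw.strip())
    if not m:
        return None
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0), qualifier or "")


def is_vulnerable(version: tuple) -> bool:
    """Only the Log4j 2.x line ships JndiLookup; anything below 2.17.0 is flagged.
    A pre-release of the fixed version (e.g. 2.17.0-rc1) is not the fix."""
    if version[0] != 2:
        return False
    return version[:3] < FIXED or (version[:3] == FIXED and version[3] != "")


def inspect_jar(path: str) -> Optional[Finding]:
    """Return a Finding for jars that carry log4j-core, None for everything else."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            has_jndi = JNDI_CLASS in names
            if POM_PATH in names:
                pom = jar.read(POM_PATH).decode("utf-8", "replace")
            elif has_jndi:
                pom = ""  # shaded/fat jar: classes present, Maven metadata stripped
            else:
                return None
    except zipfile.BadZipFile:
        return None  # not a zip, or corrupt: nothing to inspect
    m = re.search(r"^version=(\S+)", pom, re.M)
    raw = m.group(1) if m else "unknown"
    parsed = parse_version(raw)
    vulnerable = is_vulnerable(parsed) if parsed else None
    return Finding(path, raw, vulnerable, has_jndi)


def scan(root: str) -> list:
    """Walk a directory tree and inspect every jar/war/ear found.
    Jars nested inside a war/ear are not unpacked; add that if you deploy them."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".jar", ".war", ".ear")):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return findings


def build_sample_jar(path: str, version: str, include_jndi: bool = True) -> str:
    """Constructed fixture (not a real log4j jar): minimal archive with log4j-core's layout."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PATH, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return path


def demo() -> dict:
    """Scan a temp tree with vulnerable, fixed and hot-fixed jars.
    Returns {relative path: (vulnerable, jndi_lookup_present)}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_jar(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
        build_sample_jar(os.path.join(root, "log4j-core-2.17.0.jar"), "2.17.0")
        # Old version with JndiLookup.class removed: the class-deletion mitigation.
        build_sample_jar(os.path.join(root, "patched", "log4j-core-2.14.1.jar"),
                         "2.14.1", include_jndi=False)
        return {os.path.relpath(f.path, root).replace(os.sep, "/"):
                (f.vulnerable, f.jndi_lookup_present) for f in scan(root)}


if __name__ == "__main__":
    for rel, (vuln, jndi) in sorted(demo().items()):
        print(f"{rel}: vulnerable={vuln} JndiLookup.class present={jndi}")
```

Read the two columns together: a jar that is version-vulnerable but has no `JndiLookup.class` was hot-fixed by class removal, while a shaded jar that reports `unknown` with the class present needs a manual look, because the version check alone cannot clear it.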
Solution
This is another terminal that’s more of a walkthrough than a challenge. I’ll solve it here with commentary:
Terminal - Bonus Red Log4Jack
Challenge
Icky McGoop is also ready to talk Log4Jack:
Hey, I’m Icky McGoop.
Late? What’s it to you? I got here when I got here.
So anyways, I thought you might be interested in this Yule Log4Jack. It’s all the rage lately.
Yule Log4Jack is in a ton of software - helps our big guy keep track of things.
It’s kind of like salt. It’s in WAY more things than you normally think about.
In fact, a vulnerable Solr instance is running in an internal North Pole system, accessible in this terminal.
Anyways, why don’t you see if you can get to the yule.log file in this system?
Icky also provides two hints:
- Join Bishop Fox for a discussion of the issues involved.
- Josh Wright’s help document for the Red challenge.
Solution
Much like the Blue exercise, this is more of a walkthrough than a challenge, solved by following the gist. I’ll show it here: