Port enumeration

Using nmap, I found some open ports. 96dca9343cb76bcc457f8604b4be5748.png ssh in 22, http in 8080, 8443, and a ibm db in 6789.

Web enumeration

In port 8443 we can find a UniFi instance. 3a1e1f10698080bf854384e2c83eba2f.png This instance is vulnerable to CVE-2021-44228. 4b55d7c780eb3e10f6165a87f2658fc7.png

LDAP injection

This vulnerability allows me to execute code using a ldap injection. With this instance, Im able to obtain a reverse shell, creating our own LDAP server who will provide the reverse shell and ejecuting the injection. f1f7fd24ee266c5932c28151f5604395.png 73fa76faa64fd7596bcbd7ada1870684.png 90385c4dd7936f529fb270e1dd94ef4b.png 1437bc47735732d3f534806ae2947910.png Using this shell, Im able to read the user flag. af210a914d3ecc3796884f536c64bf02.png

Privilege escalation

Inside the machine, I found a mongodb instance. 79a4c68db8be1e89838a6badacd1e70c.png d1e6c1e84dba4a7fef05d0d6307d595f.png 715a2fba928fe0798e9a0d45d01f75a8.png Here, I was able to found some hashes. 5c4a5bf320493c4f5ce619ad4bd27400.png I cannot crash the hashes, but I can overwrite my own password. 1e22310b6b6d227c862d19d1d08f7969.png 0bf5df9822c0430a806600fcfabbeb85.png With this password, I can access to unifi admin panel. 78db3137aa6c821d88890ea686150aca.png Using this instance, I can log ass root with the saved password in ssh as root. ea5524117b93cb5c46b13d5b6fbcc43b.png c786a72be2d55162454b6492003b71fe.png bd75f69c022efb94f9e041c27915e215.png