Sunday, September 15, 2024

Creating a new user in a locked out Ubiquiti UniFi Controller

 I had a scenario recently where my Ubiquiti Cloud Key was not working properly. I could sign into the Cloud Key itself on the local IP with the default credential of ubnt/ubnt. However I could not sign into the  UniFi controller, which uses an email and password. I did have an email with an account, but the UniFi Controller never sent me a password reset when I clicked on "Forgot my Password". So, I was basically locked out. Thankfully, there is still a way in. I had a Gen 1 Cloud Key (no bluetooth) on version 1.1.19 and the UniFi Controller was on version 7.2.97.


Thankfull the SSH credentials had not been changed. If yours have changed from the default ubnt/ubnt or root/ubnt, root/password,hi then you will need to reset the cloud key. 


Someone out there smarted than me has created a Python Script that can create a new super admin. use Wget to download the file off Github: 


wget https://raw.githubusercontent.com/HostiFi/support-tools/main/lib/unifi/py/create-super-admin.py 



In case this file has been lsot, here is a copy on this article:



import crypt
from datetime import datetime
import os
import string
from random import SystemRandom
import argparse
import pymongo
import random
import logging

parser = argparse.ArgumentParser()
parser.add_argument('-u','--username', help='UniFi username to create', required=True)
parser.add_argument('-p', '--password', help='UniFi password to create')
parser.add_argument('-e', '--email', help='UniFi email to create', required=True)
parser.add_argument('-r', '--read-only', action='store_true', help='If exists, a read-only Super Admin will be created')
args = parser.parse_args()

randchoice = SystemRandom().choice
password = ''.join(random.choice(string.ascii_letters) for i in range(8))

def sha512_crypt(password):
    salt = ''.join([randchoice(string.ascii_letters + string.digits) for _ in range(8)])
    prefix = '$6$'
    return crypt.crypt(password, prefix + salt)

def create_super_admin(password):
    logging.info("Creating UniFi Super Admin")
    logging.info("Connecting to MongoDB...")
    client = pymongo.MongoClient("mongodb://127.0.0.1:27117/ace")
    mdb = client.ace
    logging.info("Inserting Admin...")
    new_admin_id = mdb.admin.insert_one({
        "email" : args.email,
        "last_site_name" : "default",
        "name" : args.username,
        "x_shadow" : sha512_crypt(password),
        "time_created" : int(datetime.utcnow().timestamp()),
    }).inserted_id

    site_filter = {"key": {"$ne": "super"}}
    if args.read_only:
        logging.info("Promoting Admin to Read-Only Admin...")
        role = "readonly"
    else:
        logging.info("Promoting Admin to Super Admin...")
        role = "admin"
        site_filter = {}

    site_ids = [site["_id"] for site in mdb.site.find(site_filter, [])]
    if site_ids:
        mdb.privilege.insert_many(
            {
                "admin_id": str(new_admin_id),
                "site_id": str(site_id),
                "role": role,
                "permissions": [],
            } for site_id in site_ids
        )

    print("UniFi Super Admin created")
    print("Username: " + args.username)
    print("Password: " + password)

if __name__ == "__main__":
    create_super_admin(args.password or password)

This script has some dependencies. You need to make sure Python is installed. If Python3 is not installed, run the following command:


apt-get install python3

Once Python3 is installed, you need PIP, the Python package manager. Run the following command to installed PIP. This will also install wheel and setuptools


python3 get-pip.py




Lastly you will need PyMongo. This will let python interact with the databas that has the usernames of the Ubuquiti users on it. I had trouble using the latest version of PyMongo, and specifically installed version 3.4.0 and the script executed successfully. 

sudo python3 -m pip install pymongo==3.4.0

Finally we have all our dependencies. We can run the create-super-admin.py script. Use the flag -u for username and the flag -p for password, with flag -e for email. 

python3 create-super-admin.py -u username -p password - email@gmail.com




This will sckip the email verification step and you will have a new super admin that you can use to log into the controller with! Hope this helps. 






Thursday, May 16, 2024

Finding a file Hash Natively in Windows with CertUtil

A hash function is any function that can be used to map data of arbitrary size to fixed-size values, though there are some hash functions that support variable length output. The values returned by a hash function are called hash values, hash codes, hash digests, digests, or simply hashes. The values are usually used to index a fixed-size table called a hash table. Use of a hash function to index a hash table is called hashing or scatter storage addressing.

In Windows, we can natively perform a hash check on a file using "CertUtil". CertUtil is actually used for manage certificates, but it also can perform hash checks. We would want to has a file for the purpose of verifiying a file integrity. 

We can use the command certutil -hashfile -? to see a list of all available options. 




CertUtil supports the following hash algorithms:
MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512

We can run the command on a file to get a filehash: certutil -hashfile filename SHA256




Once we have the file hash we can compare that against an original to see if changes have occured, or upload the hash to a service like VirusTotal to see if the hash belongs to a file that is malicious.



Thursday, May 2, 2024

How to use XPath to query Windows Event Logs

Windows Event logs under the format EVTX are actually recorded with XML. You can use XPATH to query XML. I deally, you would never need to do this, as you can export Windows Event Logs to a SIEM. However, you may need to query the Event Log Directly, and the bui;t in search is pretty terrible. If you get used to the XPATH Sytanx, you can make it a lot easier to query the Windows Event Log. 

First, Open the Windows Event Log. In our examples, we will be querying the Security Event Log. In the Right panel, press "Filter Current Log..."



Click the XML Tab at the top right, then select at the bottom "Edit Query Manually"




Specific Account logging on:

For whatever reason, The "User" field in the Filter does not actually work post Windows 2003, which is very frustrating. we can actually search for users via XPATH. In this example I am looking for a specific Windows Event IDs 4648 and 4624. 




<QueryList>

  <Query Id="0" Path="Security">

    <Select Path="Security">*[System[(EventID=4648 or EventID=4624)] and EventData[Data[@Name="TargetUserName"]="accountname"]]</Select>

  </Query>

</QueryList>


Checking a user login to a specific process:


In this example, we have multiple Sites in IIS that AD users can authenticate to. We want to look at just one of those web apps, as to not have to sift through all the sign ins. The ProcessName field can be filtered down to the name of any process, in this case, IIS. 


<QueryList>

  <Query Id="0" Path="Security">

    <Select Path="Security">*[System[(EventID=4648)] and EventData[Data[@Name="TargetUserName"]="bob"] and EventData[Data[@Name="ProcessName"]="C:\inetpub\sites\ecommerce\ecommerceweb\Bank.Web.exe"]]</Select>

  </Query>

</QueryList>




Query for NTLM v1

As part of auditing, you may be looking to eliminate NTLMv1 usage. This can be quieried with XPATH like such:

<QueryList>

  <Query Id="0" Path="Security">

    <Select Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name="LmPackageName"]="NTLM V1"]]</Select>

  </Query>

</QueryList>


Like my work? Donate here: https://buymeacoffee.com/forensicnoobsecurity 






Sunday, May 10, 2020

Finding the Homepage in the Windows Registry: Cal Poly FAST CTF Challenge 21

Question: What is the exact URL of the start page for Internet Explorer?
Points: 100
Download File from: https://github.com/mfput/CTF-Questions/raw/master/NTUSER.DAT
Hint: no hint
Answer: http://www.virustotal.com/
Note: NTUSER.DAT\Software\Windows\Internet Explorer\Main










Find Chrome Version from Windows Registry: Cal Poly FAST CTF Challenge 20


Question: What is the exact version of Google Chrome installed?
Points: 100
Download File from: https://github.com/mfput/CTF-Questions/raw/master/NTUSER.DAT
Hint: no hint
Answer: 49.0.2623.112
Note: NTUSER.DAT\Software\Google\Chrome\BLBeacon







User Assist Forensics 2: Cal Poly FAST CTF Challenge 19

Question: When was the last date ProcMon.exe was run? FORMAT: YYYY-MM-DD
Points: 200
Download File from: https://github.com/mfput/CTF-Questions/raw/master/NTUSER.DAT
Hint: None
Answer: 2017-04-18
Note: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssit\GUID\Count







User Assist Forensics: Cal Poly FAST CTF Challenge 18

Question: How many times was minesweeper run? FORMAT: ##
Points: 200
Download File from: https://github.com/mfput/CTF-Questions/raw/master/NTUSER.DAT
Hint: None
Answer: 06
Note: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssit\GUID\Count