Modifying a Menu Item on a WordPress theme is not too difficult. The basic steps are:
1. Add Menu Item
2. Add CSS Class to specific menu item
3. Customize the new CSS class by using the Additional CSS Options
Add Menu Item
Add or customize a menu item by going to Appearance -> Menu
Add a CSS Class to Menu Item
You can add a CSS class to an existing menu item, or you can create a new menu item.
Create Menu Item
Select Screen Options
Enable CSS Classes. (Needed for the next step)
Under the Menu option, set a CSS class. (Name it something unique so it doesn’t interfere with other CSS classes. We’ll configure the CSS in the next step)
Customize CSS
Now we can set up and customize the CSS class by going to Appearance -> Customize
Now find where the “Additional CSS” setting is. If it is not under the main list, try looking under “Advanced”. The Additional CSS editor page should look like the following.
Once there, add all the CSS you want to change color, padding, etc.
You can make it look like a button by adding things like
Run binwalk with the -e option to extract the binary file
binwalk -e ./WA.v8.7.11.46972.220614.0420.bin
Binwalk should create a _WA.v8.7.11.46972.220614.0420.bin.extracted directory which we should be able to browse. The main “filesystem” is under squashfs-root.
# ls ./_WA.v8.7.11.46972.220614.0420.bin.extracted/squashfs-root
bin dev etc init lib mnt proc run sbin sys tmp usr var
Who is this mcuser on Ubiquiti devices? Nothing shows up in the radio config file about it, but the user shows up in /etc/passwd
mcuser is used for AirControl2. If we look at what is in the passwd file, we’ll notice that there is a ! at the beginning of the hash, meaning that this password is disabled because the hash is not a proper hash. It’s only 10 characters long instead of the normal 13 for Unix DES hashes.
There is a valid ssh key, so the mcuser can ssh to the device without a password and do what it needs to do. Doing an ls on a device shows the following.
Refer to the following article on removing AirControl Provisioning
The problem: Linux servers have been configured to send their local syslogs to LibreNMS, but the logs are not showing up under LibreNMS -> DEVICE -> Logs -> Syslog
After a bit of troubleshooting, I found that the issue is that the hostname being sent with the logs is different from what LibreNMS has for the device. It appears that some Linux distributions will or can use an abbreviated system hostname. There is a section in the LibreNMS docs about this.
Recently ran across some AirGateway configs that had an extra user account on them. Typically on most Ubiquiti AirMax and AirGateway equipment, there are two user accounts that show up in the config.
users.1.* which is the admin user.
users.2.* which is the read only user. Disabled by default
A cool trick we can do is add users in the config (i.e. users.3, users.4, etc.)
So what do you do when you see a third user showing up that you didn’t put there?!
The username was the MAC address of the device and the password field is a DES(Unix) hash of what appears to be an 8 character randomly generated upper and lower case password.
Older AirOS versions only let a user select a password up to 8 characters long. You could create a longer one and log in via SSH, but you wouldn’t be able to log into the web interface.
Identifying Access
So how did these get on here in the first place?
I am guessing that the users were created at some point while trying to adopt them to UNMS/UISP before there was firmware that supported it. The user name is the actual MAC address of the device and the passwords do seem to be randomly generated. There do not appear to be any major differences between the support files from a normal AirGateway and a suspicious AirGateway.
It also appears to only affect AirGateways, which were the only devices that had issues in the past connecting to UNMS/UISP. The rest of the AirMax equipment uses very similar firmware, so if there was a security issue, it should have affected all the devices.
The hashing type “DES(Unix)” does not appear to be used anymore, being replaced with MD5 Crypt. So this does appear to have happened a while ago.
The -1?l?u lets us specify a custom character list made up of ?l and ?u: lower and upper case letters. --session airgateway will record a checkpoint every so often, so if our run gets interrupted, we can restore the session with
./hashcat.bin --session airgateway --restore
Remediation
Fortunately, remediation is fairly simple.
SSH into the affected device and open up the config file
vi /tmp/system.cfg
Find the lines that start with “users.3.”, delete them, and save the file
Run the following command to save the changes.
/usr/etc/rc.d/rc.softrestart save
If you are not comfortable with the command line, then you can, through the web gui, download a backup, edit the backup file in a text editor, then upload/restore the backup.
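To spot this kind of unexpected account in a downloaded config backup before editing it, the following added example (not from the original post or from Ubiquiti) lists every users.N slot above 2, and reports whether the name looks like a MAC address and whether the password field has the shape of a DES(Unix) or MD5 Crypt hash. The key names users.N.name and users.N.password, the function names, and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed key layout: users.N.name=..., users.N.password=...

# Constructed sample config; the password values are placeholders, not real hashes.
sample_cfg() {
cat <<'EOF'
users.status=enabled
users.1.name=admin
users.1.password=$1$constructed$notarealhashvalue00000
users.1.status=enabled
users.2.status=disabled
users.3.name=AABBCCDDEEFF
users.3.password=abCDefGH12345
users.3.status=enabled
EOF
}

# Print one line per user slot above 2 (users.1 = admin, users.2 = read-only).
# Reads the files given as arguments, or stdin when none are given.
find_extra_users() {
    awk '
    /^users\.[0-9]+\./ {
        eq = index($0, "=")
        if (eq == 0) next
        split(substr($0, 1, eq - 1), key, /\./)
        val = substr($0, eq + 1)
        seen[key[2]] = 1
        if (key[3] == "name")     name[key[2]] = val
        if (key[3] == "password") pw[key[2]] = val
    }
    END {
        for (i in seen) {
            if (i + 0 <= 2) continue
            # A MAC-style name: 12 hex digits once any : or - is stripped.
            mac = name[i]; gsub(/[-:]/, "", mac)
            is_mac = (length(mac) == 12 && mac ~ "^[0-9A-Fa-f]+$") ? "yes" : "no"
            # Classify by shape only: $1$ prefix = MD5 crypt, 13 chars = DES(Unix).
            if (substr(pw[i], 1, 3) == "$1$") kind = "md5crypt"
            else if (length(pw[i]) == 13 && pw[i] ~ "^[./0-9A-Za-z]+$") kind = "des"
            else kind = "other"
            printf "users.%s name=%s hash=%s mac_named=%s\n", i, name[i], kind, is_mac
        }
    }' "$@" | sort
}

sample_cfg | find_extra_users
```

Run it against a real backup with find_extra_users backup.cfg; no output means only users.1 and users.2 are present.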
Other notes
Something else you may run across is a mcuser that shows up in /etc/passwd. This is typically a user used for AirControl, so if you have used AirControl in the past that is most likely why it is there. Check out the following article to remove the user.
Function expressions can be anonymous. To make the above function anonymous, remove “myFunction”. It would then read “function (num1, num2)”
Typically it is a good idea to name your function expressions as debugging anonymous functions can be a bit more difficult.
A warning about function expressions. They are not hoisted like function declarations. Just be sure that you define the function expression before you call it.
Arrow Function Expressions
Arrow functions are a compact version of function expressions that are always anonymous. They can be a bit tricky to get the syntax correct. Refer to the link below to get a better list of syntax and use. Arrow functions also have some other limitations. They do not have bindings to this, arguments or super.
Anonymous functions are functions that don’t have a name. For instance
function () {
  // do something
}
Does not have a name and is therefore an anonymous function. Arrow functions are always anonymous.
When would you need to use an anonymous function?
One good example is when you want to call a named function from a timer, or when a button is clicked. For instance
// Find object id myButton
let buttonObject = document.getElementById('myButton')
// Add an event listener, and run Log function when clicked.
buttonObject.addEventListener('click', Log)
// If we call Log(), it will immediately trigger the function
function Log () {
  console.log("Hello World!")
}
But what if we want to pass in a variable to the Log function? We can’t run Log('some text') as the function will run before we click the object.
We can however wrap the Log function inside of an anonymous function like so
let buttonObject = document.getElementById('myButton')
// Now Log() function will be run with the variable getting passed.
buttonObject.addEventListener('click', function () {
  Log('Hello World!')
})
function Log (textVariable) {
  console.log(textVariable)
}
And our Log function gets triggered when the object is clicked, and the variable is passed properly. You can swap out function () with an arrow function () =>