UltraTech

Mihir Walia
SecOnset


Hey Guys! This is a write-up for the room UltraTech on TryHackMe.

https://tryhackme.com/room/ultratech1

UltraTech is a medium-level room, and to solve it you need to know the basics of penetration testing, enumeration, privilege escalation and web app testing.

Let’s begin our reconnaissance by scanning ports and services with nmap.

nmap -sC -sV -p- -v -oN nmapall <IP>

# Nmap 7.91 scan initiated Fri Jan 15 13:49:25 2021 as: nmap -sV -sC -p- -v -oN nmapall -T4 10.10.43.96
Warning: 10.10.43.96 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.43.96
Host is up (0.14s latency).
Not shown: 65521 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:66:89:85:e7:05:c2:a5:da:7f:01:20:3a:13:fc:27 (RSA)
| 256 c3:67:dd:26:fa:0c:56:92:f3:5b:a0:b3:8d:6d:20:ab (ECDSA)
|_ 256 11:9b:5a:d6:ff:2f:e4:49:d2:b5:17:36:0e:2f:1d:2f (ED25519)
323/tcp filtered rpki-rtr
8081/tcp open http Node.js Express framework
|_http-cors: HEAD GET POST PUT DELETE PATCH
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
10807/tcp filtered unknown
29682/tcp filtered unknown
31331/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 15C1B7515662078EF4B5C724E2927A96
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: UltraTech - The best of technology (AI, FinTech, Big Data)
36089/tcp filtered unknown
37181/tcp filtered unknown
47442/tcp filtered unknown
54550/tcp filtered unknown
55502/tcp filtered unknown
60451/tcp filtered unknown
63957/tcp filtered unknown
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 15 14:02:16 2021 -- 1 IP address (1 host up) scanned in 771.32 seconds

Whoa, a lot of ports showed up, but most importantly we can see 2 different HTTP servers running on 2 different ports (8081 and 31331).

Next, let’s do some directory enumeration with dirsearch on port 8081.

Well, we got 2 endpoints; let’s check what they do.

We got an error and many links to some JS files. We’ll check these later; first we’ll scan the other port, 31331.

Oh robotsssss, my favorite, let’s look into it. We also found a js/javascript directory, which might be interesting and related to the error we found earlier.

Another link, huh? I’m gonna check this sitemap; hope we find something good.

Some more pages for the web app, but nothing very interesting except that partners.html has a login page.

Anyway, looking around we found an API file in the js directory. There’s a line referencing the ping page, and now we know how it can be misused.😈

The function calls the ping page with an ip parameter, and the server uses that parameter to run a system command. Let’s try it.

It works!!! Let’s check what we can do with it.

We got a SQLite file. I bet we can get some credentials from it.

Told ya! We got creds for the user r00t, stored as a hash. Let’s put this into CrackStation and crack it.

Now that we have a username and password, we can just log in through SSH using them.

We got a shell; now we can try to escalate our privileges. Let’s check the SUID binaries and the user’s rights.

Nothing very useful, except that our user has rights with docker. Since the Docker daemon runs as root, being allowed to talk to it is effectively root-equivalent. Checking GTFOBins for abusing docker.

We got a command to get a shell using docker, but we need to check the available images first.

There’s only one image available, named bash. Time to attack it.

We got root, and we can see the SSH key in “~/.ssh/id_rsa”.

Here we go! We have successfully completed the room UltraTech.

Thank you for reading this walkthrough. If you liked it, please like it and share it with your hacker buddies.
