TryHackMe: UltraTech by lp1

hamby
5 min read · Nov 23, 2021

UltraTech by lp1

IP = 10.10.186.15*
Difficulty: Medium
Machine OS: Linux
Learning Platform: tryhackme.com
Finished on: Arch Linux
  • Note: IP address may vary.

Reconnaissance

Scoping and Preparation

  • Connect to the OpenVPN server using: sudo openvpn {PATH_TO_OVPN_FILE}
  • I used my tool CTFRecon to automate directory creation, network scanning, web directory brute-forcing and adding an entry to the /etc/hosts file.
  • To use CTFRecon:
  1. git clone https://www.github.com/hambyhacks/CTFrecon
  2. cd CTFRecon
  3. chmod +x ctfrecon.sh && cp ctfrecon.sh ../
     # to move ctfrecon.sh to your working directory.
  4. sudo ./ctfrecon.sh [IP] [DIRECTORY NAME] [PLATFORM] [WORDLIST]
     # platform refers to hackthebox (htb) or tryhackme (thm). Wordlist is used for GoBuster directory brute-forcing.

Preliminary Enumeration via nmap

Table 1.1: nmap Results Summary

Nmap Result summary
  • Based on the nmap result, we can see that the web servers are not on the standard HTTP/HTTPS ports (80 and 443). In this case the web servers are on ports 8081 and 31331.
Nmap result of Ultratech

Enumeration

FTP Enumeration

  • Looking at our nmap result, there is not much we can do with the FTP service since it does not allow anonymous login. We also searched exploit-db for exploits matching this version, but the only result is a remote denial-of-service exploit, which is not useful for us.
FTP Remote Denial-of-Service exploit

Manual Web Enumeration

  • Since there is no webpage on port 80, we navigate to port 8081, which is a web server.
UltraTech API on port 8081.
  • Based on our nmap scan, port 8081 is running a Node.js framework.
  • Let’s now look at the service on port 31331, which is an Apache web server.
Webpage at port 31331.
  • Looking at the functionality of the webpage, we found another endpoint called /what.html.
what.html contents show an unfinished part of the webpage.
  • This shows a developer’s comments on a production webpage.
  • Let’s enumerate more using automated tools.

Note: Manual Enumeration is important.

Web Enumeration using GoBuster

  • Using GoBuster, we found some interesting directories.
  • Let’s look at the result of GoBuster scan on port 8081.
GoBuster found an endpoint named /auth.
  • The /auth endpoint requires our login info and we don't have any, so we enumerate more.
  • We can also look on GoBuster scan results on port 31331.
GoBuster scan result for port 31331.
  • Let’s look at the /js directory to see if there are any interesting .js files in it.
api.js found in /js directory.

Nice! We found some .js files. But api.js looks more interesting than the other two. Let's peek at the contents of api.js.

api.js contents
  • Looks like ultratech.thm:8081 is executing the ping command with user input on the backend. Let's tinker with it later.

Tip: When in doubt, search it in Google.

Exploitation

Steps to reproduce:

  1. Navigate to ultratech:8081/ping and add the parameter ip as seen in the api.js file.
  2. Input the payload: ?ip=localhost
tested API for command injection.
  3. Command injection works and should output a ping request to localhost.
  4. Input the payload: ?ip=localhost `ls`
using ls command shows that there is a file named utech.db.sqlite in the web server.
  5. It should list the files/directories in the web server's current working directory.
  6. Input the payload: ?ip=localhost `cat utech.db.sqlite`. It should output the content of the utech.db.sqlite file containing user hashes.
utech.db.sqlite contents.
  7. Go to CrackStation to see if the hashes are cracked.
  • Input the hashes you found in the utech.db.sqlite file into the input box in CrackStation.
admin user hash cracked.
r00t user hash cracked.
  8. Save the credentials in a file.
  9. Try logging in with the credentials over either SSH or FTP. In this case, SSH is used to log in.
logged in via SSH as r00t user.

Privilege Escalation / Post-Exploitation

Internal Enumeration

Table 1.2: Checklist for Linux Internal Enumeration

Linux Privilege Escalation checklist

Notes: For more information about the commands, look here. Tip: When nothing else makes sense, try LinPEAS (winPEAS for Windows machines).

  • Running our checklist, we found that using whoami && id we are in the docker group.
r00t user is in docker group.
  • If a user on a machine is in the docker group, that effectively grants privileges equivalent to the root user: the Docker daemon runs as root, and any member can ask it to start a container with the host filesystem mounted inside. Check this article explaining the inner workings of the Docker daemon.
  • To verify that docker is running as root, type in the terminal: ps -aux | grep docker
Docker service running as root.

Vertical Privilege Escalation

  • We can use GTFOBins to check if we can exploit it to escalate our privileges. To exploit docker:
  • We need to know if there is an image installed in docker. To list images in docker, type in the terminal: docker images (the author used docker ps -a, which lists containers together with the image each one was created from).
  • To escalate our privileges, type in the terminal: docker run -v /:/mnt --rm -it {IMAGE_NAME} chroot /mnt sh
successfully escalated our privileges and we are now root.
  • Navigate to /root/ and copy the first 9 characters of the root user's .ssh/id_rsa.
get the first 9 characters of the SSH private key of the root user located in .ssh/id_rsa.

STATUS: ROOTED

The next two steps are not necessary for completion of the machine, but they complete the 5 Phases of Penetration Testing.

Post Exploitation / Maintaining Access

  • Copied the /etc/shadow file for user identification and their passwords.
  • Added another root user for easy access.

Clearing Tracks

  • Removed all logs and footprints to prevent the risk of exposure of the breach to the security administrator.

Status: Finished

Feel free to reach out if there is something wrong with the above post. Feedback is also appreciated :D
