UltraTech by lp1
IP = 10.10.186.15*
Difficulty: Medium
Machine OS: Linux
Learning Platform: tryhackme.com
Finished on: Arch Linux
- Note: IP address may vary.
Reconnaissance
Scoping and Preparation
- Connect to OpenVPN Server using:
sudo openvpn {PATH_TO_OVPN_FILE}
- I used my tool CTFRecon to automate directory creation, network scanning, web directory brute-forcing and adding an entry to the /etc/hosts file.
- To use CTFRecon:
1. git clone https://www.github.com/hambyhacks/CTFrecon
2. cd CTFRecon
3. chmod +x ctfrecon.sh && cp ctfrecon.sh ../
#to move ctfrecon.sh to your working directory.
4. sudo ./ctfrecon.sh [IP] [DIRECTORY NAME] [PLATFORM] [WORDLIST]
#platform refers to hackthebox(htb) or tryhackme(thm). Wordlist is used for GoBuster directory brute-forcing.
Preliminary Enumeration via nmap
Table 1.1: nmap Results Summary
- Based on the nmap result, the web servers are not on the standard HTTP/HTTPS ports (80 and 443). In this case they are on ports 8081 and 31331.
- Machine OS: based on the OpenSSH version, the machine is Ubuntu Bionic.
Enumeration
FTP Enumeration
- Looking at our nmap result, there is not much we can do with the FTP service since it does not allow anonymous login. We also searched exploit-db for version exploits, but the only hit is a remote denial-of-service exploit, which is not useful for us.
Manual Web Enumeration
- Since there is no webpage on port 80, we navigate to port 8081, which is a web server.
- Based on our nmap scan, port 8081 is running a Node.js framework.
- Let's now look at the service on port 31331, which is an Apache web server.
- Looking at the functionality of the webpage, we found another endpoint called /what.html.
- This page shows some developer's comments on a production webpage.
- Let's enumerate more using automated tools.
Note: Manual Enumeration is important.
Web Enumeration using GoBuster
- Using GoBuster, we found some interesting directories.
- Let's look at the result of the GoBuster scan on port 8081.
- The /auth endpoint requires our login info, and we don't have any yet, so we enumerate more.
- We can also look at the GoBuster scan results on port 31331.
- Let's look at the /js directory to see if there are any interesting .js files in it.
- Nice! We found some .js files. api.js looks more interesting than the other two, so let's peek at its contents.
- Looks like ultratech.thm:8081 is executing the ping command with user input on the backend. Let's try to tinker with it later.
Tip: When in doubt, search it in Google.
Exploitation
Steps to reproduce:
1. Navigate to ultratech:8081/ping and add the parameter ip as seen in the api.js file.
2. Input the payload: ?ip=localhost
3. Command injection works and should output a ping request to localhost.
4. Input the payload: ?ip=localhost `ls`
5. It should list the files/directories in the current directory.
6. Input the payload: ?ip=localhost `cat utech.db.sqlite`. It should output the content of the utech.db.sqlite file containing user hashes.
7. Go to CrackStation to see if the hashes are cracked.
- Input the hashes you found in the utech.db.sqlite file into the input box in CrackStation.
8. Save the credentials in a file.
9. Try logging in with the credentials over either SSH or FTP. In this case, SSH is used to log in.
Privilege Escalation / Post-Exploitation
Internal Enumeration
Table 1.2: Checklist for Linux Internal Enumeration
Notes: For more information about the commands, look here. Tip: When nothing else makes sense, try LinPEAS (winPEAS for Windows machines).
- Running our checklist, we found with whoami && id that we are in the docker group.
- If a user on a machine is in the docker group, it effectively grants privileges equivalent to the root user. Check this article explaining the inner workings of the Docker daemon.
- To verify that docker is running as root, we can type in the terminal:
- Syntax:
ps -aux | grep docker
Vertical Privilege Escalation
- We can use GTFOBins to check if we can exploit it to escalate our privileges. To exploit docker:
- We need to know if there is an image installed in docker. To list images in docker, type in the terminal: docker ps -a
- To escalate our privileges, type in the terminal:
docker run -v /:/mnt --rm -it {IMAGE_NAME} chroot /mnt sh
- Navigate to /root/ and copy the first 9 characters of .ssh/id_rsa of the root user.
STATUS: ROOTED
The next two steps are not necessary for completion of the machine, but they complete the 5 Phases of Penetration Testing.
Post Exploitation / Maintaining Access
- Copied the /etc/shadow file for user identification and their passwords.
- Added another root user for easy access.
Clearing Tracks
- Removed all logs and footprints to prevent the risk of exposing the breach to the security administrator.
Status: Finished
Feel free to reach out if there is something wrong with the above post. Feedback is also appreciated :D