TryHackMe: UltraTech by lp1


UltraTech by lp1

IP = 10.10.186.15*
Difficulty: Medium
Machine OS: Linux
Learning Platform: tryhackme.com
Finished on: Arch Linux
  • Note: IP address may vary.

Reconnaissance

Scoping and Preparation

  • Connect to OpenVPN Server using: sudo openvpn {PATH_TO_OVPN_FILE}
  • I used my tool CTFRecon to automate directory creation, network scanning, web directory brute-forcing and adding an entry to the /etc/hosts file.
  • To use CTFRecon:
    1. git clone https://www.github.com/hambyhacks/CTFrecon
    2. cd CTFRecon
    3. chmod +x ctfrecon.sh && cp ctfrecon.sh ../ (this moves ctfrecon.sh to your working directory)
    4. sudo ./ctfrecon.sh [IP] [DIRECTORY NAME] [PLATFORM] [WORDLIST] (platform refers to hackthebox (htb) or tryhackme (thm); the wordlist is used for GoBuster directory brute-forcing)

Preliminary Enumeration via nmap

Table 1.1: nmap Results Summary

  • Based on the nmap result, we can see that the web servers are not on the standard HTTP/HTTPS ports (80 and 443); in this case they are on ports 8081 and 31331.
Nmap result of Ultratech

Enumeration

FTP Enumeration

  • Looking at our nmap result, there is not much we can do with the FTP service, since it does not allow anonymous login. We also searched exploit-db for exploits matching the version, but the only hit is a Remote Denial-of-Service exploit, which does not help us here.
FTP Remote Denial-of-Service exploit

Manual Web Enumeration

  • Since there is no webpage on port 80, we navigate to port 8081, which is a web server.
UltraTech API on port 8081.
  • Based on our nmap scan, port 8081 is served by a Node.js application.
  • Let’s now look at the service on port 31331, which is an Apache web server.
Webpage at port 31331.
  • Looking at the functionality of the webpage, we found another endpoint called /what.html.
What.html contents show an unfinished part of the webpage.
  • This shows developer comments left on a production webpage.
  • Let’s enumerate more using automated tools.

Note: Manual Enumeration is important.

Web Enumeration using GoBuster

  • Using GoBuster, we found some interesting directories.
  • Let’s look at the result of the GoBuster scan on port 8081.
GoBuster found an endpoint named /auth.
  • The /auth endpoint requires our login info, and we don't have any yet, so we enumerate more.
  • We can also look at the GoBuster scan results on port 31331.
GoBuster scan result for port 31331.
  • Let’s look at the /js directory to see if there are any interesting .js files in it.
api.js found in /js directory.

Nice! We found some .js files, but api.js looks more interesting than the other two. Let's peek at the contents of api.js.

api.js contents
  • It looks like ultratech.thm:8081 executes the ping command with user input on the backend. Let's tinker with it later.

Tip: When in doubt, search it in Google.

Exploitation

Steps to reproduce:

  1. Navigate to ultratech:8081/ping and add the ip parameter, as seen in the api.js file.
  2. Input the payload: ?ip=localhost
tested API for command injection.
  3. Command injection works and the response should show a ping request to localhost.
  4. Input the payload: ?ip=localhost `ls`
using ls command shows that there is a file named utech.db.sqlite in the web server.
  5. It should list the files/directories in the current directory.
  6. Input the payload: ?ip=localhost `cat utech.db.sqlite`. It should output the content of the utech.db.sqlite file, which contains user hashes.
utech.db.sqlite contents.
  7. Go to CrackStation to see if the hashes are cracked.
     • Input the hashes you found in the utech.db.sqlite file into the input box on CrackStation.
admin user hash cracked.
r00t user hash cracked.
  8. Save the credentials in a file.
  9. Try logging in with the credentials over either SSH or FTP. In this case, SSH is used to log in.
logged in via SSH as r00t user.

Privilege Escalation / Post-Exploitation

Internal Enumeration

Table 1.2: Checklist for Linux Internal Enumeration

Linux Privilege Escalation checklist

Notes: For more information about the commands, look here.

Tip: When nothing else makes sense, try LinPEAS (winPEAS for Windows machines).

  • Running our checklist, we found with whoami && id that we are in the docker group.
r00t user is in docker group.
  • If a user on a machine is in the docker group, that membership grants privileges equivalent to the root user. Check this article explaining the inner workings of the Docker daemon.
  • To verify that docker is running as root, we can type in the terminal:
  • Syntax: ps -aux | grep docker
Docker service running as root.

Vertical Privilege Escalation

  • We can use GTFOBins to check whether we can exploit docker to escalate our privileges. To exploit docker:
  • We need to know if there is an image installed in docker. To list images in docker, type in the terminal: docker ps -a
  • To escalate our privileges, type in the terminal: docker run -v /:/mnt --rm -it {IMAGE_NAME} chroot /mnt sh
successfully escalated our privileges and we are now root.
  • Navigate to /root/ and copy the first 9 characters of the root user's .ssh/id_rsa.
get the first 9 characters of SSH private key of root user located in .ssh/id_rsa.

STATUS: ROOTED

The next two steps are not necessary for completion of the machine, but they complete the 5 Phases of Penetration Testing.

Post Exploitation / Maintaining Access

  • Copied the /etc/shadow file to identify users and their password hashes.
  • Added another root user for easy access.

Clearing Tracks

  • Removed all logs and footprints to reduce the risk of the breach being exposed to the security administrator.

Status: Finished

Feel free to reach out if there is something wrong with the above post. Feedback is also appreciated :D
