Difficulty: Medium
Machine OS: Linux
  • Note: IP address may vary.


Scoping and Preparation

  • Connect to OpenVPN Server using: sudo openvpn {PATH_TO_OVPN_FILE}
  • I used my tool CTFRecon to automate directory creation, network scanning, web directory brute-forcing and adding an entry to the /etc/hosts file.
  • To use CTFRecon:
  1. git clone
  2. cd CTFRecon
  3. chmod +x && cp ../
  # to move to your working directory.
  # platform refers to hackthebox (htb) or tryhackme (thm). The wordlist is used for GoBuster directory brute-forcing.

Preliminary Enumeration via nmap

Table 1.1: nmap Results Summary

  • Based on the nmap results, the web servers are not on the standard HTTP/HTTPS ports (80 and 443); in this case they run on ports 8081 and 31331.


FTP Enumeration

  • Looking at our nmap results, there is not much we can do with the FTP service since it does not allow anonymous login. We also searched exploit-db for version-specific exploits, but the only match is a remote denial-of-service exploit, which is not useful to us here.

Manual Web Enumeration

  • Since there is no webpage on port 80, we navigate to port 8081, which hosts a web server.
  • Based on our nmap scan, port 8081 runs a Node.js framework.
  • Let's now look at the service on port 31331, which is an Apache web server.
  • Looking at the functionality of the webpage, we found another endpoint called /what.html.
  • This page shows some developer comments left on a production webpage.
  • Let's enumerate further using automated tools.

Note: Manual Enumeration is important.

Web Enumeration using GoBuster

  • Using GoBuster, we found some interesting directories.
  • Let's look at the result of the GoBuster scan on port 8081.
  • The /auth endpoint requires our login info, which we don't have yet, so we enumerate more.
  • We can also look at the GoBuster scan results on port 31331.
  • Let's look at the /js directory to see if there are any interesting .js files in it.

Nice! We found some .js files. But api.js looks more interesting than the other two. Let's peek at the contents of api.js.

  • Looks like ultratech.thm:8081 executes the ping command with user input on the backend. Let's try to tinker with it later.

Tip: When in doubt, search it in Google.


Steps to reproduce:

  1. Navigate to ultratech:8081/ping and add the parameter ip as seen in the api.js file.
  2. Input the payload: ?ip=localhost
  3. Command injection works and should output a ping request to localhost.
  4. Input the payload: ?ip=localhost `ls`
  5. It should list the files/directories in the current directory.
  6. Input the payload: ?ip=localhost `cat utech.db.sqlite`. It should output the contents of the utech.db.sqlite file, which contains user hashes.
  7. Go to CrackStation to see if the hashes have already been cracked.
     • Input the hashes found in the utech.db.sqlite file into the input box on CrackStation.
  8. Save the credentials in a file.
  9. Try logging in with the credentials over either SSH or FTP. In this case, SSH is used to log in.

Privilege Escalation / Post-Exploitation

Internal Enumeration

Table 1.2: Checklist for Linux Internal Enumeration

Notes: For more information about the commands, look here.

Tip: When nothing else makes sense, try LinPEAS (winPEAS for Windows machines).

  • Running through our checklist, whoami && id shows that our user is in the docker group.
  • If a user on a machine is in the docker group, that effectively grants privileges equivalent to the root user. Check this article explaining the inner workings of the Docker daemon.
  • To verify that docker is running as root, type in the terminal:
  • Syntax: ps -aux | grep docker

Vertical Privilege Escalation

  • We can use GTFOBins to check whether docker can be exploited to escalate our privileges. To exploit docker:
  • We need to know if there is an image installed in docker. To list images in docker, type in the terminal: docker ps -a
  • To escalate our privileges, type in the terminal: docker run -v /:/mnt --rm -it {IMAGE_NAME} chroot /mnt sh
  • Navigate to /root/ and copy the first 9 characters of the root user's .ssh/id_rsa.


The next two steps are not necessary to complete the machine, but they complete the 5 Phases of Penetration Testing.

Post Exploitation / Maintaining Access

  • Copied the /etc/shadow file for user identification and their passwords.
  • Added another root user for easy access.

Clearing Tracks

  • Removed all logs and footprints to prevent the risk of exposing the breach to the security administrator.

Status: Finished

Feel free to reach out if there is something wrong with the above post. Feedback is also appreciated :D

