TryHackMe - UltraTech (Medium)

PreviousTryHackMe - CMesS (Medium)NextTryHackMe - LazyAdmin (Easy)

Last updated 1 year ago

TryHackMe - UltraTech (Medium)

Summary

Nikto finds robots.txt on port 31331, which leads us to a hidden directory that hosts a login form. Reading the source code of that login page, we find that it is calling APIs hosted on port 8081. The API has command injection vulnerability and we are able to leak user password hashes. A quick lookup on Google reveals that the hashes are just MD5 and we get plaintext passwords easily. At this stage we can SSH in using that credential and get a user shell.

In the privilege escalation phase, we find that the user r00t is in the docker group. A docker escape payload GTFOBins gives us a root shell.

IP

RHOST: 10.10.216.127
LHOST: 10.13.12.2

Nmap

Nikto

Nikto finds /robots.txt:

Visit http://ultratech.thm:31331/robots.txt:

Visit http://ultratech.thm:31331/utech_sitemap.txt:

In http://ultratech.thm:31331/partners.html, we find a login form:

User Shell: Command Injection

Reading the source code of this page, we find a file named api.js:

This JavaScript file calls the API hosted on port 8081. Specifically, it calls http://ultratech.thm:8081/ping?ip=<ip>:

Try command injection:

curl -i 'http://ultratech.thm:8081/ping?ip=`ls`'

It works:

Examine utech.db.sqlite and get two password hashes:

They are:

Username

Password Hash

r00t

f357a0c52799563c7c7b76c1e7543a32

admin

0d0ea5111e3c1def594c1684e3b9be84

Do reverse hash lookup on Google, we have:

Username

Password Hash

r00t

n100906

admin

mrsheafy

SSH in as r00t. Now we have a user shell:

Privilege Escalation: GTFOBins

The user r00t is in the docker group:

Grab the docker escape payload from GTFOBins:

Since we are running Bash instead of Alpine, we should modify the payload:

docker run -v /:/mnt --rm -it bash chroot /mnt sh

Now we get a root shell:

PreviousTryHackMe - CMesS (Medium)NextTryHackMe - LazyAdmin (Easy)

Last updated 1 year ago