robots.txton port 31331, which leads us to a hidden directory that hosts a login form. Reading the source code of that login page, we find that it is calling APIs hosted on port 8081. The API has command injection vulnerability and we are able to leak user password hashes. A quick lookup on Google reveals that the hashes are just MD5 and we get plaintext passwords easily. At this stage we can SSH in using that credential and get a user shell.
http://ultratech.thm:31331/partners.html, we find a login form:
utech.db.sqliteand get two password hashes:
r00t. Now we have a user shell:
r00tis in the docker group: