TryHackMe - UltraTech (Medium)
Nikto finds robots.txt on port 31331, which leads us to a hidden directory that hosts a login form. Reading the source code of that login page, we find that it calls APIs hosted on port 8081. The API has a command injection vulnerability, through which we are able to leak user password hashes. A quick lookup on Google reveals that the hashes are plain MD5, so we get the plaintext passwords easily. At this stage we can SSH in with those credentials and get a user shell. In the privilege escalation phase, we find that the user r00t is in the docker group. A docker escape payload from GTFOBins gives us a root shell.
- RHOST: 10.10.216.127
- LHOST: 10.13.12.2

Nmap
Nikto finds /robots.txt:
Nikto
Visit http://ultratech.thm:31331/robots.txt:
robots.txt
Visit http://ultratech.thm:31331/utech_sitemap.txt:
utech_sitemap.txt
In http://ultratech.thm:31331/partners.html, we find a login form:
Login form
Reading the source code of this page, we find a file named api.js:
Login page source code
This JavaScript file calls the API hosted on port 8081. Specifically, it calls http://ultratech.thm:8081/ping?ip=<ip>:
api.js
Try command injection:
curl -i 'http://ultratech.thm:8081/ping?ip=`ls`'
It works:

ls
Examine utech.db.sqlite and get two password hashes:
Password hashes
They are:
| Username | Password Hash |
|---|---|
| r00t | f357a0c52799563c7c7b76c1e7543a32 |
| admin | 0d0ea5111e3c1def594c1684e3b9be84 |
Doing a reverse hash lookup on Google, we get:
| Username | Password |
|---|---|
| r00t | n100906 |
| admin | mrsheafy |
SSH in as r00t. Now we have a user shell:
User shell
The user r00t is in the docker group:
Docker group
Grab the docker escape payload from GTFOBins:

Docker escape payload
Since we use the bash image instead of alpine, we modify the payload accordingly:
docker run -v /:/mnt --rm -it bash chroot /mnt sh
Now we get a root shell:

root shell