ctfwriteup.com
House of NotePwnie Island
Search…
Hack The Box
AD
Windows
Linux
TCM Academy
TCM Windows Privilege Escalation Course
TCM Linux Privilege Escalation Course
TryHackMe - Simple CTF (Easy)
TryHackMe - Vulnversity (Easy)
TryHackMe - CMesS (Medium)
TryHackMe - UltraTech (Medium)
TryHackMe - LazyAdmin (Easy)
TryHackMe - Anonymous (Medium)
TryHackMe - tomghost (Easy)
TryHackMe - ConvertMyVideo (Medium)
TryHackMe - Brainpan 1 (Hard)
Game Hacking
Pwnie Island
Pwn
pwn.college
pwnable.kr
pwnable.tw
ROP Emporium
Jarvis OJ Pwn Xman Series
Crypto
Jarvis OJ Crypto RSA Series
picoCTF
picoCTF 2020 Mini-Competition
picoCTF 2021
picoMini by redpwn
redpwnCTF
redpwnCTF 2021
Powered By GitBook
TryHackMe - UltraTech (Medium)

Summary

Nikto finds robots.txt on port 31331, which leads us to a hidden directory that hosts a login form. Reading the source code of that login page, we find that it is calling APIs hosted on port 8081. The API has command injection vulnerability and we are able to leak user password hashes. A quick lookup on Google reveals that the hashes are just MD5 and we get plaintext passwords easily. At this stage we can SSH in using that credential and get a user shell.
In the privilege escalation phase, we find that the user r00t is in the docker group. A docker escape payload GTFOBins gives us a root shell.

IP

  • RHOST: 10.10.216.127
  • LHOST: 10.13.12.2

Nmap

Nmap

Nikto

Nikto finds /robots.txt:
Nikto
Visit http://ultratech.thm:31331/robots.txt:
robots.txt
Visit http://ultratech.thm:31331/utech_sitemap.txt:
utech_sitemap.txt
In http://ultratech.thm:31331/partners.html, we find a login form:
Login form

User Shell: Command Injection

Reading the source code of this page, we find a file named api.js:
Login page source code
This JavaScript file calls the API hosted on port 8081. Specifically, it calls http://ultratech.thm:8081/ping?ip=<ip>:
api.js
Try command injection:
curl -i 'http://ultratech.thm:8081/ping?ip=`ls`'
It works:
ls
Examine utech.db.sqlite and get two password hashes:
Password hashes
They are:
Username
Password Hash
r00t
f357a0c52799563c7c7b76c1e7543a32
admin
0d0ea5111e3c1def594c1684e3b9be84
Do reverse hash lookup on Google, we have:
Username
Password Hash
r00t
n100906
admin
mrsheafy
SSH in as r00t. Now we have a user shell:
User shell

Privilege Escalation: GTFOBins

The user r00t is in the docker group:
Docker group
Grab the docker escape payload from GTFOBins:
Docker escape payload
Since we are running Bash instead of Alpine, we should modify the payload:
docker run -v /:/mnt --rm -it bash chroot /mnt sh
Now we get a root shell:
root shell
Previous
TryHackMe - CMesS (Medium)
Next
TryHackMe - LazyAdmin (Easy)
Last modified 29d ago
Copy link
Outline
Summary
IP
Nmap
Nikto
User Shell: Command Injection
Privilege Escalation: GTFOBins