UltraTech — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my UltraTech — TryHackMe — WriteUp. Check it out!
*You will find all the answers needed throughout this post.
First, deploy the machine and run nmap to find open ports.
nmap -A -p- -T5 -v <ip>
There are 2 websites we can visit: one on port 31331 and one on port 8081.
Look at the hint: it tells us not to spend too much time on /auth. So let’s first access /auth on port 8081.
When I accessed it, it immediately prompted me for credentials and I found nowhere to type them. So instead of spending time on this URL, I will try another way (as the hint said).
Use gobuster to look for hidden directories; I see that robots.txt is present.
gobuster dir -u http://<ip>:31331 -w /path-to-wordlist
So let’s see what the content of robots.txt is.
It leads us to another location.
Access all 3 HTML pages, and you will find a login page at /partners.html.
I’ve tried to use sqlmap to check for SQLi, but it seems not to be vulnerable. So take a look at the hint again: there’s something about “api”.
Let’s access http://<ip>:31331/js
Click on api.js
There are 2 functions: /ping and /auth. We’ve visited /auth before, so let’s access /ping now.
http://<ip>:8081/ping
Some errors appear. Let’s try to intercept it with Burp Suite.
It’s pinging the machine IP. Let’s send it to Repeater and try some command injection techniques.
First, try &&.
Doesn’t work. What about ;?
Still doesn’t work! What about URL-encoding it? First try ||ls, URL-encoded.
Failed. Now let’s use the ` symbol: the shell evaluates a backtick command substitution before the rest of the command line.
Finally it worked! Now I have the database name: utech.db.sqlite
Now I will use cat to read the content of this database, also by command injection.
You can add the following string after the url: `cat+utech.db.sqlite`
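As an added illustration (not code from the room or its author), here is a constructed Python model of why a filter on an endpoint like /ping can stop && and ; but not backticks, beside an allow-list version that rejects anything that is not a plain IP or hostname and never passes the input through a shell. Function names and the regex are my own assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Constructed model of the /ping endpoint discussed above, not the
# UltraTech API's real code. Two versions: a blacklist filter that lets
# backticks through, and an allow-list validator that rejects them.

BLACKLIST = ("&&", ";", "|")

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"                                   # total length
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"      # dotted labels
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",           # last label
    re.IGNORECASE,
)


def vulnerable_build_command(target: str) -> Optional[str]:
    """Blacklist approach: returns the shell string that would be run with
    shell=True, or None if the blacklist rejects the input. Does not run it."""
    if any(token in target for token in BLACKLIST):
        return None
    # A shell would still expand `...` and $(...) inside this string.
    return f"ping -c 1 {target}"


def is_valid_target(target: str) -> bool:
    """Allow-list approach: accept only a literal IP address or a hostname
    made of DNS-safe characters; everything else is rejected outright."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(target))


def safe_build_argv(target: str) -> List[str]:
    """Build an argv list (no shell) for a validated target, so even an
    unexpected character could never be interpreted as shell syntax."""
    if not is_valid_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "1", target]


def safe_ping(target: str, timeout: float = 5.0) -> int:
    """Run the validated ping with shell=False and return its exit status."""
    return subprocess.run(safe_build_argv(target), timeout=timeout,
                          capture_output=True, check=False).returncode
```

The blacklist version passes a backtick payload straight through to the shell string, which is exactly the gap the room's /ping endpoint shows; the allow-list version rejects it before anything is executed.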
So now I have the credentials of r00t and admin.
*Note that it’s r00t, not root
Copy the passhash: f357a0c52799563c7c7b76c1e7543a32
It’s your #2 answer.
First, use hash-identifier to see which type this hash is.
It’s MD5.
Copy the hash to a filename.txt file and then use john with the rockyou.txt wordlist to crack that password hash.
john --wordlist=/path-to-rockyou.txt --format=Raw-MD5 filename.txt
john --show --format=Raw-MD5 filename.txt
Now I have the password: n100906
*The password is everything after “:”, because ? is the username, and the username and password are separated by the “:” symbol.
Now you have the credentials of r00t. Log in to /partners.html.
Now I have another username, which is lp1. I also know that the server is misconfigured.
Take a look at the nmap result: FTP and SSH are open. So let’s try FTP.
Success! Move around and list files to see if there is anything valuable.
Well, not much. So now let’s try SSH using r00t’s credentials.
Now we’re in. Let’s try to get root so we can access the files in the /root folder.
First, sudo -l to see if r00t can run sudo.
Uh oh, r00t cannot run any command with sudo.
Next, use find to search for any binaries with the SUID bit set.
find / -perm -u=s 2>/dev/null
Nothing useful. But take another look at the output of the “id” command.
r00t is in the docker group, which means docker is present. Take a look at https://gtfobins.github.io/gtfobins/docker/#suid
First, let’s see which images are present using this command:
docker image ls
So there is an image “bash”.
Referring to this, we can run this command to get root:
docker run -v /:/mnt --rm -it bash chroot /mnt sh
Now I’m root!
Now find where the private SSH key is stored, cat it and copy the first 9 characters to answer the final question.
find / -name id_rsa -type f 2>/dev/null
The end.
HAPPY HACKING