Hello everyone, Y0gi here, back again with another TryHackMe writeup. In this writeup I am going to jot down the UltraTech room from TryHackMe. If you like my writeup and want more insights, follow me on Twitter.
Machine name : UltraTech
Disclaimer - My IP Address will be different from yours
Link to the room: https://tryhackme.com/room/ultratech1
If your house is made of UltraTech Cement, pay your regards to UltraTech for 2 mins 😂 and start the machine (this UltraTech is a company, though). Make sure to connect yourself to the THM network.
So the first thing we're going to do is scan the machine for open ports and other things.
Scanning & Enumeration
Starting with Nmap,
nmap -sV -sC -O -T4 <ip> -p-
-sC: Scan with the default NSE scripts; considered useful for discovery and safe
-sV: Attempts to determine the version of the service running on each open port
-O: OS detection
-T4: Sets the timing template to 4 (aggressive)
-p-: Scan all 65535 ports instead of the default top 1000
I tried an anonymous login on port 21, but it wasn't configured for anonymous login, and there was also no exploit or CVE available for this particular version of FTP.
For further enumeration, I moved to port 8081 to check which kind of web application was running there. It was an API server. Next I checked the web server running on port 31331, and there I found a web application.
Let's see if robots.txt is there in the web app, and boom, it's there: a sitemap is listed in it. Now let's check what is in it.
Now let’s see what’s there in partners.html
WOW!! that's great, we get to see a login page. Now let's try to get into it.
Nothing seemed to be working. Before going for bruteforcing, I visited the page source once again to recheck things, and here we get a JS file where we find something interesting.
Moving into api.js, we get this:
So here the web application is calling an API with the endpoint /ping?ip=, which looks vulnerable to OS command injection.
So boys, never overlook JS files 😋
Now let's replace the API URL with the machine IP and port 8081, and let's try pinging to confirm the command injection vuln.
Noice!! we are getting a reply, so let's see if we can run system commands.
For another few mins I went on trying all the command injection techniques (; | & ^ etc.) I know, but nothing worked, so I went googling for other methods.
And one method worked. The catch is that after ip= you wrap the system command in backticks (``); it's not a quote, make sure to notice that.
so it will be like ip=
So let's see what I get
Okay!! so we are getting a database file, utech.db.sqlite
Now navigating to it:
Perfect, it looks like a user and a password, but the password is probably hashed, so let's crack the hash for r00t and see.
We got the password n100906 after cracking r00t user's MD5 hash. Now let's log in as r00t over SSH using the above password (we got an SSH port if you remember from the nmap scan).
So we are in now.
Before running any priv esc scripts I do some basic enumeration manually, and when I type id, I find something interesting.
So we are running inside a Docker container, and the current user is in the docker group; let's see if we get something from GTFOBins.
To get root using docker, run this:
docker run -v /:/mnt --rm -it bash chroot /mnt sh (GTFOBins lists alpine as the image; change it to bash)
VOILA!! we are root now.
Hope this writeup will be helpful for you. Follow me on Twitter for more writeup updates.