UltraTech
https://tryhackme.com/room/ultratech1
Last updated
By Jacvbtaylor
[ Your Mission ]
You have been contracted by UltraTech to pentest their infrastructure.
It is a grey-box kind of assessment, the only information you have is the company's name and their server's IP address.
Which software is using the port 8081? Node.js
Which other non-standard port is used? 31331
Which software is using this port? Apache
Which GNU/Linux distribution seems to be used? Ubuntu
The software using the port 8081 is a REST api, how many of its routes are used by the web application? 2
Summary: Using nmap, I discovered an Ubuntu server with a Node.js REST API on port 8081. The main web server is on port 31331, running Apache.
_______________________
With the port scan done as the first step of reconnaissance, I could move on to the services I had found.
First I tested for anonymous (null) logins on ports 21 and 22 (FTP and SSH). No luck, so I moved on to the web services.
Starting with the API, I ran a directory enumeration scan to look for useful paths. The scan had not finished, but it had already discovered 3 paths worth looking at.
The /auth route quickly became a good target; I would have to find a way to log into it.
Next I wanted to look at the web page on port 31331. From the source code I could see that most, if not all, of the files in this directory were going to be .html, so I quickly started a scan for that extension. Searching for .txt files would be useful too, so I started a scan for that as well.
In total, I had these 3 scans now running:
gobuster dir -u http://10.10.241.189:31331 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
dirb http://10.10.241.189:31331 -X .html
dirb http://10.10.241.189:31331 -X .txt
Some important files and directories discovered:
http://10.10.241.189:31331/robots.txt
Allow: *
User-Agent: *
Sitemap: /utech_sitemap.txt
http://10.10.241.189:31331/utech_sitemap.txt
/
/index.html
/what.html
/partners.html
http://10.10.241.189:31331/partners.html (private partner login)
http://10.10.241.189:31331/js
/api.js
/app.js
/app.min.js
http://10.10.241.189:8081/auth
http://10.10.241.189:8081/ping
Reading api.js, I could see the front end calling these 2 API routes:
http://${getAPIURL()}/auth
http://${getAPIURL()}/ping?ip=${window.location.hostname}
window.location.hostname is only the host part of the page's URL, so on this box the second call resolves to http://10.10.241.189:8081/ping?ip=10.10.241.189, and the ip parameter is something I control.
So I messed with this a bit in the browser and ended up getting the database name after requesting this URL: http://10.10.241.189:8081/ping?ip=*
"ping: utech.db.sqlite: Name or service not known"
The * was expanded as a shell glob: the only file in the API's working directory was substituted as ping's target, which tells me the parameter is handed to a shell unquoted.
Hopefully I could use this URL to get more information. I first tried appending commands to the IP, such as:
10.10.241.189%7Cls  (10.10.241.189|ls)
10.10.241.189%3Bls  (10.10.241.189;ls)
10.10.241.189%26%26ls  (10.10.241.189&&ls)
But I quickly found a lot of filtering in place. I couldn't use many of the symbols normally used to chain a command onto the ping; below are some of the basic ones I tried:
; & && | () [] {} //
After numerous attempts to bypass this filter, I finally found something that worked: backtick command substitution, which the filter did not block (URL-encoded, the space is %20 and the backtick is %60):
10.10.241.189 `pwd`
So far I could see I was the www user and could only see 2 users in /etc/passwd. After sending the ls
command through, I could see that utech.db.sqlite was the name of a file, and the only one in my current working directory. I went ahead and cat'd that file and found what looked like two username/password-hash pairs. (A .sqlite file is binary, so cat prints the record header bytes next to the stored strings; the output is messy, but the hashes are readable.)
I ran the hashes through crackstation.net and it found a match for both users. I tried using these credentials to log into SSH but got this amazing message: "Permission denied, please try again."
What confused me was the "M" in front of both usernames. I tried logging in as Mr00t and mr00t with no luck, but when I dropped the "M" I was in. That "M" is not part of the username: it is a byte from the SQLite record header (the serial-type byte 0x4D that describes the 32-character hash column), which happens to sit right before the username bytes in the file.
The last requirement was to get the first 9 characters of the root user's private SSH key.
User r00t wasn't allowed to run sudo, but I could see that user lp1 had sudo privileges, so I needed a way to escalate to that user. Running id, I saw r00t was a member of the docker group.
I wasn't sure how to use this yet until I came across this web page: https://flast101.github.io/docker-privesc/
The third option showed a way to get an interactive root shell by mounting the host's filesystem into a container and chrooting into it:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
I was excited to try this command but was quickly shut down with an error:
the machine couldn't find the alpine image, and it couldn't pull it. Since my user could talk to the docker daemon, I checked which containers existed with docker ps -a.
It showed 3 containers based on the bash image. Maybe we can use that instead? You bet we can: the same command with bash in place of alpine worked.
This shell was a bit of a pain to interact with. You can't tab-complete file names and you can't backspace, so the key here is to type carefully and purposefully.
After changing into /root/.ssh (the host's, via the chroot), we could see the id_rsa files and grab the characters we needed.