# UltraTech

## <img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2FBRa0EONkZEnPWlNSv75q%2Fimage.png?alt=media&#x26;token=db3deed1-591c-4343-b3ef-9db4b2c584cb" alt="" data-size="line">ULTRATECH WRITEUP

*By Jacvbtaylor*

```
Used openvpn and Kali Linux
https://tryhackme.com/room/ultratech1
completed Sep 15, 2022
```

### \~\_. UltraTech .\_\~

**\[ Your Mission ]**

*You have been contracted by UltraTech to pentest their infrastructure.*

*It is a grey-box kind of assessment, the only information you have is the company's name and their server's IP address.*

### STEP 1: Answer the questions below

*Which software is using the port 8081?*

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2FWo1ozAy2ONsAxPxEDiLM%2Fimage.png?alt=media&#x26;token=5df310da-40c6-404e-bb3c-77738f39df90" alt=""><figcaption><p>node.js</p></figcaption></figure>

*Which other non-standard port is used?*

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2FqZsdM3sT4nSo3De5XQW6%2Fimage.png?alt=media&#x26;token=c5d3b7e5-22f9-4b66-a859-bc7e891db7b6" alt=""><figcaption><p><em>port 31331</em></p></figcaption></figure>

*Which software is using this port?*

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2FNwbTUD0oJ2m9QsfS18Lb%2Fimage.png?alt=media&#x26;token=1e4607f0-81b7-4c69-b544-1c69d68c2661" alt=""><figcaption><p>Apache</p></figcaption></figure>

*Which GNU/Linux distribution seems to be used?*

Ubuntu

*The software using the port 8081 is a REST api, how many of its routes are used by the web application?*

2

**Summary:**

Using nmap, I discovered an Ubuntu server with a node.js API on port 8081 and the main Apache web server on port 31331.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

### STEP 2:

With scanning done as the first step of reconnaissance, I could move on to the services I had found.

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2F9HHScV2Tb03sy10YgxUQ%2Fimage.png?alt=media&#x26;token=85297141-e8cc-4fa6-8e7e-2f604a0fb6ee" alt=""><figcaption><p>ssh</p></figcaption></figure>

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2FI4npUMOZYB2cWqZRW7Ca%2Fimage.png?alt=media&#x26;token=6cbb9676-e325-4370-adf4-91fb00a10a80" alt=""><figcaption><p>ftp</p></figcaption></figure>

First I tested ports 21 and 22 (FTP and SSH) for anonymous/null logins. No luck, so I moved on to the web services.

Starting with the API, I began a directory-enumeration scan to look for useful routes. The scan had not finished, but it had already discovered 3 paths I could look at.

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2FdTjqg8tcqhGLjumAKw8K%2Fimage.png?alt=media&#x26;token=afb3f1ef-7cd9-445e-9174-48dbbb4f28b9" alt=""><figcaption><p>auth</p></figcaption></figure>

The /auth route quickly became a good target; I would have to find a way to log in to it.

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2FKEuQ2EaAFj2obN2j5pVR%2Fimage.png?alt=media&#x26;token=433697dc-598b-4183-a35d-a8ad59187f80" alt=""><figcaption><p>auth/ping</p></figcaption></figure>

Next, I wanted to look at the web page on port 31331. From the source code I could see that most, if not all, of the files in this directory were going to be .html, so I quickly started a scan for that extension. Searching for .txt files would be useful too, so I started a scan for those as well.

In total, I now had these 3 scans running:

* `gobuster dir -u http://10.10.241.189:31331 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt`
* `dirb http://10.10.241.189:31331 -X .html`
* `dirb http://10.10.241.189:31331 -X .txt`

Some important files and directories discovered:

* <http://10.10.241.189:31331/robots.txt>
  ```
  Allow: *
  User-Agent: *
  Sitemap: /utech_sitemap.txt
  ```
* <http://10.10.241.189:31331/utech_sitemap.txt>
  ```
  /
  /index.html
  /what.html
  /partners.html
  ```
* <http://10.10.241.189:31331/partners.html> **(private partner login)**
* <http://10.10.241.189:31331/js>
  ```
  /api.js
  /app.js
  /app.min.js
  ```
* <http://10.10.241.189:8081/auth>
* <http://10.10.241.189:8081/ping>

### STEP 3:

From reading the api.js file, I could see two requests being made:

* `http://${getAPIURL()}/auth`
* `http://${getAPIURL()}/ping?ip=${window.location.hostname}`

Both `getAPIURL()` and `window.location.hostname` resolve to the server I browsed to (the API sitting on port 8081), so the second URL becomes: `http://10.10.241.189:8081/ping?ip=10.10.241.189`

So I messed with this a bit in the browser and ended up getting the database name after requesting this URL: `http://10.10.241.189:8081/ping?ip=*`

*"ping: utech.db.sqlite: Name or service not known"*

The `*` had been expanded as a filename glob against the API's working directory, which only happens if the parameter is being interpolated into a shell command rather than handed to `ping` as a plain argument.

Hopefully I could use this URL to get more information. I first tried appending commands to the IP, such as:

* `10.10.241.189%7Cls` (`10.10.241.189|ls`)
* `10.10.241.189%3Bls` (`10.10.241.189;ls`)
* `10.10.241.189%26%26ls` (`10.10.241.189&&ls`)

But I quickly found a lot of filtering in place. I couldn't use most of the symbols needed to chain a command onto `ping`; below are some of the basic ones I tried:

`;    &   &&   |   ()   []   {}   //`&#x20;

After numerous attempts to bypass this filter, I finally found something that worked: backtick command substitution, which the blacklist did not cover:

`` 10.10.241.189 `pwd` ``

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2FZQt4KCWwK4TYRIyKDRI7%2Fimage.png?alt=media&#x26;token=b0fab1e4-846f-405e-8310-329ab5edb068" alt=""><figcaption><p>cat /etc/passwd</p></figcaption></figure>

So far I could see that the API was running as the `www` user and that /etc/passwd listed only 2 regular users. After sending `ls` through, I could see that *utech.db.sqlite* was a file, and the only one in the current working directory. I dumped that file with `cat` and found usernames alongside what looked like password hashes.

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2FAZqxiUyh5Fc7tPgxHdA2%2Fimage.png?alt=media&#x26;token=38b96023-1972-42ac-affa-38f62dfee47e" alt=""><figcaption><p>sql file</p></figcaption></figure>

### STEP 4:

I ran the hashes through crackstation.net, which found a match for both users. I tried using these credentials to log in over SSH but kept getting the familiar message:

*"Permission denied, please try again."*

What left me confused was the "M" in front of both usernames. I tried logging in as Mr00t and mr00t with no luck, but when I took the "M" out I was in. That "M" is not part of the username: `cat` prints the raw SQLite file, and the byte immediately before each login is the last byte of that row's record header, the serial type of the 32-character hash column (a TEXT column of N bytes has serial type 2N+13, so 2\*32+13 = 77, which is ASCII "M"). The header bytes before it are non-printable, so the "M" appears glued to the login.

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2F08bALLHitA0bREhqEIip%2Fimage.png?alt=media&#x26;token=ba16d71e-8adf-4a2f-96f3-914f5f2253d8" alt=""><figcaption><p><em>ssh</em></p></figcaption></figure>

The last requirement was to get the first 9 characters of the root user's private SSH key.

User r00t wasn't allowed to run sudo, but I could see that user lp1 had sudo privileges, so I needed to find a way to escalate to that user. Using `id` I saw that r00t was a member of the docker group. That is effectively root on the host: the Docker daemon runs as root, and anyone who can talk to it can mount the host's filesystem into a container.

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2FuEYifQdQYiRe23wxpHDz%2Fimage.png?alt=media&#x26;token=5b96c5d7-3dd7-4e05-8966-f1adf65c53af" alt=""><figcaption><p>id</p></figcaption></figure>

I wasn't sure how to accomplish this quite yet until I came across this webpage: <https://flast101.github.io/docker-privesc/>

The third option showed a way to get an interactive root shell on the host by running the following command:

**`docker run -v /:/mnt --rm -it alpine chroot /mnt sh`**

I was excited to try this command but was quickly shut down with an error:

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2F5pG7DVGzkcx9a60zxwJA%2Fimage.png?alt=media&#x26;token=02ce5c4c-ac45-4bac-85d3-d3a68bc06f4c" alt=""><figcaption><p>image</p></figcaption></figure>

The machine couldn't find the alpine image locally and couldn't pull it either. Since my user could talk to the Docker daemon, I checked which containers existed with `docker ps -a` (`docker images` lists the locally available images directly).

It showed 3 containers built from the `bash` image. Could I use that instead? You bet I could: the same `docker run` line with `bash` in place of `alpine` went through.

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2FX7ozb9WwFGh2VnGbVJlr%2Fimage.png?alt=media&#x26;token=e6c7ddbb-11db-49ba-9b92-c58348fb0e7f" alt=""><figcaption><p>docker shell</p></figcaption></figure>

This shell was a bit of a pain to interact with: there was no tab completion and no backspace, so the key here is to type carefully and deliberately.

After changing into root's .ssh directory, we can see the `id_rsa` file and grab the characters we need.

<figure><img src="https://2044735455-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbFWqDgEG5tczYagv1vA%2Fuploads%2FXqNGt4RUH6oO8dD8cVQi%2Fimage.png?alt=media&#x26;token=1b14c0c0-13e5-451d-9920-b058cec4d67b" alt=""><figcaption><p>private key</p></figcaption></figure>
