TryHackMe ultraTech CTF

The basics of Penetration Testing, Enumeration, Privilege Escalation and WebApp testing

Bhavesh Harmalkar
InfoSec Write-ups



The goal of this room is to get a root shell and read the root user's SSH private key. The machine is modelled on a real-life pentest.

Room Found Here : https://tryhackme.com/room/ultratech1

Start Your Machine ……..


The room is split into two tasks, Task 1 and Task 2.

# [Task 1] : Get the low level access into the machine

Step 1 -> ping the machine to check whether it is up

Step 2 -> Performing port scanning

#!/bin/bash
# Usage : ./filename.sh <ip>
# Needs root (masscan uses raw sockets); -e tun0 assumes the VPN interface is tun0.
set -eu
target="$1"

masscan -e tun0 "$target" -p 1-65535 --rate 5000 > "${target}_masscan"
# masscan lines look like "Discovered open port 21/tcp on 10.10.199.39"; keep only the port number
grep "Discovered open port" "${target}_masscan" | awk '{print $4}' | cut -d/ -f1 | sort -n -u > "${target}_masscanP"

# hand every open port to nmap in one run (comma-separated -p list) instead of one nmap per port
ports=$(paste -sd, "${target}_masscanP")
nmap -A -p"$ports" "$target" > "${target}_nmap"

# uncomment to remove the intermediate files
# rm "${target}_masscan" "${target}_masscanP"

This script runs masscan over all 65535 TCP ports, pulls out the open ones, and hands them to nmap for service and version detection. masscan needs root, and -e tun0 assumes the TryHackMe VPN interface is tun0.

Three ports came back open: 21, 8081 and 31331. (masscan at a high rate can drop responses; SSH on port 22 is used later in this writeup, so it was open as well. If a port you expect is missing, re-run nmap on its default port range.)

Let’s give an answer to the questions …..

1. Which software is using the port 8081?

Ans :- Node.js

2. Which other non-standard port is used?

Ans :- 31331

3. Which software using this port?

Ans :- Apache

4. Which GNU/Linux distribution seems to be used?

Ans :- Ubuntu

5. The software using the port 8081 is a REST api, how many of its routes are used by the web application?

Ans :- 2

The landing pages on ports 8081 and 31331:

port:8081
port:31331

Directory brute-forcing on ports 8081 and 31331 turned up /auth, but there was nothing interesting in it.

Step 3 -> /robots.txt directory

After the basic enumeration, check the usual suspects: /robots.txt and /sitemap.xml.

robots.txt

robots.txt points to /utech_sitemap.txt.

That sitemap lists three pages: /index.html, /what.html and /partners.html.

/index.html and /what.html are not interesting, but /partners.html has a login page.

login page

But what next? We have no username or password.

Let’s Start Thinking ………….

Step 4 -> Username and password of normal user

Check the page source; it loads js/api.js.

js/api.js

Navigating to js/api.js shows the interesting part:

jsUrl

api.js builds its API base URL from getAPIURL(), which uses window.location.hostname with port 8081, and calls a ping endpoint that takes an ip parameter. The API is reachable directly, so we can request /ping?ip=<value> on port 8081 ourselves.

First try it with the attackbox IP address as the value, so the server pings us.

ping

It works. Trying another command instead of an IP address gives an error:

id error

The error is ping failing to resolve a hostname. The command in the image above is 10.10.199.39:8081/ping?ip=ping id. The server wraps our parameter in a shell command (something like ping -c 1 <ip>), so the extra words are handed to ping as hostnames, not executed, and ping reports a name resolution error. Command substitution gets around that: whatever sits between backticks (``) is run by the shell before the main command is assembled, so ip=`ls` executes ls and only its output is passed to ping. (If the browser mangles the backticks, URL-encode them as %60.)

db file

With ls between the backticks we get a directory listing that includes a database file. Cat it the same way to see what's in it.

cat file

Here we get two usernames with their password hashes: r00t and admin. The 32-hex-character hashes look like unsalted MD5, so try a lookup service first.

crackstation

Let’s give an answer to the questions …..

6. There is a database lying around, what is its filename?

Ans :- utech.db.sqlite

7. What is the first user's password hash?

Ans :- f357a0c52799563c7c7b76c1e7543a32

8. What is the password associated with this hash?

Ans :- n100906

Step 5 -> Get first shell on machine

Try to log in over SSH as r00t with the password n100906.

ssh shell

And we are r00t, an ordinary unprivileged user on the machine.

# [Task 2] Get root user access on to the machine

Step 1 -> Apply techniques to get root shell

After running through the usual privilege-escalation checks, one thing stood out. Start with id:

id

The id output shows r00t in the docker group. That is effectively root: members of the docker group can talk to the Docker daemon, which runs as root, and can start a container with the host's filesystem bind-mounted into it. GTFOBins lists the one-liner under its docker entry:

gtfo bins

Run this on the box (the image has to be present locally or pullable; if the machine has no internet access, check docker images first and use whatever is there):

docker run -v /:/mnt --rm -it bash chroot /mnt sh

-v /:/mnt bind-mounts the host's root filesystem into the container, and chroot /mnt sh gives a shell whose / is the host's. Inside the container we run as root, and with the host filesystem mounted that is root on the host.

root shell

And boooommmmm ….. We are the root user on this machine

Let’s give an answer to the questions ….

9. What are the first 9 characters of the root user's private SSH key?

Ans :- MIIEogIBA

Note:

Always read the page source and the JavaScript it loads; client-side code often reveals API endpoints and parameters the UI never shows.

Thanks for Reading 💓 ……….

Keep Learning ………..

Connect me on:

Twitter , Linkedin , GitHub
