UltraTech Writeup

I did the UltraTech room on TryHackMe and want to tell you how I did it.

It’s enumeration time!

I scanned the machine for open ports with nmap.

nmap -p- $IP

  • -p- … scan every port

The I did a service scan on port 8081 (-p 8081) using the -sV flag of nmap. So I got the first answer.
I moved on to the second question. I already had the answer from the nmap scan I did before. An other service scan on port 31331 and there is the solution to question three and four.

There is a typo in the next question, because port 8080 isn’t open. So pretend it is asked for port 8081.

I used gobuster to fuzz the routes.

gobuster dir -u $IP -w $wordlist

  • dir … directory/file fuzzing
  • -u … url
  • -w … wordlist
ps. this is not the whole output ;)

Question 5, check!

Let the fun begin

So, search for the database. When I accessed the webserver, this is what I saw.

A gobuster scan discovers robots.txt, so i took a look at it.


Oh, sitemap.txt? Let’s take a look.

Partners.html seems interesting.


A login panel, yes! Most logins need a database, so it’s the right way.

What happens when we try something around? We get redirected to /auth on port 8081. The hint says, we shouldn’t stay at /auth too long. So I took a look at the second path on port 8081. I messed around with the parameters and it looked like a command injection in the url. So I tried so different methods and ended up with this one:

take a look at the url

Wohoo, the database. I read it with cat and got the hash.

I used crackstation, an online hash cracking tool to crack the hash and used this user:password combo to login the server via ssh.

The root of all evil

Task 4: get root!
I checked for the classics:

  • sudo -l to check if the user can run something as root
  • cat /etc/crontab to look for active crontabs I could exploit
  • find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null this looks complicated, but it only shows you files you can execute as root
  • searching for backups

but I had no luck at all. But when I looked at the groups I am in, I found something:

GTFOBins says the following about docker:

So, I tried this command but I got an error. I did some researching and you have to change “alpine” to bash and there is the root shell!

Just cat /root/.ssh/id_rsa and select the first 9 characters and the challenge is complete!




Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium


Vulnhub Monitoring: Walkthrough

4 simple tips to improve your Apache Spark job performance!

Ftdi Driver Mac Os X

Industry Use Case of Jenkins

Git & GitHub { part 2 }

[18/12, 12:26 pm] Sanjay Soni UMT Katangi: Career counselling online free for students करियर…

Launching The Drip Community Info Hub

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


More from Medium

Jack-of-All-Trades Writeup

HackTheBox — BountyHunter

Devzat — Hackthebox walkthrough

Network Services — Tryhackme