THM UltraTech : Medium

As soon as I obtained the IP address of the target machine, I initiated an Nmap scan, which yielded the following results.

To gather more information, I performed an aggressive scan on the open ports.

While scanning the FTP and SSH services, I attempted multiple default username/password combinations but was unsuccessful. Next, I focused on fuzzing the remaining open ports using the following command: dirb http://ip:port/ bigfuzzingwordlist.txt

This led to the discovery of several pages, one of which was particularly interesting: http://IP:31331/js/api.js

This file exposed an API function on port 8081 that was vulnerable to command injection. Requesting the following URL: http://IP:8081/ping?ip=abc.com;`ls`

confirmed that I could inject shell commands through the ip parameter. I then tried another payload: http://IP:8081/ping?ip=abc.com;`cat utech.db.sqlite`

This returned password hashes for the r00t and admin accounts.

To retrieve the corresponding passwords, I used Hashcat to crack the hashes, which enabled me to SSH into the server.

Upon executing the id command, I discovered that I was a member of the docker group, which struck me as unusual. To escalate my privileges, I consulted GTFOBins and used the following command: docker run -v /:/mnt --rm -it bash chroot /mnt sh

This successfully escalated my privileges to root. I then read the root user's SSH private key with the following command: cat /root/.ssh/id_rsa
