According to its creator, this machine is inspired by a real-life penetration test.
Scan the target with Nmap, and make sure to scan all ports with -p-. We find FTP and SSH open, a web server on port 31331 and, on visiting port 8081, an API. Anonymous FTP login is not allowed.
Fire up Burp, proxy your browsing of port 31331 through it, and check the Site map for hidden directories or any interesting files. Also brute-force directories on both ports 8081 and 31331 with dirbuster or dirsearch; on port 31331 we indeed find robots.txt.
Let's access /utech_sitemap.txt, which robots.txt points to.
The sitemap shows that /partners.html is a login page. We could have tried brute-forcing it; in fact, the website lists the usernames of three UltraTech team members and an email address. That is not the intended path, though. The right path is a bit tricky to find and needs good enumeration.
The site's JavaScript is a bit tricky to read, but looking carefully we see a function called getAPIURL that returns ip address:8081, and a line starting with const req = that builds a request of the form http://ipaddress:8081/ping?ip=ip. In other words, the API pings whatever address it is given.
Let's try pinging ourselves. Note that we use port 8081 because that is where the API runs. Whatever follows ip= is passed to a ping command on the server; if that value is not sanitised, we can inject our own commands, which is command injection (command execution). Supplying localhost (127.0.0.1) returns ping output and confirms that the parameter reaches the ping command.
Let's try to be malicious: after the IP 127.0.0.1, append && or the | pipe and run ifconfig after the ping command.
However, it doesn't work. As the screenshot shows, trying to run pwd after ip= in the same way also fails; the API evidently blocks these separators.
We are not out of luck: there are many ways to bypass command filters, and the HackTricks article on command injection covers them.
There is also a full cheat sheet, which is excellent: https://github.com/payloadbox/command-injection-payload-list
Among the options are the semicolon (;), URL encoding, quotes and backticks (``, the key above Tab on most keyboards). Backticks are shell command substitution: the shell runs whatever is inside them first, for example `whoami`, and pastes that command's output into the surrounding command line. A filter that only blocks separators such as && and | lets them straight through, so let's try it.
And finally it works. We run pwd and it executes; the output shows /home/www/api as the current directory. Now let's run ls to see what files and directories are there.
We find a database file called ultratech.db.sqlite. Let's read it with cat.
It contains two hashes alongside usernames that appear as Mr00t and Madmin (cat prints raw SQLite record-header bytes next to the text, so the actual usernames are r00t and admin). First, let's crack the hashes with john or hashcat, or simply use CrackStation.
That gives us a username and password. You can try them on the website login page or FTP, but they work for SSH. Log in with ssh r00t@targetip and the password n100906. Note that the username is r00t, not root.
Privilege escalation here is unusual. We check sudo -l, look for cron jobs and the usual suspects, then run LinEnum. The output is huge, but scrolling to the end we find that Docker is installed, as the image shows, and that our user is a member of the docker group. That membership can be abused: the Docker daemon runs as root, so anyone allowed to talk to it can mount the host's filesystem into a container and act as root on it.
Google "Docker privilege escalation", or simply go to GTFOBins and search for Docker. Under the Shell entry there is a command that works from the low-privileged shell we already have; replace the alpine image with bash and run it.
docker run -v /:/mnt --rm -it bash chroot /mnt sh
And we are ROOT!
I hope you learned something from this writeup. This machine required good enumeration, and the privilege escalation part was unique. Follow me here on Medium for more CTF writeups and cybersecurity articles. ZEUS