UltraTech

October 21, 2020

TASK 2 (1 – 5)

This was pretty straightforward: I just opened up nmap and scanned the given IP. I got some interesting open ports, and I can use this information later on when trying to log onto the site, since port 80 was not open. I'll also look through the directories on 8081 and 31331 with gobuster. This nmap scan alone is enough to answer tasks 2.2 – 2.4.

Once I have that information, I can try going to ports 8081 and 31331. Port 8081 didn't yield much besides an /auth directory, so I decided to look into 31331.

I wanted to try some of the interesting directories ASAP, so I went to robots.txt and found some sitemap information; this led me to an admin login page.

Yeah, this is exactly where we want to be.

TASK 3 (1 – 3)

Here I used the login page with Burp Suite. The main idea is to attempt a command injection through one of the GET requests that take part in a login. While attempting to log in on 31331, you are redirected to port 8081 for authentication, and during that exchange I believe we are able to intercept the request and alter it.

When I sent the request to the Repeater I was able to resend various system commands and receive a response from the server. This gave me the answer to task 3.1. (Big help from PayloadsAllTheThings on GitHub.)
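To make the defender's side of this concrete, here is an added example (not code from the room or from this writeup) of the bug class at work on port 8081: a handler that drops a GET parameter into a shell string, the hardened version that validates the value and never touches a shell, and a small log check that flags the kind of requests Repeater would produce. The endpoint name `/api/check`, the parameter `host`, the `ping` use case and the access-log lines are all constructed assumptions for illustration; the writeup does not name the real parameter.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote, urlparse

# --- vulnerable pattern (hypothetical handler): the query value is pasted into a shell string ---
def build_shell_command_unsafe(host: str) -> str:
    """Return the string a vulnerable handler would pass to `sh -c`.
    Anything the client puts in `host` (';', '`', '$(' ...) survives verbatim."""
    return f"ping -c 1 {host}"


# --- hardened pattern: allow-list the value, then exec without a shell ---
_HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?)*"
)

def is_safe_host(value: str) -> bool:
    """Accept only a literal IP address or a plain DNS hostname (no metacharacters)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return len(value) <= 253 and _HOSTNAME_RE.fullmatch(value) is not None

def build_argv_safe(host: str) -> list:
    """Build an argv list; rejected input raises instead of reaching any process."""
    if not is_safe_host(host):
        raise ValueError("rejected host parameter")
    # The validated value can only start with an alphanumeric, so it cannot be parsed as a flag.
    return ["ping", "-c", "1", host]

def safe_ping(host: str) -> int:
    """Execute with shell=False so the OS sees exactly one argument per list element."""
    return subprocess.run(build_argv_safe(host), capture_output=True, timeout=5).returncode


# --- detection: flag query strings carrying shell metacharacters in access logs ---
# '&' is a normal separator, so only '&&' counts; '\n' covers a URL-encoded %0a.
_SHELL_META = re.compile(r"[;|`$\n]|&&")
_REQ_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')

def flag_suspicious_requests(log_lines) -> list:
    """Return (client_ip, path, decoded_query) for each request whose query
    string, after percent-decoding, contains shell metacharacters."""
    hits = []
    for line in log_lines:
        m = _REQ_RE.search(line)
        if not m:
            continue
        client, target = m.group(1), m.group(2)
        parsed = urlparse(target)
        decoded = unquote(parsed.query)
        if _SHELL_META.search(decoded):
            hits.append((client, parsed.path, decoded))
    return hits

# Constructed sample log lines (not real traffic); two carry injection attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Oct/2020:10:00:01 +0000] "GET /api/check?host=127.0.0.1 HTTP/1.1" 200 64',
    '10.0.0.5 - - [21/Oct/2020:10:00:09 +0000] "GET /api/check?host=127.0.0.1%3Bid HTTP/1.1" 200 210',
    '10.0.0.5 - - [21/Oct/2020:10:00:15 +0000] "GET /api/check?host=127.0.0.1%60whoami%60 HTTP/1.1" 200 190',
    '10.0.0.7 - - [21/Oct/2020:10:01:00 +0000] "GET /static/app.js HTTP/1.1" 304 0',
]

if __name__ == "__main__":
    print(build_shell_command_unsafe("127.0.0.1;id"))      # shows the injected text intact
    print(build_argv_safe("127.0.0.1"))                     # one argument per element
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The response sizes in the sample log are a second signal worth watching: a request whose query decodes to `host=127.0.0.1;id` and comes back larger than the plain `host=127.0.0.1` request is the same thing the writeup observed from the Repeater side, seen from the server's logs.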

Now that that's done, I want to try opening a port as the www-data user. I check whether python is on the server and host a shell from there.

Sweet, I got some usernames and password hashes. Time to use either CrackStation or hashcat (I decided to use hashcat for more practice).

Here I used hashcat and recovered the following passwords to finish task 3.

TASK 4

The final task for this box is to get the SSH private key for the root user. I'm going to find this in the Docker logs.

Great box! I learned some new things with Burp, which is always great. Hope you learned something new too!