UltraTech

  1. Took the IP 10.201.114.167 and ran a TCP scan.

    Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-27 04:42 EDT
    Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
    Service scan Timing: About 75.00% done; ETC: 04:43 (0:00:04 remaining)
    Nmap scan report for 10.201.114.167
    Host is up (0.28s latency).
    
    PORT      STATE SERVICE VERSION
    21/tcp    open  ftp     vsftpd 3.0.3
    22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 dc:66:89:85:e7:05:c2:a5:da:7f:01:20:3a:13:fc:27 (RSA)
    |   256 c3:67:dd:26:fa:0c:56:92:f3:5b:a0:b3:8d:6d:20:ab (ECDSA)
    |_  256 11:9b:5a:d6:ff:2f:e4:49:d2:b5:17:36:0e:2f:1d:2f (ED25519)
    8081/tcp  open  http    Node.js Express framework
    |_http-title: Site doesn't have a title (text/html; charset=utf-8).
    |_http-cors: HEAD GET POST PUT DELETE PATCH
    31331/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-title: UltraTech - The best of technology (AI, FinTech, Big Data)
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 24.63 seconds
    
  2. Ports 21, 22, 8081 and 31331 were open. Port 8081 was running a Node.js Express application as the backend.

  3. I visited the target on port 8081 and found the following web page.

  1. I found nothing there, so I checked port 31331 and found the following website.

  1. Above was the information about the team behind the company: full names of the team members along with their aliases. I had come across such instances in CTFs before, where the owners or people working behind a website listed their aliases online, and those aliases often turned out to be the usernames on the target system. I saved the information for later.

  2. Also, there was a possibility that the main website on port 31331 was calling an API served on port 8081. I had worked with Express.js recently, so I could tell.

  3. I ran a Gobuster scan on port 8081 and found two endpoints in the API:

    /auth
    /ping

  4. I enumerated /auth and it turned out the endpoint was used for logging in.

  5. I tried using a GET-based request to send some random credentials.

  1. The Invalid Credentials error tells us that the format of the request was correct.

  2. I also ran a directory scan on port 31331 and found partners.html.

  1. I tried logging in here and found that this form was calling the /auth API endpoint on port 8081.

  2. I also found a directory named js on port 31331 and found the following files inside.

  1. Here api.js had the code for the API, as follows.

  1. Here I could see the code behind the /ping endpoint. I tried it and got the following result.

  1. Maybe I could do something with this. I thought of trying command injection.

  2. After a lot of tries and some searching online, I was able to use the backtick (`) character to inject shell commands, as follows.

  1. Here we have a utech.db.sqlite database on the target system.

  2. I tried listing the contents of the file but only got gibberish, since an SQLite database is a binary file. Hence I checked whether Python was installed on the target.

  1. It was! Hence I started an HTTP server on the target so that I could download the database file to the attacker machine.

  1. I got the file onto my system. I viewed the contents of the SQLite file and found the following credentials.

  1. My first instinct was to use crackstation.net to look up these password hashes.

  1. Bingo! We had passwords for two users, admin and r00t. The next step was to gain user access to the target with an upgraded shell via SSH.

  1. I logged in as the r00t user successfully. Now it was time to gain access to root's SSH key.

  2. I used id and found the following.

The user r00t was a part of the docker group.

  1. I went to GTFOBins to look for something related to Docker that I could use to escalate my privileges: https://gtfobins.github.io/gtfobins/docker/

  2. I used the following command.

    docker run -v /:/mnt --rm -it alpine chroot /mnt sh

  1. But I was getting the following error.

  1. As I had hardly any experience with Docker, I sought the help of ChatGPT and asked what the error and the command I had used meant.

  2. It turned out that the alpine image I was trying to use was not available on the system. Hence I ran docker images to see which ones were available.

  1. The bash image was present, so I used it in the Docker escape command and fortunately got root access to the system.

  1. The next step was to get the private SSH key of the root user.

  2. I moved into the /root/.ssh directory and found the private SSH key in id_rsa. I copied the first 9 characters from the file to get the last flag.

We hacked it!
