Nmap scan report for 10.10.156.70
Host is up (0.048s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:66:89:85:e7:05:c2:a5:da:7f:01:20:3a:13:fc:27 (RSA)
| 256 c3:67:dd:26:fa:0c:56:92:f3:5b:a0:b3:8d:6d:20:ab (ECDSA)
|_ 256 11:9b:5a:d6:ff:2f:e4:49:d2:b5:17:36:0e:2f:1d:2f (ED25519)
8081/tcp open http Node.js Express framework
|_http-cors: HEAD GET POST PUT DELETE PATCH
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
31331/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: UltraTech - The best of technology (AI, FinTech, Big Data)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
So I tried directory busting on the port 8081 API with the directory_medium list from DirBuster and found two routes:
/auth
/ping
Requesting /auth returns an "Invalid Credentials" error and tells us to supply a username and password in a POST request, as this is a Node.js API. Moving on to <ip>:31331, we get the UltraTech website. Its robots.txt disallows a sitemap; opening that sitemap shows a /partners path, which turns out to be a login page. A few default credentials got us nowhere, so let's look at the page source and see how the login actually works.
In the page source we can see that the API's /ping route takes an ip parameter and pings that address for us, and the response looks exactly like the output of the ping command on a Linux machine. That makes it a candidate for command injection and remote code execution. There are several ways to inject a command, and which one works depends on what filtering is applied to the GET value; here the filter lets backticks through, so a command wrapped in backticks is executed by the shell and its output is substituted into the ping argument. Running ls this way shows the files in the API's directory, among them utech.db.sqlite, which we can read with the same injection:
<ip>:8081/ping?ip=`cat utech.db.sqlite`
This returns some SQL data that contains what look like password hashes.
The hash for the user r00t is the one beginning tf357a....., and cracking it might give us SSH or FTP credentials. You can use hashcat for this; I just went over to CrackStation and cracked it there, then tried logging into SSH as r00t with the password we had just recovered, and it worked.
For further privesc enumeration I tried sudo -l, but r00t cannot run sudo. I then looked for SUID binaries and found nothing interesting, so I transferred linpeas.sh to the box and ran it, which turned up something interesting: the r00t user is a member of the docker group.
[+] My user
[i] <https://book.hacktricks.xyz/linux-unix/privilege-escalation#groups>
uid=1001(r00t) gid=1001(r00t) groups=1001(r00t),116(docker)
We can use that for privesc. Membership in the docker group is effectively root, because the Docker daemon runs as root and will bind-mount the host's / into a container for anyone who can talk to its socket. Looking up docker on GTFOBins, we see that we can run the command
docker run -v /:/mnt --rm -it bash chroot /mnt sh
and get a root shell. It might not be the most fluid shell, but it works; from there we can go to the /root directory, run ls -la, and find the .ssh folder with the id_rsa file inside.