Author: AMD

This is a writeup for the UltraTech room.


NMAP

With this result we can answer “Which other non-standard port is used?”


Which software is using the port 8081?


Which software is using this port?


Which GNU/Linux distribution seems to be used?


The software using the port 8081 is a REST API, how many of its routes are used by the web application?


PREPARATION

“Did you find somewhere you could try to login?” Let's find it.

Let's try ffuf on port 31331.

Let's check out robots.txt.

Let's check out utech_sitemap.txt.

Let's check out partners.html.

We found the login.


There is a database lying around, what is its filename?

Let's catch the login request with Burp.

The hint says /auth is not alone. When we view the page source we can find out that there is an api.js.

If we click on it we can find the other endpoint.

Let's use curl.

Perfect. Now we can try to run some commands.


What is the first user’s password hash?

Let's use cat.


What is the password associated with this hash?

Let's use https://crackstation.net/


What are the first 9 characters of the root user’s private SSH key?

Let's SSH in as r00t.

Unfortunately we are not really root. Let's try privilege escalation.

We will focus on pkexec. Let's find a vulnerability.

Let's set it up.

Let's download it to the machine and give it execution rights.

Everything is ready, let's run it.

Perfect, we are in. Let's get the key.