UltraTech Writeup - TryHackMe

A walkthrough of the TryHackMe UltraTech room — a grey-box style CTF focusing on enumeration, command injection, and Docker escape.


Task 1: Deploy the Machine

Start this room by hitting the “Deploy” button on the right. Once the machine is deployed, you will be assigned a vulnerable machine IP. It’s a grey-box style assessment — you only have the company’s name and the server’s IP address.

Task 2: It’s Enumeration Time

We begin with enumeration using Nmap. Below is the command used to scan all ports and detect service versions:

Nmap Commands

sudo nmap -Pn -n -sV -p- <target-ip>

Questions & Answers

1. Which software is using port 8081? Q1 Ans: Node.js

2. Which other non-standard port is used? Q2 Ans: 31331

3. Which software is using this port? Q3 Ans: Apache

4. Which GNU/Linux distribution seems to be used? Q4 Ans: Ubuntu

5. The software using port 8081 is a REST API. How many of its routes are used by the web application? Q5 Ans: 2


Task 3: Let the Fun Begin

We check both HTTP ports exposed in our scan.

Port 8081

[Screenshot: Port 8081]

Port 31331

[Screenshot: Port 31331]

We check robots.txt on port 31331 for any disallowed paths.

[Screenshot: robots.txt]

Inside partners.html, we find some JavaScript functionality.

[Screenshot: partners.html]

We test if command injection is possible using ping.

[Screenshot: ping]

Backticks in JavaScript evaluate commands. Using ls reveals the presence of a SQLite database file.

[Screenshot: ls command]
Filename: utech.db.sqlite
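Seen from the defender's side, the ping test above succeeds when the API passes the request value to a shell. The block below is an added example, not code from the room or from this writeup: a hypothetical Node.js handler in its injectable form beside a hardened one. The function names, the `ip` parameter and the `ping -c 1` arguments are assumptions.

```javascript
// VULNERABLE pattern (hypothetical handler): the query value is pasted into a
// command line for child_process.exec(), so /bin/sh expands `...` and $(...)
// before ping ever starts.
function buildPingCommandUnsafe(ip) {
  return `ping -c 1 ${ip}`;
}

// Strict dotted-quad IPv4: four decimal octets 0-255, no leading zeros, and
// nothing else (no spaces, backticks, or an array from ?ip=a&ip=b).
function parseIPv4(input) {
  if (typeof input !== 'string' || input.length > 15) return null;
  const parts = input.split('.');
  if (parts.length !== 4) return null;
  for (const p of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(p) || Number(p) > 255) return null;
  }
  return parts.join('.');
}

// HARDENED: validate, then build an argv array. execFile() starts the binary
// directly without a shell, so each element reaches ping as one literal argument.
function buildPingArgv(ip) {
  const addr = parseIPv4(ip);
  if (addr === null) throw new RangeError('ip must be a dotted-quad IPv4 address');
  return ['ping', '-c', '1', addr];
}

// Decide the response before anything is executed.
function planPing(query) {
  try {
    return { status: 200, argv: buildPingArgv(query.ip) };
  } catch (err) {
    return { status: 400, error: err.message };
  }
}

// Execution step for a real service (not called by the demo below).
function runPing(argv, callback) {
  const { execFile } = require('node:child_process');
  execFile(argv[0], argv.slice(1), { timeout: 5000 }, callback);
}

// Constructed sample inputs: a plain address and the backtick test from the text.
for (const ip of ['10.10.10.10', '127.0.0.1 `ls`']) {
  console.log(JSON.stringify(ip), '->', buildPingCommandUnsafe(ip),
    '|', JSON.stringify(planPing({ ip })));
}
```

The unsafe builder returns the backtick input unchanged inside the command string, while the hardened path rejects it with a 400 before any process is started.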

We use cat to read it and extract password hashes.

[Screenshot: cat file]

Hash cracking reveals user credentials.

[Screenshot: hash crack]

2. What is the first user’s password hash? Ans: f357a0c52799563c7c7b76c1e7543a32

3. What is the password associated with this hash? Ans: n100906

We now have SSH credentials and access to the machine as r00t.


Task 4: The Root of All Evil

Once inside, we realize we are within a Docker container and need to escalate privileges to escape it and find the final flag.

[Screenshot: docker check]

We use a method from GTFOBins to escape Docker and spawn an interactive shell.

[Screenshot: GTFOBins docker escape]

Finally, we locate the private SSH key of the root user.

[Screenshot: id_rsa]

What are the first 9 characters of the root user’s private SSH key? Ans: MII******


Conclusion

This room offers a complete penetration test simulation with:

  • Port & service enumeration
  • Command injection via JavaScript
  • Hash extraction and cracking
  • Docker breakout and privilege escalation

An excellent practical exercise that highlights real-world exploitation scenarios from discovery to post-exploitation.


UltraTech Writeup - TryHackMe
https://blog.hanzalaghayasabbasi.com/posts/ultratech/
Author: Hanzala Ghayas Abbasi
Published at: 2023-08-14
License: CC BY-NC-SA 4.0