HackerakademiAdvanced2026

Printserver Penetration Test

SQL InjectionPrivilege EscalationReverse EngineeringBinary ExploitationWASM

Full attack chain from SQL injection in a public-facing web app to root access on the host server — exploiting six chained vulnerabilities across containers, a router, and a patched Node.js runtime.

Executive Summary

Six separate vulnerabilities were identified and exploited in a chain that ultimately resulted in full root access to the print server. The attack path went from a public-facing web application through container infrastructure to the host server's file system.

The target was a server backup environment. The objective was to achieve root access on the print server by any means necessary.

Vulnerability 1: SQL Injection in the Vault Web Application

Location

Port 80, /secrets endpoint — a Go binary at /opt/vault/vault serving a login form backed by SQLite.

Description

The login form passed username and password directly into SQL queries without parameterised statements, enabling classic SQL injection.

Exploitation

username: admin'--
password: anything

This bypassed authentication and returned SSH credentials stored in the database: user / hunter2. Further UNION-based injection dumped the entire user table, revealing the admin account with password BEXl4g89jJst97wdlpU9.

Impact

SSH keys and credentials exfiltrated — gave access to the host container.

Remediation

Use parameterised queries or prepared statements in all database calls. Never concatenate user input into SQL strings.

Vulnerability 2: Privilege Escalation via apt Post-Invoke Scripts

Location

user@hostcontainer (nspawn container)

Description

apt install executed post-invoke scripts as root without restriction. A user with write access to the apt configuration directory could inject arbitrary commands that would run as root during any apt operation.

Exploitation

echo 'APT::Update::Post-Invoke {"chmod u+s /bin/bash";};' \
  > /etc/apt/apt.conf.d/99pwn
apt update
bash -p

The bash -p command opened a root shell via the newly set SUID bit.

Impact

root@hostcontainer achieved.

Remediation

Restrict who can call apt, remove write access to /etc/apt/apt.conf.d/ for unprivileged users, and disable post-invoke scripts in production environments.

Vulnerability 3: Hardcoded BPF Filter Password (Reverse Engineering)

Location

/root/git/bpf/baby-passes-filters on the host container, serving on port 666.

Description

A network service used a BPF filter consisting of 374 instructions to validate an incoming password. The filter was compiled into the binary and could be reverse-engineered.

Exploitation

GDB was used to trace the BPF instructions. 31 XOR conditions were extracted and solved as a system of equations, revealing the password:

channel_oversold_trillion_zoning

Connecting to port 666 with this password returned a root shell.

Impact

Alternative root shell obtained. Demonstrates that BPF-based access controls are not a substitute for proper authentication.

Remediation

Never hardcode passwords in binaries — even behind filters. Use challenge-response protocols or encrypted credential storage instead.

Vulnerability 4: Weak PRNG in Password Generator (LCG Cracking)

Location

/root/passwdGen.py on the host container — used to generate the router's root password.

Description

The script used a Linear Congruential Generator (LCG) seeded with only 3 random bytes. That is a search space of 2^24 (roughly 16.7 million possibilities) — trivially brute-forceable.

Exploitation

A Python script tried all 16.7 million seeds and compared the output against the known password format. Seed 12354 produced the router password:

X@@z:jO:0C/>T;wD

Impact

SSH access as root to the router container at 10.0.42.1.

Remediation

Use a cryptographically secure random number generator (e.g. Python's secrets module) with at least 128 bits of entropy for any credential generation.

Vulnerability 5: Stack Buffer Overflow in pwn1 Service

Location

/root/git/pwn1/pwn1 on the router, listening on port 55 (TCP).

Description

The C program allocated a 16-byte buffer on the stack but read up to 1 MB of input. It then executed jmp *%rbp, allowing the attacker to control program flow via the rbp register.

Exploitation

A payload containing a NOP sled and execve shellcode was sent via netcat. cat was kept open to preserve stdin for the spawned shell:

(cat pwn1_payload; cat) | nc 10.0.42.1 55

Impact

root@router achieved.

Remediation

Enable stack protection (-fstack-protector), enable ASLR, and use safe input functions like fgets with a size limit. Never use unbounded reads into fixed-size buffers.

Vulnerability 6: Custom V8/WASM JIT Opcode — Arbitrary Code Execution

Location

wat container at 10.0.67.102:3000, running a patched Node.js 20.19.2.

Description

The Node.js installation was patched with a custom WASM opcode 0xcc called JmpRel(imm32). It emitted a raw x86 jmp instruction (E9 xx xx xx xx) directly into JIT-compiled code with no safety checks. Combined with the server instantiating WASM modules (including start sections) and running as root, this enabled arbitrary native code execution.

Exploitation

  1. A VXLAN VPN tunnel was established via vpn@printserver to reach the wat container
  2. A WASM module was constructed with a start section (auto-executed on new WebAssembly.Instance())
  3. i32.const instructions encoded shellcode bytes as immediates, and JmpRel jumped to them
  4. The x86 shellcode executed as root inside the wat container

Impact

Arbitrary code execution as root@wat. Because the wat container's nspawn configuration included Bind=/root, the container's /root/ directory shared the host's file system. Write access to /root/.ssh/authorized_keys gave full root access to the print server.

Remediation

  • Remove custom JIT opcodes from production environments
  • Never apply unvalidated JIT modifications
  • Run sandboxed services as unprivileged users with no-new-privileges
  • Avoid bind-mounting sensitive host directories (like /root/) into containers that expose network services

Full Attack Chain

SQL Injection (port 80)
    ↓ SSH credentials exfiltrated
user@hostcontainer
    ↓ apt post-invoke injection
root@hostcontainer
    ↓ LCG password cracking
root@router (10.0.42.1)
    ↓ Buffer overflow on port 55
root@router (confirmed)
    ↓ VXLAN VPN + WASM JIT exploit
root@wat → Bind=/root mount
    ↓
ROOT ACCESS TO PRINTSERVER ✓

Conclusion

This engagement covered a broad spectrum of security vulnerabilities — from web application flaws through reverse engineering, cryptographic weaknesses, and binary exploitation, all the way down to JIT-level code execution on a patched JavaScript runtime. The attack chain demonstrates how seemingly isolated low-severity issues can be combined to achieve full system compromise.