HTB: Vaccine Write-up

Description

“Vaccine” is a boot2root machine on Hack The Box and part of the Starting Point series. The operating system is Linux. The initial foothold was obtained through a SQL injection vulnerability in the web app. Privilege escalation to root was possible because the postgres user had sudo rights for the vi program. The FTP credentials ftpuser:mc@F1l3Z1lL4 from the previous challenge were used to obtain sensitive data from the target.

Enumeration

The engagement was started with the following Nmap scan:

The Nmap scan revealed FTP on port 21, SSH on port 22 and an HTTP web server on port 80. It was possible to authenticate against the FTP server with the FTP credentials from the previous challenge. The FTP server contained a file called “backup.zip”, which was downloaded to the attacker machine.

It turned out that the ZIP archive was password protected, so the password had to be cracked. zip2john was used to extract a password hash from the archive, and the password was then cracked with John the Ripper.

After extracting the archive, the web page’s source code could be examined. Analysis of the code revealed hard-coded credentials: the username was hard coded to admin, and an MD5 hash of the password was stored inside the script. The password hash was cracked with the site “Crackstation”.

With these credentials it was possible to log in to the web app.

The admin interface offered a search function backed by a database. The “search” parameter was tested for SQL injection.

First, the session cookie value was obtained with the browser’s developer tools.

After that, sqlmap was used to identify SQL injection vulnerabilities. It found multiple SQL injection flaws in the “search” parameter.

Initial Access

This SQL injection vulnerability could be used to obtain a reverse shell. After running the following commands, the target connected back to the attacker machine.

During local enumeration on the box, the code of the “dashboard.php” page was analyzed. The file is located at /var/www/html/dashboard.php. Inside the PHP script were credentials for the postgres user.

With these credentials it was possible to log in via SSH and get a more stable shell.

The sudo -l command was run to check whether the postgres user can run commands in the context of another user. The postgres user could run the following command as root:

Privilege Escalation to “root”

The above command can be used to spawn a root shell. First, the vi command shown above was run with sudo.

Finally, a root shell was spawned by running the following commands inside the vi editor:

Mitigation

Credentials should not be hard coded inside a web app, and user input must never be concatenated into SQL queries. Furthermore, backups need to be protected with a much stronger password. Also keep in mind that vi can spawn a shell, so sudo rights for vi amount to a root shell. It is recommended to use another editor.
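To make the first two points concrete, here is an added example (not the machine’s own dashboard.php) showing the insecure search pattern the write-up describes beside a hardened version. The table name “cars”, the column “name”, the environment variable names and the session check are assumptions for illustration.

```php
<?php
// Added example: hypothetical search handler for a PHP/PostgreSQL dashboard.
// Assumed schema: table "cars" with a text column "name".

// Insecure pattern (for comparison only): the search term is concatenated
// into the SQL string, so a crafted value can change the query structure.
function searchCarsInsecure(PDO $db, string $term): array {
    $sql = "SELECT * FROM cars WHERE name ILIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: a prepared statement fixes the query structure on the
// server and passes the search term purely as data.
function searchCarsSafe(PDO $db, string $term): array {
    $stmt = $db->prepare("SELECT * FROM cars WHERE name ILIKE :pattern");
    $stmt->execute([':pattern' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection: credentials come from the environment (assumed variable names
// DB_HOST, DB_NAME, DB_USER, DB_PASS) instead of being stored in the script.
function connect(): PDO {
    $dsn = sprintf('pgsql:host=%s;dbname=%s',
                   getenv('DB_HOST') ?: 'localhost',
                   getenv('DB_NAME') ?: 'app');
    return new PDO($dsn, getenv('DB_USER'), getenv('DB_PASS'), [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]);
}

// Request handling: require an authenticated session (assumed session key),
// then serve the search result via the hardened function only.
session_start();
if (empty($_SESSION['login']) || $_SESSION['login'] !== 'true') {
    http_response_code(403);
    exit('Forbidden');
}
$term = (string)($_GET['search'] ?? '');
header('Content-Type: application/json');
echo json_encode(searchCarsSafe(connect(), $term));
```

With ATTR_EMULATE_PREPARES disabled, the parameter is bound by the PostgreSQL server itself, so the same input that sqlmap flagged in the write-up is treated as a literal pattern rather than as SQL.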

Passionate about Cyber Security. I am publishing CTF writeups and Cybersec content!