“Vaccine” is a boot2root machine on Hack The Box. This machine is part of the starting point series. The operating system is Linux. Initial foothold on the machine could be accomplished through a SQL injection vulnerability in the web app. Privilege escalation to root could be accomplished because of sudo rights for the vi program. The FTP credentials ftpuser:mc@F1l3Z1lL4 from the last challenge were used to obtain sensitive data from the target.
The engagement was started with the following Nmap scan:
nmap -sC -sV -O -oN nmap/inital 10.10.10.46
The Nmap scan revealed FTP on port 21, SSH on port 22 and an HTTP web server on port 80. It was possible to authenticate against the FTP server with the FTP credentials from the last challenge. The FTP server contained a file called “backup.zip”, which was downloaded to the attacker machine.
It turned out that the ZIP archive was password protected, so the password had to be cracked.
zip2john was used to extract a password hash from the archive, and the hash was then cracked with John the Ripper.
zip2john backup.zip > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
After extracting the archive, the web page’s code could be obtained. Analyzing the code revealed hard-coded credentials. The username was hard coded to admin. The password was hashed with the MD5 algorithm and the hash was saved inside the script. Because the hash was unsalted MD5, it could be looked up on the site “Crackstation”.
With these credentials it was possible to log in to the web app.
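The following is an added example, not code from the write-up or from the machine, showing why the hash found in the script was recoverable by a simple lookup and what a hardened form looks like. Any unsalted, fast hash of a password gives the same digest on every system, so one precomputed table answers for all of them; a per-user random salt plus a slow function (scrypt from the Python standard library here) removes both properties. The candidate list, the passwords and the "scrypt$n$r$p$salt$digest" storage format are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a precomputed lookup service: a tiny candidate
# list. A real lookup table holds billions of entries, but the mechanism is
# the same.
CANDIDATES = ["password", "letmein", "summer2019", "hunter2"]


def md5_hex(password: str) -> str:
    """The scheme the write-up found: bare MD5, no salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_md5(digest: str, candidates=CANDIDATES) -> Optional[str]:
    """Reverse an unsalted digest by table lookup.

    Every application that stores md5(password) produces the same digest for
    the same password, so one precomputed table serves all of them.
    Returns None when the digest is not in the table.
    """
    table = {md5_hex(c): c for c in candidates}
    return table.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt, encoded as 'scrypt$n$r$p$salt$digest' (assumed format).

    The random per-user salt makes precomputed tables useless, and the cost
    parameters make every single guess expensive.
    """
    salt = os.urandom(16) if salt is None else salt
    n, r, p = 2 ** 14, 8, 1
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    leaked = md5_hex("summer2019")  # what a reader of the script would see
    print("MD5 lookup recovers:", lookup_md5(leaked))
    stored = hash_password("summer2019")
    print("scrypt record:", stored)
    print("verify correct:", verify_password("summer2019", stored))
    print("verify wrong:  ", verify_password("letmein", stored))
```

Two calls to hash_password with the same password return different records because the salt is fresh each time, which is exactly what a lookup service cannot precompute for. The comparison in verify_password uses hmac.compare_digest so that a wrong guess takes the same time as a near miss.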
On the admin interface it was possible to search inside a database. The search parameter was tested for SQL injection.
First of all, the session cookie was obtained with the browser’s developer tools.
After that, sqlmap was used to identify SQL injection vulnerabilities. It was possible to find multiple SQL injection flaws for the search parameter:
sqlmap -u http://10.10.10.46/dashboard.php?search=test --cookie 'PHPSESSID=atju8r33d38o4qiqrjquirdll6'
This SQL injection vulnerability could be used to obtain a reverse shell. After running the following command it was possible to connect back to the attacker machine.
sqlmap -u http://10.10.10.46/dashboard.php?search=test --cookie 'PHPSESSID=atju8r33d38o4qiqrjquirdll6' --os-shell
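The following is an added example, not code from the write-up or from the machine. It shows the pattern behind the search flaw in a runnable form, the vulnerable query beside its parameterized replacement, and a small detector that runs over web server access-log lines. SQLite stands in for the target's PostgreSQL, the items table and its rows are constructed, the probe string is a generic tautology of the kind sqlmap sends during detection (not sqlmap's own payload), and the log lines are constructed in combined log format; only the dashboard.php path and the search parameter name come from the write-up.

```python
import re
import sqlite3
from urllib.parse import unquote


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items (name) VALUES (?)",
                     [("apple",), ("banana",), ("cherry",)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The pattern behind the flaw: the search term is spliced into the SQL
    text, so quote characters in it change the structure of the query."""
    sql = "SELECT name FROM items WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened form: the term is bound as a parameter and can only ever be
    compared as data, whatever characters it contains."""
    sql = "SELECT name FROM items WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Constructed probe: closes the quoted LIKE pattern and appends a tautology.
PROBE = "%' OR '%'='"

# Constructed access-log lines (combined log format). The second and third
# requests carry URL-encoded quotes in the search parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /dashboard.php?search=apple HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2020:10:00:07 +0000] "GET /dashboard.php?search=test%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.x (constructed)"
10.0.0.9 - - [01/Jan/2020:10:00:08 +0000] "GET /dashboard.php?search=test%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def flag_injection_probes(log_text: str) -> list:
    """Return (client_ip, reason) for requests whose User-Agent names sqlmap,
    or whose URL-decoded query contains a quote followed by an SQL keyword."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m.group("path"))
        if "sqlmap" in m.group("ua").lower():
            findings.append((m.group("ip"), "sqlmap user-agent"))
        elif re.search(r"'\s*(or|and|union)\b", decoded, re.IGNORECASE):
            findings.append((m.group("ip"), "quote followed by SQL keyword"))
    return findings


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PROBE))  # every row comes back
    print("safe:      ", search_safe(db, PROBE))        # no row matches the literal
    for ip, reason in flag_injection_probes(SAMPLE_LOG):
        print("flagged", ip, "-", reason)
```

The spliced query becomes `SELECT name FROM items WHERE name LIKE '%%' OR '%'='%'`, which is true for every row; the bound version compares the names against the probe text itself and matches nothing. The log detector is deliberately narrow (a single keyword pattern and the default tool user-agent) so that it is readable; in production a WAF or the database's own slow-query and error logs give better coverage, since tools can change their user-agent.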
During local enumeration on the box, the code of the “dashboard.php” page was analyzed. This file is located at /var/www/html/dashboard.php. Inside the PHP script there were credentials for the postgres user.
With these credentials it was possible to login via SSH and get a better shell.
The sudo -l command was run to check if the postgres user can run commands in the context of another user. The postgres user could run the following command as root:
Privilege Escalation to “root”
The command listed above can be used to spawn a root shell. First, vi was run via sudo:
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
Finally a root shell could be spawned by running the following commands inside the vi editor.
Credentials should not be hard coded inside a web app. Furthermore, backups need to be protected with a much stronger password. Also keep in mind that it is possible to spawn a root shell from the vi editor when it is run via sudo. It is recommended to use another editor.
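The following is an added example, not code from the write-up or from the machine. It is a small audit for the class of sudo rule that made the escalation possible: it parses one-line sudoers rules, flags any that grant vi or vim, and prints an equivalent rule based on sudoedit, which copies the file to a temporary location, opens the editor as the invoking user, and copies the result back, so an editor's shell escape never runs as root. The sample rules are constructed; only the pg_hba.conf path and the postgres user come from the write-up. The parser handles plain user rules only (no Defaults, aliases or line continuations) and is no substitute for visudo -c.

```python
import re
import shlex

# Editors known to offer a shell escape. Kept to the vi family the write-up
# concerns; extend for your own environment.
SHELL_ESCAPE_EDITORS = {"vi", "vim"}

# Constructed sample sudoers rules. The pg_hba.conf path is the one named in
# the write-up; the other users and commands are made up for illustration.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
postgres ALL=(root) /bin/vi /etc/postgresql/11/main/pg_hba.conf
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data /mnt/backup
"""

# user host=(runas) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_rules(text: str) -> list:
    """Return a dict per recognised rule; comments, blanks and unrecognised
    lines (Defaults, aliases) are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def audit_rule(rule: dict) -> list:
    """Return (problem, suggested replacement rule) for each editor command
    the rule grants; an empty list means nothing to report."""
    findings = []
    for spec in rule["cmds"].split(","):
        spec = spec.strip()
        if spec == "ALL":
            continue
        argv = shlex.split(spec)
        prog = argv[0].rsplit("/", 1)[-1]
        if prog in SHELL_ESCAPE_EDITORS:
            target = " ".join(argv[1:]) or "<file>"
            fixed = f'{rule["user"]} {rule["host"]}=({rule["runas"]}) sudoedit {target}'
            findings.append((f"{prog} allows a shell escape as {rule['runas'] or 'root'}", fixed))
    return findings


def audit(text: str) -> list:
    """Audit every rule in a sudoers-style text and collect the findings."""
    return [f for rule in parse_rules(text) for f in audit_rule(rule)]


if __name__ == "__main__":
    for problem, fixed in audit(SAMPLE_SUDOERS):
        print("PROBLEM:", problem)
        print("SUGGEST:", fixed)
```

Run against the sample it reports the postgres rule and suggests `postgres ALL=(root) sudoedit /etc/postgresql/11/main/pg_hba.conf`; the rsync rule is left alone. The same check is worth running on the output of `sudo -l` during a review, since that shows the effective rules after aliases are resolved.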