Vaccine writeup

Task 1


Besides SSH and HTTP, what other service is hosted on this box?

A simple service/version scan, nmap -sV -O <IP>, lists the open ports and what is listening on them (note that -O, OS detection, needs root privileges).

Answer : FTP

Task 2


This service can be configured to allow login with any password for specific username. What is that username?

Answer : anonymous

Task 3


What is the name of the file downloaded over this service?

Answer : backup.zip

Task 4


What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?

Answer : zip2john

zip2john extracts the encrypted material from a password-protected ZIP archive and writes it in the hash format John the Ripper understands, so the archive password can be attacked offline with a wordlist or rules. Penetration testers use it to recover archive passwords and to show how little a weak ZIP password is worth.

We save the hash to a file and run john on it (with John's default wordlist):

John prints the cracked password (highlighted in orange in the screenshot) next to the archive name; john --show on the same file lists it again later.
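To see why zip2john plus john gets through a ZIP password so quickly, here is the attack re-implemented from scratch. This is an added example, not code from the writeup or from John the Ripper: it implements the traditional PKWARE "ZipCrypto" cipher so an encrypted entry can be built in memory, then cracks it the way john does, by decrypting only the 12-byte encryption header, comparing its last byte with the high byte of the entry's CRC-32 (a 1-in-256 filter), and fully decrypting and CRC-checking only the candidates that survive. The sample archive content, password and wordlist are constructed; the entry is stored (uncompressed) to keep the code short, which does not change the attack.

```python
"""Why zip2john + john works so fast: a from-scratch ZipCrypto dictionary attack."""
import zlib
from typing import Iterable, Optional, Tuple

# Standard reflected CRC-32 table (polynomial 0xEDB88320), used by the key schedule.
CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    CRC_TABLE.append(_c)


class ZipCryptoKeys:
    """The three 32-bit keys that drive the ZipCrypto keystream (APPNOTE section 6.1)."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)

    def update(self, b: int) -> None:
        self.k0 = CRC_TABLE[(self.k0 ^ b) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def stream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self.stream_byte())
            self.update(p)  # the keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self.stream_byte()
            self.update(p)
            out.append(p)
        return bytes(out)


def encrypt_entry(plaintext: bytes, password: bytes, header_salt: bytes) -> Tuple[bytes, int]:
    """Build one encrypted stored entry: a 12-byte header (11 salt bytes, then the CRC high
    byte) followed by the data. Returns (ciphertext, crc32) as a zip would store them."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = header_salt[:11] + bytes([crc >> 24])
    return ZipCryptoKeys(password).encrypt(header + plaintext), crc


def try_password(ciphertext: bytes, crc: int, candidate: bytes) -> Optional[bytes]:
    """Return the plaintext if `candidate` is the password, else None."""
    keys = ZipCryptoKeys(candidate)
    header = keys.decrypt(ciphertext[:12])
    if header[11] != crc >> 24:  # cheap check: rejects 255 of 256 wrong guesses
        return None
    plaintext = keys.decrypt(ciphertext[12:])
    if (zlib.crc32(plaintext) & 0xFFFFFFFF) != crc:  # full verification for the survivors
        return None
    return plaintext


def crack(ciphertext: bytes, crc: int, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: first word whose decryption passes both checks."""
    for word in wordlist:
        if try_password(ciphertext, crc, word.encode()) is not None:
            return word
    return None


if __name__ == "__main__":
    # Constructed sample: a small "backup" protected with a weak password.
    ct, crc = encrypt_entry(b"DB_PASS=hunter2\n", b"sunshine1", bytes(range(1, 12)))
    print(crack(ct, crc, ["123456", "password", "qwerty", "sunshine1", "letmein"]))  # sunshine1
```

The cost per guess is a handful of table lookups and multiplications, with no salt and no work factor, which is why a real cracker chews through rockyou.txt in seconds; only the strength of the password itself stands in the way.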

Task 5


What is the password for the admin user on the website?

Searching the files extracted from the unlocked archive for a password, we find this code snippet:

The code compares the submitted password against a hard-coded MD5 hash, so we only have the hash, not the password. Unsalted MD5 of a weak password is trivial to reverse: John, Hashcat or an online lookup table all work.

For instance, we used md5decrypt:

Answer : qwerty789
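The lookup md5decrypt performed is nothing more than a dictionary attack on an unsalted fast hash. The following is an added example (not the writeup's code, nor the PHP from the box): it shows the attack against the hash of the recovered password, then the check the application should have used instead, a per-user random salt with PBKDF2-HMAC-SHA256 and a constant-time comparison. The target hash is computed here from the recovered password rather than copied from the screenshot, and the mini-wordlist is constructed.

```python
"""Why a hard-coded, unsalted MD5 falls instantly, and what the check should look like."""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed target: the MD5 of the password recovered in this writeup, computed here
# so the example does not depend on the screenshot.
TARGET_MD5 = hashlib.md5(b"qwerty789").hexdigest()

# Constructed mini-wordlist standing in for rockyou.txt or an online lookup table.
WORDLIST = ["123456", "password", "qwerty", "qwerty123", "qwerty789", "letmein"]


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: one MD5 per candidate, no salt, no work factor."""
    target = target_hex.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


# --- hardened replacement ---------------------------------------------------
# Random per-user salt plus PBKDF2 with a high iteration count: precomputed tables
# are useless and every guess costs the attacker the full iteration count.
PBKDF2_ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(crack_md5(TARGET_MD5, WORDLIST))  # qwerty789
    record = hash_password("qwerty789")
    print(verify_password("qwerty789", record), verify_password("qwerty788", record))
```

With the hardened scheme the same wordlist attack still works against "qwerty789" eventually, because the password itself is weak; the difference is that each guess now costs hundreds of thousands of hash iterations and has to be repeated per user, instead of a single table lookup.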

After logging into the website with admin:qwerty789, we find a user input field (a search bar). Submitting a search shows the term is passed as a URL parameter:

We run sqlmap against that URL to test the parameter for SQL injection. Since the page sits behind the login, we pass our session ID cookie with --cookie so sqlmap's requests are treated as authenticated instead of being redirected to the login form:

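What sqlmap detects here is a search term concatenated straight into the SQL text, so a single quote ends the string literal and the rest of the input is parsed as SQL. The following added example (not the writeup's code; SQLite stands in for the box's PostgreSQL backend and the table and column names are invented) reproduces both probes sqlmap relies on, a boolean condition that returns every row and a UNION that pulls data from another table, against a vulnerable search function, and shows the parameterised version that defeats them.

```python
"""The search-box injection in miniature: vulnerable and parameterised search side by side."""
import sqlite3
from typing import List, Tuple

# Constructed schema: a product catalogue plus the users table an attacker wants to read.
# The hash value is a placeholder, not the one from the box.
SCHEMA = """
CREATE TABLE items(name TEXT, category TEXT);
INSERT INTO items VALUES ('Elixir', 'tonic'), ('Sanitizer', 'hygiene');
CREATE TABLE users(username TEXT, password_md5 TEXT);
INSERT INTO users VALUES ('admin', '00000000000000000000000000000000');
"""


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def search_vulnerable(db: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    # String formatting: the attacker controls part of the SQL text itself.
    sql = f"SELECT name, category FROM items WHERE name LIKE '%{term}%'"
    return db.execute(sql).fetchall()


def search_safe(db: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    # Parameterised: the term is bound as data and never parsed as SQL,
    # so quotes, comments and UNIONs inside it are just characters to match.
    sql = "SELECT name, category FROM items WHERE name LIKE ?"
    return db.execute(sql, (f"%{term}%",)).fetchall()


# Payloads of the kind sqlmap tries. The trailing "-- " comments out the closing %'.
BOOLEAN_PAYLOAD = "zzz' OR 1=1 -- "
UNION_PAYLOAD = "zzz' UNION SELECT username, password_md5 FROM users -- "


if __name__ == "__main__":
    db = build_db()
    print(search_vulnerable(db, BOOLEAN_PAYLOAD))  # every item: the WHERE clause is always true
    print(search_vulnerable(db, UNION_PAYLOAD))    # the admin row from the users table
    print(search_safe(db, UNION_PAYLOAD))          # []: nothing is named like the payload
```

On PostgreSQL the same class of bug goes further than data theft: once sqlmap has a working injection with stacked queries, --os-shell uses the database's own command-execution features to run OS commands as the postgres user, which is exactly the next step in this writeup.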
Task 6


What option can be passed to sqlmap to try to get command execution via the sql injection?

Answer : --os-shell

Next we want a proper reverse shell. Grab a one-liner from Revshells, start a netcat listener, add --os-shell to the previous sqlmap command and run the payload from the shell sqlmap gives us:

We wrap the listener in rlwrap, which adds line editing (arrow keys), command history and tab completion to an otherwise raw reverse shell.

Task 7


What program can the postgres user run as root using sudo?

The obvious command is sudo -l, but it prompts for the postgres user's password, which we don't have yet. So we check the usual places where credentials leak on a web server (hard-coded passwords in application source and configuration files, logs, ...):

Now that we have the postgres user's password, let's reconnect to the target over SSH to get a more stable shell than the one sqlmap gave us.

Then run sudo -l:

Answer : vi

Task 8


Submit user flag

Answer : Found in /home/postgres

Task 9


Submit root flag

sudo -l shows that postgres may run vi as root, but only with /etc/postgresql/11/main/pg_hba.conf as its argument. Let's check GTFOBins to see whether that restriction is enough:

Let's apply it in our case:

Once vi has opened pg_hba.conf as root, we use GTFOBins' option (b): type :set shell=/bin/sh and then :shell. The sudo rule only restricts which file vi is started on; it says nothing about what vi does afterwards, and vi can spawn a shell, so the child shell inherits root. Any sudo rule that grants an editor or a pager as root is a root shell waiting to happen, whatever file it is pinned to.

We are now root (id confirms it), and I'll leave finding the flag to you.

© 2024-2025 JeeZy Blog