Initial scan of Vaccine showed 3 open ports.
Anonymous login to FTP is allowed.
Backup is password protected, although it is a zip
Zip contains index.php with credentials to admin account. Password is in MD5 hash format.
I used john again to crack a hash:
I used the admin credentials to log in to the admin account on port 80.
It looks like a GET parameter is used by this PHP site:
By using an apostrophe, I got information about an SQL query error.
I copied the GET request for this form from Burp to a file.
Now I can use this request in sqlmap.
If the GET parameter is vulnerable, I can try to use --os-shell in sqlmap.
I created another more stable shell
Because this user doesn't have much access, I checked /var/www and found a PHP file with password of file. Using these credentials I can SSH to the machine.
The user can run vi, which is vulnerable to privilege escalation: https://gtfobins.github.io/gtfobins/vi/
In order to escalate privileges I had to run the following commands:
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
Inside vim:
:set shell=/bin/sh
:shell
How to exit VIM??!? -> :q
🙂
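
A defensive check for the sudo rule used above, added here as an example and not part of the original writeup: it flags sudoers entries that run a program with a built-in shell escape (such as vi) as another user without the NOEXEC tag. The account names `dbuser` and `ops`, the sample entries and the short binary list are constructed assumptions.

```python
import re

# Programs with an interactive shell escape (small subset of GTFOBins entries).
ESCAPE_CAPABLE = {"vi", "vim", "view", "less", "more", "man", "ed", "nano"}
TAG_RE = re.compile(r"^([A-Z_]+):\s*")          # e.g. NOPASSWD:, NOEXEC:, EXEC:
RUNAS_RE = re.compile(r"^\([^)]*\)\s*")         # e.g. (root), (ALL : ALL)
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# Constructed sudoers entries; 'dbuser' and 'ops' are placeholder accounts.
SAMPLE = """\
# sample file for the audit below
Defaults env_reset
dbuser ALL=(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
ops    ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog, EXEC: /usr/bin/vim /etc/hosts
dbuser ALL=(root) sudoedit /etc/postgresql/11/main/pg_hba.conf
"""

def audit_sudoers(text):
    """Return (line_no, user, command) for every rule that lets a user run an
    escape-capable program through sudo without NOEXEC in effect."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments (simplified)
        if not line or line.startswith(SKIP) or "=" not in line:
            continue
        lhs, spec = line.split("=", 1)
        user = lhs.split()[0]
        noexec = False                           # tags carry over to later commands
        for cmd in spec.split(","):
            cmd = RUNAS_RE.sub("", cmd.strip())
            while (m := TAG_RE.match(cmd)):
                if m.group(1) == "NOEXEC":
                    noexec = True
                elif m.group(1) == "EXEC":
                    noexec = False
                cmd = cmd[m.end():]
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in ESCAPE_CAPABLE and not noexec:
                findings.append((line_no, user, cmd))
    return findings

if __name__ == "__main__":
    for line_no, user, cmd in audit_sudoers(SAMPLE):
        print(f"line {line_no}: {user} can escape to a shell via: {cmd}")
```

The `sudoedit` entry on the last sample line is not flagged: it edits a temporary copy with the editor running as the invoking user, so a shell spawned from the editor is not a root shell.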