This was a fun challenge with a name that was quite apropos. I started by using an FTP server with an anonymous login to download a file that had a hash for an admin user to a website. Then I used those credentials to launch a shell via sqlmap. After that, I was able to obtain privilege escalation to root by exploiting sudo permissions for a generic user on the web server.

I started with a basic nmap scan:

Nmap scan

The FTP server seemed like the obvious choice. So I logged in with the “anonymous” username and downloaded a file called backup.zip:

Downloading file from FTP

I tried opening the zip file and I was prompted for a password:

Zip password

I remembered reading once that zip passwords were a joke and that I shouldn’t even bother with them, so I started to Google ways to bypass this. I realized John could do it, with a program called zip2john, so I checked to see if I had that on my Kali VM:

I have zip2john

I sure did. I cracked the zip file password, which was a number. I then used that to open the zip archive, which had two files: index.php and style.css.

Cracking the zip file

I opened index.php, and there was an admin hash staring at me in the first few lines:

Hash in index.php file

How convenient. I tried some basic cracking with John, but that was a no go:

John didn’t work

So then I tried hashcat using MD5 mode first (-m 0) with rockyou.txt and BINGO: the password was qwerty789:

Hashcat cracking

I went to the website and used the password and user “admin” to log in. When I did, it looked like there was a car catalog database. And a search bar! That was full of possibilities.

Web site

Search option with a catalog

I decided to search for one of the listed cars to confirm the search function worked. This also gave me a working URL I could use with sqlmap later.

Searching for an item in inventory

Then I searched for an apostrophe and got an SQL error. It looked like this was open to injection:

Logging In

Around this time my HTB instance decided to crap out, so I had to re-spawn a new one with a different IP address. But once that was done, I started up sqlmap and put in the PHPSESSID I had for the admin user. It was definitely open to injection:

Scanning the site with sqlmap

Then I tried using the --os-shell argument to see if I could get some type of shell. It worked. Then I looked up the syntax needed to create a reverse bash shell.

Getting a shell with sqlmap

I started up a listener on my end and executed the command, which gave me the bash shell. I typed the command python3 -c 'import pty;pty.spawn("/bin/bash")', which uses Python's pty (pseudo-terminal utilities) module to upgrade it to an interactive shell.

Once that was done I started looking up information on the user account I was in. I was logged in as the user “postgres”, the service account for the PostgreSQL server.

Looking around

I tried looking at the sudo permissions, but of course I didn’t have the user’s password:

Trying to look at sudo permissions

So I started looking around to see if there might be a password hiding in plain text somewhere on the server or in the command history. After a bit, I found it in the file dashboard.php. The password was P@s5w0rd!:

Another password found

With the password I was able to look up sudo permissions, and the user had permission to run the command /bin/vi /etc/postgressql/11/main/pg_hba.conf as root:

User’s sudo permissions

This rule was meant to let the user edit an authentication configuration file, but I also knew that the vi text editor can be used to launch shells. I used sudo to open the file in vi, hit the escape key, and entered !/bin/bash to launch a shell. Because vi was running with root permissions, I got a root shell. Game over.

I got the root shell
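As an added defensive example (not part of the original write-up), here is a small audit that reads sudoers-style rules and flags commands like the /bin/vi rule above that let the invoking user drop to a shell, suggesting sudoedit (or noexec) as the replacement. The sample rules are constructed for the example; only the pg_hba.conf path comes from the write-up.

```python
import re
import shlex

# Constructed sample sudoers content. The vi rule mirrors the one found in
# the write-up; the other lines are made up to show non-flagged cases.
SAMPLE_SUDOERS = """
Defaults env_reset
root ALL=(ALL:ALL) ALL
postgres ALL=(ALL) /bin/vi /etc/postgressql/11/main/pg_hba.conf
www-data ALL=(root) NOPASSWD: /usr/bin/less /var/log/apache2/access.log
backup ALL=(root) /usr/bin/rsync
"""

# Editors and pagers that can spawn a child shell (":!sh" and similar) when
# run under sudo without noexec. Assumption: illustrative list, not complete.
SHELL_ESCAPE_CAPABLE = {"vi", "vim", "view", "less", "more", "nano", "man"}
EDITORS = {"vi", "vim", "view", "nano"}

# user host=(runas) [NOPASSWD:] cmd1, cmd2 ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return (user, command, finding, suggestion) tuples for risky rules."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        cmds = cmds.replace("NOPASSWD:", "").replace("PASSWD:", "")
        for cmd in (c.strip() for c in cmds.split(",")):
            parts = shlex.split(cmd) if cmd and cmd != "ALL" else []
            if not parts:
                continue
            prog = parts[0].rsplit("/", 1)[-1]
            if prog not in SHELL_ESCAPE_CAPABLE:
                continue
            # An editor on a single file can be replaced by sudoedit, which
            # edits a temp copy as the caller and copies it back as root.
            if prog in EDITORS and len(parts) == 2:
                suggestion = "sudoedit " + parts[1]
            else:
                suggestion = "add 'Defaults!" + parts[0] + " noexec' or remove the rule"
            finding = "shell escape possible" + (" (NOPASSWD)" if nopasswd else "")
            findings.append((m.group("user"), cmd, finding, suggestion))
    return findings
```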