Vaccine - HTB Starting Point

Easy | Published 2026-05-21 | Sanitized local writeup

Objective

Machine walkthrough focused on evidence, validation, and reusable operator lessons.

[Figure: Vaccine - HTB Starting Point sanitized attack graph]

Source coverage

Moderate source coverage (57%)

Status: partial. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

Evidence verdict

Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.

Sources:

  • <TARGET>-Vaccine/walkthrough.md
  • HTB/<TARGET>-Vaccine/notes.md

Technical Walkthrough

Vaccine - HTB Starting Point Walkthrough

Target Info

  • IP: <TARGET>
  • OS: Linux (Ubuntu 19.10)
  • Difficulty: Easy
  • Chain: Archetype -> Oopsie -> Vaccine

Attack Chain Summary

FTP Anonymous -> backup.zip -> crack zip (741852963) -> web app creds (admin:qwerty789) -> SQLi on dashboard search -> RCE as postgres -> SSH key extraction -> sudo vi shell escape -> root

Lessons Learned

  1. Credential chaining: Anonymous FTP -> ZIP password -> MD5 hash -> web login -> SQLi -> SSH key -> sudo privesc. Each step builds on the last.
  2. ZIP password cracking: Always try zip2john + rockyou for password-protected archives.
  3. PostgreSQL COPY FROM PROGRAM: When sqlmap identifies PostgreSQL with DBA privileges, --os-cmd uses COPY ... FROM PROGRAM for RCE.
  4. vi sudo escape: When vi or vim can be run as root via sudo, use :!command to execute arbitrary commands as root.
  5. Non-interactive vi exploitation: Use pexpect (Python) when expect is unavailable for automating interactive terminal programs through multiple SSH hops.
  6. SSH key extraction: Always check ~/.ssh/ directories of compromised users for additional access methods.

Tools Used

  • nmap, john/zip2john, sqlmap, pexpect (Python), SSH

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Target: <TARGET>
  • Attacker (VPN): <TARGET>
  • Pwnbox: <TARGET> (x08)
  • Difficulty: Easy
  • OS: Linux
  • Started: 2026-05-05

Chain Context

Archetype -> Oopsie -> Vaccine (Starting Point chain)

Known creds from previous boxes:

  • admin:MEGACORP_4dm1n!! (Archetype)
  • robert:M3g4C0rpUs3r! (Oopsie)
  • ftpuser:mc@F1l3ZilL4 (possible from Oopsie)

Phase 0: Setup

  • [x] Pwnbox SSH verified
  • [x] Target reachable (ping OK, TTL=63 -> Linux)
  • [x] Workspace created

Phase 1: Recon

Nmap (21:12 CDT)

  • 21/tcp - FTP vsftpd 3.0.3 (Anonymous login allowed, backup.zip found)
  • 22/tcp - SSH OpenSSH 8.0p1 Ubuntu
  • 80/tcp - HTTP Apache 2.4.41 (Ubuntu), "MegaCorp Login", PHP (<secret redacted>)

FTP Anonymous Access

  • Downloaded backup.zip (2533 bytes)
  • ZIP is password-protected (contains index.php, style.css)

ZIP Cracking (zip2john + john)

  • Password: <redacted>

index.php Contents

  • Login check: username=admin, md5(password) = <hash redacted>
  • MD5 cracked with john: qwerty789
  • Web creds: admin:qwerty789

Web App (dashboard.php)

  • "MegaCorp Car Catalogue" with search box (GET parameter search)
  • PostgreSQL backend confirmed (error-based SQLi with single quote)
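The error-based finding above comes from the search term being spliced into the SQL text. The following is an added example, not code from the writeup or from the target application: it shows the injectable query shape beside the parameterized fix, with a constructed in-memory catalogue. SQLite is used as an offline stand-in for the PostgreSQL backend (an assumption; the vulnerable and fixed query shapes are the same in both), and the `published` column is invented to make the impact visible.

```python
import sqlite3

# Constructed sample catalogue standing in for the "MegaCorp Car Catalogue".
# The last row is unpublished: a correct search must never return it.
CARS = [
    ("Elixir", "Sports", 1),
    ("Sandy", "Sedan", 1),
    ("Hidden Prototype", "Concept", 0),
]


def make_db():
    """Build an in-memory catalogue (SQLite stands in for PostgreSQL here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (name TEXT, type TEXT, published INTEGER)")
    conn.executemany("INSERT INTO cars VALUES (?, ?, ?)", CARS)
    return conn


def search_vulnerable(conn, term):
    """The injectable shape: the user's search term becomes part of the SQL text."""
    sql = f"SELECT name FROM cars WHERE published = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterized form: the term travels as a bound value, never as SQL."""
    sql = "SELECT name FROM cars WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def raises_db_error(conn, search_fn, term):
    """True if the search raises a database error. This mirrors the writeup's
    single-quote probe, where a visible SQL error confirmed the injection."""
    try:
        search_fn(conn, term)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR 1=1 --"
    print("vulnerable:", search_vulnerable(conn, probe))  # includes the unpublished row
    print("safe:      ", search_safe(conn, probe))        # matches nothing
    print("quote error, vulnerable:", raises_db_error(conn, search_vulnerable, "'"))
    print("quote error, safe:      ", raises_db_error(conn, search_safe, "'"))
```

The parameterized version still lets `%` and `_` act as LIKE wildcards inside the term; that is a search-quality issue, not an injection, and can be handled with an ESCAPE clause if needed. A web application firewall or input "sanitizing" is not a substitute for the bound parameter.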

Phase 3: Synthesis

Services: FTP (anon), SSH, HTTP (PHP+PostgreSQL)

Credentials found: admin:qwerty789 (web), P@s5w0rd! (postgres DB)

Attack path: SQLi -> os-cmd via COPY FROM PROGRAM -> user flag -> sudo vi privesc -> root

Backup path: SSH key extraction from postgres user

Phase 4: Foothold

SQLi via sqlmap

  • sqlmap -u 'http://<TARGET>/dashboard.php?search=test' --cookie='<redacted>' --os-cmd='...'
  • Injection types: boolean-blind, error-based, stacked queries, time-based
  • RCE as postgres (uid=111)
  • User flag in /var/lib/postgresql/user.txt
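From the defender's side, both halves of this step leave traces in the PostgreSQL server log: sqlmap's probing generates a burst of parse errors from one backend process, and the `--os-cmd` stage issues `COPY ... FROM PROGRAM`. The following added example (not part of the writeup) scans constructed log lines for both signatures. It assumes the default `log_line_prefix` of `%m [%p] %q%u@%d ` and `log_statement = 'all'` so that statements, not only errors, are logged; the sample lines, process ids, database name and `cmd_exec` table name are constructed.

```python
import re
from collections import Counter

# Constructed PostgreSQL log lines (default prefix style, log_statement = 'all').
SAMPLE_LOG = """\
2026-05-05 21:30:01.123 CDT [4242] postgres@carsdb LOG:  statement: SELECT * FROM cars WHERE name ILIKE '%elixir%'
2026-05-05 21:30:05.201 CDT [4242] postgres@carsdb ERROR:  unterminated quoted string at or near "'%'"
2026-05-05 21:30:05.201 CDT [4242] postgres@carsdb STATEMENT:  SELECT * FROM cars WHERE name ILIKE '%'%'
2026-05-05 21:30:06.317 CDT [4242] postgres@carsdb ERROR:  syntax error at or near "AND"
2026-05-05 21:30:07.402 CDT [4242] postgres@carsdb ERROR:  syntax error at or near ")"
2026-05-05 21:31:10.001 CDT [4242] postgres@carsdb LOG:  statement: COPY cmd_exec FROM PROGRAM 'id'
2026-05-05 21:31:10.050 CDT [4242] postgres@carsdb LOG:  statement: SELECT * FROM cmd_exec
2026-05-05 21:40:00.000 CDT [5100] app@carsdb LOG:  statement: SELECT * FROM cars WHERE name ILIKE '%sedan%'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# Server-side command execution through COPY, the primitive sqlmap's --os-cmd uses.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.IGNORECASE)
# Parse errors typical of injection probing against a string-built query.
SYNTAX_ERROR_RE = re.compile(r"syntax error|unterminated quoted string", re.IGNORECASE)
ERROR_BURST_THRESHOLD = 3  # parse errors from one backend pid before we alert


def parse_line(line):
    """Split one log line into its prefix fields and message, or None if unparsable."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return (rule, pid, user, detail) findings for the two signatures above."""
    findings = []
    syntax_errors = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if COPY_PROGRAM_RE.search(rec["msg"]):
            findings.append(("copy_from_program", rec["pid"], rec["user"], rec["msg"]))
        if rec["level"] == "ERROR" and SYNTAX_ERROR_RE.search(rec["msg"]):
            syntax_errors[(rec["pid"], rec["user"])] += 1
    for (pid, user), n in syntax_errors.items():
        if n >= ERROR_BURST_THRESHOLD:
            findings.append(("syntax_error_burst", pid, user, f"{n} SQL parse errors"))
    return findings


if __name__ == "__main__":
    for rule, pid, user, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{rule:20} pid={pid} user={user} {detail}")
```

The COPY signature only exists because the web application connects as `postgres`, a superuser. Since PostgreSQL 11 (the version the target's `pg_hba.conf` path indicates), `COPY ... FROM PROGRAM` requires superuser or membership in `pg_execute_server_program`; giving the application its own unprivileged role removes the RCE step from this chain regardless of the injection.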

SSH Key Extraction

  • Found /var/lib/postgresql/.ssh/id_rsa via os-cmd
  • Used key to SSH directly as postgres

Database Credentials

  • pg_shadow: postgres:md52d58e0637ec1e94cdfba3d1c26b67d01
  • dashboard.php connection string: postgres:P@s5w0rd!

Phase 5: Privilege Escalation

sudo -l (with password P@s5w0rd!)

```text
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
```

vi Shell Escape

  • Used pexpect on Pwnbox for interactive session
  • Ran :!cat /root/root.txt > /tmp/rootflag.txt from within vi
  • Root flag captured
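The sudo rule itself is the root cause here: any grant that runs an interactive editor as root hands over a shell through `:!`, whether or not the file argument is fixed. As an added example (not from the writeup), the following linter parses `sudo -l` output for editor grants and emits the replacement sudoers line using `sudoedit`, which edits a temporary copy as the calling user and performs only the final write with privilege. The `sudo -l` sample text and the hostname `vaccine` are constructed; the editor set is limited to the vi family named in this writeup and should be extended from your own baseline.

```python
import os
import re

# Editors that can run a subcommand from inside the program (:!cmd in vi/vim).
SHELL_ESCAPE_CAPABLE = {"vi", "vim", "view", "vimdiff"}

# One "(runas) [TAG: ...] /path/cmd args" line as printed by sudo -l.
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+)\s*(?P<args>.*?)\s*$"
)

# Constructed sudo -l output mirroring the grant found on the target.
SAMPLE_SUDO_L = """\
Matching Defaults entries for postgres on vaccine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
"""


def parse_sudo_l(text):
    """Extract command grants from sudo -l output; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["tags"] = {t.strip(": ") for t in rule["tags"].split()}
            rules.append(rule)
    return rules


def lint(rules):
    """Return (severity, rule, reason) for grants that let an editor run as another user."""
    findings = []
    for rule in rules:
        prog = os.path.basename(rule["cmd"])
        if prog not in SHELL_ESCAPE_CAPABLE:
            continue
        if "NOEXEC" in rule["tags"]:
            findings.append(("low", rule,
                             f"{prog} with NOEXEC: child processes are blocked, but sudoedit is the cleaner grant"))
        elif rule["args"]:
            findings.append(("high", rule,
                             f"{prog} as {rule['runas']}: a fixed file argument does not prevent a :!cmd shell escape"))
        else:
            findings.append(("high", rule,
                             f"{prog} as {rule['runas']} with no file restriction: shell escape and arbitrary file writes"))
    return findings


def suggest(rule, user):
    """Replacement sudoers line: sudoedit never runs the editor with privilege."""
    if rule["args"]:
        return f"{user} ALL=({rule['runas']}) sudoedit {rule['args']}"
    return f"# {user}: name the files explicitly, e.g. {user} ALL=({rule['runas']}) sudoedit /path/to/file"


if __name__ == "__main__":
    rules = parse_sudo_l(SAMPLE_SUDO_L)
    for severity, rule, reason in lint(rules):
        print(f"[{severity}] {rule['cmd']} {rule['args']}: {reason}")
        print("  replace with:", suggest(rule, "postgres"))
```

`NOEXEC` is rated low rather than clean because it relies on the LD_PRELOAD-based hook working for the editor in question; `sudoedit` removes the problem by design and is also what the original grant was trying to achieve, since the intent was to let `postgres` edit one configuration file.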

Flags

  • User: <hash redacted>
  • Root: <hash redacted>