Enumeration & Reconnaissance
I started with a full-port Nmap scan to map the attack surface of the Vaccine target.
The scan revealed an FTP service (port 21) allowing anonymous access, an SSH service (port 22), and an HTTP web application on port 80. The FTP server contained a backup zip file that hinted at the web application stack.
SQL Injection Foothold
The web application at http://vaccine.htb presented a login portal for a vaccine management system. I tested for SQL injection by submitting a single quote (') into the username field, which triggered a database error — a clear sign of SQLi vulnerability.
Using sqlmap, I enumerated the database and dumped credentials from the pg4w database. The hash was a bcrypt password that cracked to reveal credentials for the postgres user:
sqlmap -u "http://vaccine.htb/index.php" --method POST --data "username=admin&password=admin" --batch --dump
The pg4w (PostgreSQL for Windows) tool uses a config file at C:\ProgramData\pg4w\pg4w.conf that stores passwords in plaintext. With the Postgres credentials, I connected to the database and extracted the password stored in the pg4w configuration, which gave me a foothold on the system.
Post-Exploitation & Lateral Move
With initial access, I enumerated the file system and discovered credential files that allowed lateral movement within the host. The postgres user had a home directory containing SSH keys and configuration files.
I discovered that the same password was reused across multiple services. By checking password managers and configuration files, I found credentials that granted access to the www-data user context.
Privilege Escalation to Root
Running sudo -l revealed that the current user could execute /bin/vi as root without a password. This is a well-known privilege escalation vector — vi can spawn a shell from within the editor using :!sh.
sudo /bin/vi -c ':!sh'
This spawned a root shell, granting full control over the system. The root flag was located at /root/root.txt.
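A defender-side check for the sudo misconfiguration above, as an added example that is not part of the original write-up: it parses `sudo -l` style output and flags rules that let a user run an editor or pager as root without the sudoers NOEXEC tag. The binary list, the function names and the sample output are assumptions constructed for illustration.

```python
import os
import re

# Assumed starter list of programs that can run other commands; extend as needed.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "ed", "nano", "less", "more", "man"}

RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) [TAG:] cmd, cmd"
TAG_RE = re.compile(r"^([A-Z_]+):\s*")             # NOPASSWD:, NOEXEC:, PASSWD:, ...

def parse_sudo_l(output):
    """Return a list of (runas, tags, command) from `sudo -l` style output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header or "Matching Defaults" lines
        runas = m.group(1).split(":")[0].strip()
        tags = set()
        for cmd in re.split(r"(?<!\\),", m.group(2)):
            cmd = cmd.strip()
            while (t := TAG_RE.match(cmd)):        # tags carry over to later commands
                tag = t.group(1)
                tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)
                tags.add(tag)
                cmd = cmd[t.end():]
            if cmd:
                rules.append((runas, frozenset(tags), cmd))
    return rules

def risky_rules(output):
    """Flag root-capable rules for shell-escape binaries that lack NOEXEC."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(output):
        binary = os.path.basename(cmd.split()[0])
        if runas in ("root", "ALL") and binary in SHELL_ESCAPE_BINARIES and "NOEXEC" not in tags:
            findings.append((cmd, "NOPASSWD" in tags))
    return findings

# Constructed sample output, not taken from the target in this write-up.
SAMPLE = """\
User appuser may run the following commands on host01:
    (root) NOPASSWD: /bin/vi
    (root) /usr/bin/systemctl status nginx
    (ALL : ALL) NOEXEC: /usr/bin/less /var/log/syslog, EXEC: /usr/bin/vim /etc/hosts
    (backup) NOPASSWD: /usr/bin/vim
"""

if __name__ == "__main__":
    print(risky_rules(SAMPLE))
```

Where a rule exists only so that someone can edit a file, `sudoedit` avoids running the editor itself as root.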
Flag Capture
cat /home/postgres/user.txt
cat /root/root.txt