Machine name: vaccine stuck on getting SQL code execution shell

Hi forum, a bit stuck here on starting point machine vaccine.

Everything has gone well so far up until the point that I attempt to get code execution with sqlmap.

Running the command below identifies multiple injection points. Good, as expected.
sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=73jv7pdmjsv7dsspoqtnlv66ls"

Then running:
sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=73jv7pdmjsv7dsspoqtnlv66ls" --os-shell

Causes a connection timeout. I lose my session on the page and have to close the browser and reopen it before I can get back to the login page. The network stays up and I can ping 10.10.10.46 when this happens.

After reopening the browser and getting a new PHP session ID I can rerun the commands above but they drop the connection again. Any ideas?

Also just to add, I did update the command with the new PHP Session ID when this happened…

The same is happening to me. Voted to reset lab just in case. And yes, I tried with several PHP session ID cookies.

The connection always drops at this point:

“testing if current user is DBA”

And it just times out.

Same exact issue, apparently this isn’t uncommon: Starting Point machine [Vaccine] - Machines - Hack The Box :: Forums. Locked out of both EU and US now.

Glad I stumbled upon this. I started Vaccine a little bit ago and kept running into connection timeout when issuing sqlmap command with --os-shell. Tried different session IDs and kept running into the same thing.

Do you just wait it out at this point?

Today I came up to the same issue (EU server). Couple of hours later I tried again and it worked. Opening the address in browser also timed out when there was a problem with sqlmap.

ok good stuff thanks for confirming that

@redrom01 said:

The same is happening to me. Voted to reset lab just in case. And yes, I tried with several PHP session ID cookies.

The connection always drops at this point:

“testing if current user is DBA”

And it just times out.

yep I had this too. Voting to reset.

I was the fifth reset vote. It’s just reset.

It’s still timing out for me though…

Hello,
Any of you have issues with the version of PostgreSQL? After successfully running sqlmap, I get the following:

[13:57:17] [INFO] the back-end DBMS is PostgreSQL
back-end DBMS: PostgreSQL
[13:57:17] [INFO] fingerprinting the back-end DBMS operating system
[13:57:17] [INFO] the back-end DBMS operating system is Linux
[13:57:18] [INFO] testing if current user is DBA
[13:57:18] [WARNING] the SQL query provided does not return any output
[13:57:18] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:57:18] [INFO] retrieved:
[13:57:18] [WARNING] unexpected HTTP code ‘302’ detected. Will use (extra) validation step in similar cases

[13:57:19] [INFO] detecting back-end DBMS version from its banner
[13:57:19] [INFO] resumed: ‘’

[13:57:19] [CRITICAL] unsupported feature on versions of PostgreSQL before 8.2

What command did you execute? I am about to test this again shortly; I’ll update the results after doing so.

Nope. I am still getting disconnected after running:

sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=73jv7pdmjsv7dsspoqtnlv66ls" --os-shell

sqlmap worked just fine without the --os-shell

@NeoCortex2000 Of course you can also do the injection manually. First, it would be a very good exercise, and second, it worked (I just tested it)

I got to thinking last night about alternative approaches to getting into this machine but was drawing blanks so thanks for the suggestion!

Could you provide a little more detail on how one would approach manual injection please?

Hi all,

I’m stuck on the machine as well, mainly because --os-shell in sqlmap times out and seems to invalidate my current session cookie.

I’ve gotten to the point now where I can manually navigate the tables and run simple commands via code in the search box (e.g. run “ls” and print the output in the first column).

Where I’m stuck now is getting shell or a reverse shell to run. Using any variation of “nc” just exits with error code 1 or 2.

Appreciate any pointers!

Thx!

I’m still stuck on this too… pointers double appreciated!

@sechzehn If you can already navigate through the tables you’re almost done. Think about what you could find in the tables? A username? Maybe a hashed password? On the machine ssh is activated; with your gained information you could just simply log in via ssh instead of trying to upload a shell :wink:

I think it’s not a problem with the machine itself but rather something caused by users messing around in /etc/postgresql since I had the same problem but was able to complete the machine successfully by exploiting immediately after a reset. Little tip: the section of the walkthrough mentioning vim does not mean you have to edit the file!

Hello everyone,

For those experiencing issues with port 80 interaction on Vaccine, please take note that as @drugantibus reported, this is due to users exiting their os-shell improperly. You will have to issue a reset vote every time Vaccine is unresponsive on port 80 or switch servers to find a working Vaccine SQL service.

Thank you.

@0nenine9 said:

Hello everyone,

For those experiencing issues with port 80 interaction on Vaccine, please take note that as @drugantibus reported, this is due to users exiting their os-shell improperly. You will have to issue a reset vote every time Vaccine is unresponsive on port 80 or switch servers to find a working Vaccine SQL service.

Thank you.

I’ve been stuck on this for days now because people keep on crashing the server. Literally as soon as a reset vote is done someone almost IMMEDIATELY screws it up again… Very frustrating, especially as this is supposed to be a beginner box.

Does VIP access include VIP access to the starting servers or only the servers past this point? At this stage I’m willing to just throw money at the issue so I can move on.
