Hack The Box: Perfection

What will you learn? Perfection is an easy-rated Linux machine running a web application that calculates weighted test results for students. A regex filter bypass makes this application susceptible to Server-Side Template Injection (SSTI) in its Ruby backend, and the SSTI can be used to get initial access to the machine. Enumeration shows the user is a member of the `sudo` group. Further enumeration exposes a database of password hashes, and the user's mail describes the format that passwords follow. The user's password is recovered with a mask attack on the hash, and it is used to obtain `root` access.

Let’s start enumerating the box:

The following interesting ports are open: 22 (SSH) and 80 (HTTP). Port 80 serves what appears to be a grade calculator of some sort, behind NGINX.

We can browse to the application and run Wappalyzer to get an idea of what is running on the backend before we start poking at it.

At the bottom of the page the application reveals its Ruby web server library: WEBrick 1.7.0.

We also can see some potential usernames on the about page.

The calculator page is interesting because it has a lot of input fields. Filling them all out normally returns the calculated grade, provided the weights add up to 100.

We use Burp Suite to intercept the request and start testing payloads against the application, watching the response each time. Here is a normal request and response, which we can start modifying to see what happens.

Testing for SSTI, where injected template syntax should be reflected back on the page, the Ruby payloads we tried were met with a "Malicious input blocked" message.

The web application has input validation of some sort that rejects certain characters it considers bad. We should look for a Ruby SSTI payload to test with, for example from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#ruby, where the classic probe is <%= 7 * 7 %>: if the template engine evaluates it, 49 shows up in the response.

We can copy our POST request to a file and fuzz one of the fields with a wordlist of characters to see which ones are blocked (the FUZZ keyword and the -fs flag below are ffuf's).

We put the keyword FUZZ in the file at the position where each character from the wordlist should be inserted.

We will get spammed with responses of one particular size (the "blocked" page). We can filter those out on the next run by adding -fs <filesize>, which omits every response of that size.

So now we can see that the only characters that get through are &, / and +. Note that & and + are form-encoding metacharacters (the parameter separator and the encoded space), so the server decodes them before the filter ever sees them. This is not a lot to work with; URL encoding is likely going to be required.

We can prefix the payload with a newline encoded as %0a, encode the % signs of the ERB tags as %25, and add a semicolon at the end. Sending that, we find out we do have SSTI here. The newline gets past the check because in Ruby regexes ^ and $ match at line boundaries rather than at the ends of the whole string, so a filter anchored with them only inspects the first line of the input.
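Why the newline bypass works, as an added Ruby example (this is illustrative code, not the box's source): a hypothetical filter anchored with ^ and $ only sees the first line of the value, while one anchored with \A and \z sees the whole string. The template, the field name and the allowed-character set are assumptions; the encoded payload mirrors the %0a / %25 trick described above.

```ruby
require 'erb'
require 'cgi'

# Hypothetical filter in the spirit of the app's "malicious input blocked"
# check: allow only letters, digits and spaces. ^ and $ are LINE anchors in
# Ruby, so only the first line of the value is ever inspected.
def weak_filter_ok?(value)
  !(value =~ /^[a-zA-Z0-9 ]+$/).nil?
end

# Hardened check: \A and \z anchor to the start and end of the whole string,
# so a value containing "\n" followed by template syntax is rejected.
def strict_filter_ok?(value)
  !(value =~ /\A[a-zA-Z0-9 ]+\z/).nil?
end

# Vulnerable rendering: the user value is interpolated into the template
# source before ERB compiles it, so <%= %> tags in the value get executed.
def render_vulnerable(value)
  ERB.new("<p>Category: #{value}</p>").result(binding)
end

# Safe rendering: the value is passed as data and HTML-escaped on output,
# so template syntax inside it is displayed, never evaluated.
def render_safe(value)
  ERB.new("<p>Category: <%= CGI.escapeHTML(v) %></p>").result_with_hash(v: value)
end

# The value as the browser sends it (constructed): legitimate text, a newline
# (%0a), then an ERB tag whose '%' signs are encoded as %25.
ENCODED_PAYLOAD = 'Math%0a<%25=7*7%25>'

if __FILE__ == $0
  decoded = CGI.unescape(ENCODED_PAYLOAD)                    # "Math\n<%=7*7%>"
  puts "weak filter passes:   #{weak_filter_ok?(decoded)}"   # true
  puts "strict filter passes: #{strict_filter_ok?(decoded)}" # false
  puts render_vulnerable(decoded)                            # 7*7 evaluated to 49
  puts render_safe(decoded)                                  # tag shown escaped
end
```

The first-line-only behaviour is the whole bug: `weak_filter_ok?` happily accepts "Math\n<%=7*7%>", and because the value is spliced into the template source, ERB evaluates the tag. The fix is two-fold, anchor with \A and \z and never build template source from user input.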

Now that we are able to run payloads, we can use the Ruby section of PayloadsAllTheThings to read the /etc/passwd file from the target.

Now we can attempt to get an initial foothold using a bash reverse shell inside our encoded payload.

This will be our reverse shell command, encoded in base64.

Now we start a netcat listener on port 9001.

This is what we send: the base64 is decoded and piped to bash on the target, with the allowed + character used as the form-encoded space between the words of the command.

We’ve acquired the initial foothold on the box as the user Susan.

Use the first Python payload from https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/full-ttys to upgrade to a full TTY and get a more stable shell.

We can see that Susan is a member of the `sudo` group, but we cannot list her sudo permissions with sudo -l without first having her password.

Searching the file system turns up an email describing how passwords are generated.

Susan's home directory contains a directory related to the contents of the email, and in it an SQLite database file.

We can open this file with sqlite3, list the tables, find a users table and dump it to obtain a hash for the susan user.

We can take this offline and use the tool hash-identifier to find out what kind of hash Susan's is; it appears to be a SHA-256 hash (a hash, not an encryption: there is no key to recover, so the only way in is to guess candidates and compare).

To crack her password we have some information about how it is constructed, so we can run a mask attack, which generates candidates matching a specific pattern. We know the password will be susan, an underscore, nasus, an underscore and a number, so we can build a hashcat command with a mask of that shape (SHA-256 is hashcat mode 1400, and -a 3 selects mask mode).
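What the mask attack does under the hood, as an added Ruby example (not from the original post): walk every candidate of the form susan_nasus_ plus 1..N digits, the way hashcat's --increment walks ?d, ?d?d, ..., and compare the SHA-256 of each with the target. The number of digits is not stated on the page, so the length is a parameter, and the target hash is constructed for the demo rather than being Susan's real one.

```ruby
require 'digest'

# Enumerate a hashcat-style mask: fixed prefix followed by 1..max_digits
# digits (?d), in the order `--increment` would try them.
def mask_candidates(prefix, max_digits)
  return to_enum(:mask_candidates, prefix, max_digits) unless block_given?
  (1..max_digits).each do |n|
    (0...10**n).each { |i| yield "#{prefix}#{i.to_s.rjust(n, '0')}" }
  end
end

# Unsalted SHA-256 (hashcat -m 1400): hash each candidate and compare.
# Returns the matching candidate, or nil if the mask does not cover it.
def mask_crack(target_hex, prefix, max_digits)
  target = target_hex.strip.downcase
  mask_candidates(prefix, max_digits).find { |c| Digest::SHA256.hexdigest(c) == target }
end

# Constructed target for the demo (NOT the hash from the box): the SHA-256 of
# a password that follows the pattern described in the email.
DEMO_HASH = Digest::SHA256.hexdigest('susan_nasus_2718')

if __FILE__ == $0
  puts mask_crack(DEMO_HASH, 'susan_nasus_', 4) # => susan_nasus_2718
end
```

Hashcat does the same enumeration on the GPU with the equivalent mask 'susan_nasus_?d?d?d?d' (extended with --increment to try shorter lengths first); the point of the mask is that the keyspace is 10^N candidates instead of the whole password space.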

Now that we have Susan's password we can see what sudo -l reveals. It tells us she can run any command with sudo, so we can become the root user and finish the box!
