In this post, I would like to share a walkthrough of the Perfection machine from Hack The Box.


This machine is rated Easy on Hack The Box.

What will you gain from the Perfection machine?


For the user flag, you need to abuse a vulnerability identified in the “weighted grade calculator” application on the web server. After multiple unsuccessful attempts with various payloads, a template injection vulnerability was exploited using Ruby payloads. This gave arbitrary code execution and allowed the /etc/passwd file to be read. A reverse shell was then obtained as the user ‘susan’, whose home directory contained a database file with password hashes.


As for the root flag, you need to use hashcat to crack the hash for Susan’s account; combined with information from an email file in /var/spool/mail, Susan’s password was recovered. With this password, it turned out that ‘susan’ had unrestricted sudo privileges, enabling direct escalation to root.

Information Gathering on the Perfection Machine


Once the VPN connection is up (the connection file is downloaded from Hack The Box), we can start with an nmap scan.

┌─[darknite@parrot]─[~/Documents/htb/perfection]
└──╼ $nmap -sC -sV 10.10.11.253 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2024-07-06 07:19 EDT
Nmap scan report for 10.10.11.253
Host is up (0.049s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 80:e4:79:e8:59:28:df:95:2d:ad:57:4a:46:04:ea:70 (ECDSA)
|_  256 e9:ea:0c:1d:86:13:ed:95:a9:d0:0b:c8:22:e4:cf:e9 (ED25519)
80/tcp open  http    nginx
|_http-title: Weighted Grade Calculator
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.90 seconds
┌─[darknite@parrot]─[~/Documents/htb/perfection]
└──╼ $

Let’s access the website interface.


There is nothing interesting to look into on the website interface.


We also cannot get anything useful via Burp Suite.


Therefore, let’s visit another page by clicking the “Calculate your weighted grade” button.


The response shows that the weight percentages must add up to a total of 100.


Let’s fill in every column and inspect the request via Burp Suite.


The response will look something like the one shown above.


Let’s create a file containing the reverse shell command, which will be used to get a reverse shell connection back to us.


Let’s start a Python web server on our attacking machine.


We also need to start our listener.


After some research, we should be able to fetch our file by putting a curl command into the request in Burp Suite.


We managed to transfer the file to the victim’s machine.


Boom! We have successfully retrieved the reverse shell connection back to us.


We can read the user flag with the “cat user.txt” command.
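The bug class summarised at the top of the post is user input ending up inside a Ruby ERB template. As an added example (not the box's application code; the field layout and limits are assumptions), here is how a weighted grade form can be handled safely: validate strictly, flag template delimiters for logging, and pass the values to a fixed template as data rather than building the template from the request.

```ruby
require 'erb'
require 'cgi'

CATEGORY_RE = /\A[A-Za-z0-9 ]{1,32}\z/.freeze
TEMPLATE_TAG_RE = /<%|%>/.freeze

# Detection signal for logging/alerting: ERB delimiters never belong in a form field.
def suspicious_input?(value)
  value.to_s.match?(TEMPLATE_TAG_RE)
end

def int_in_range?(v, lo, hi)
  v.is_a?(Integer) && v.between?(lo, hi)
end

# rows: array of { category: String, grade: Integer, weight: Integer }
# Returns [valid, errors]. Weights must total exactly 100, as the app requires.
def validate_rows(rows)
  return [false, ['at least one row required']] if !rows.is_a?(Array) || rows.empty?
  errors = []
  rows.each_with_index do |r, i|
    errors << "row #{i}: category must be 1-32 letters, digits or spaces" unless r[:category].to_s.match?(CATEGORY_RE)
    errors << "row #{i}: grade must be an integer 0..100" unless int_in_range?(r[:grade], 0, 100)
    errors << "row #{i}: weight must be an integer 0..100" unless int_in_range?(r[:weight], 0, 100)
  end
  total = rows.sum { |r| r[:weight].is_a?(Integer) ? r[:weight] : 0 }
  errors << "weights must total 100, got #{total}" unless total == 100
  [errors.empty?, errors]
end

# Weighted grade = sum(grade * weight) / 100, rounded to two decimals.
def weighted_grade(rows)
  (rows.sum { |r| r[:grade] * r[:weight] } / 100.0).round(2)
end

# Fixed template: user data only enters via result_with_hash and is HTML-escaped on output.
RESULT_TEMPLATE = ERB.new(<<~HTML, trim_mode: '-')
  <ul>
  <%- rows.each do |r| -%>
  <li><%= CGI.escapeHTML(r[:category]) %>: <%= r[:grade] %> (<%= r[:weight] %>%)</li>
  <%- end -%>
  </ul>
  <p>Weighted grade: <%= grade %></p>
HTML

def render_result(rows)
  ok, errors = validate_rows(rows)
  return "<p>Rejected: #{CGI.escapeHTML(errors.join('; '))}</p>" unless ok
  RESULT_TEMPLATE.result_with_hash(rows: rows, grade: weighted_grade(rows))
end
```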

Escalating to Root Privileges


At last, we managed to read the email that explains the password.


After a while, we managed to find the hash for Susan Miller.



Finally, we managed to obtain the password for susan.


It looks like there is no special binary to execute here.


We have successfully obtained a root shell.


We can read the root flag with the “cat root.txt” command.