In this post, I would like to share a walkthrough of the Perfection Machine from Hack the Box

This room will be considered an Easy machine on Hack the Box

What will you gain from the Perfection machine?

For the user flag, you need to abuse the vulnerability that identified was in the “weighted grade calculator” application on the web server. After multiple unsuccessful attempts with various payloads, a template injection vulnerability was successfully exploited using Ruby payloads. This allowed for arbitrary code execution and the reading of the /etc/passwd file. Consequently, a reverse shell was obtained as the user ‘susan,’ whose home directory contained a database file with password hashes.

As for the root flag, you need to use hashcat to crack the hash for Susan’s account and leveraging information from an email file in /var/spool/mail, Susan’s password was obtained. With this password, it was discovered that ‘Susan’ had unrestricted sudo privileges, enabling direct escalation to root access.

Information Gathering on Office Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start

┌─[darknite@parrot]─[~/Documents/htb/perfection]
└──╼ $nmap -sC -sV 10.10.11.253 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2024-07-06 07:19 EDT
Nmap scan report for 10.10.11.253
Host is up (0.049s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 80:e4:79:e8:59:28:df:95:2d:ad:57:4a:46:04:ea:70 (ECDSA)
|_  256 e9:ea:0c:1d:86:13:ed:95:a9:d0:0b:c8:22:e4:cf:e9 (ED25519)
80/tcp open  http    nginx
|_http-title: Weighted Grade Calculator
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.90 seconds
┌─[darknite@parrot]─[~/Documents/htb/perfection]
└──╼ $

Let’s access the website interface

Nothing interesting that we can look into on the website interface

We also cannot get anything useful via Burpsuite

Therefore, let’s visit another page by clicking the button “Calculate your weighted grade”

From the response, it shows that we need a total off 100 on the weight’s percentage

Let’s enter all column to inspect via Burpsuite

The response will look something as shown above

Let’s create a file that contain the reverse shell command which it will use to retrieve the reverse shell connection back to us

Let’s start our python server on our attacker’s machine

We also need to start our listener

After doing some research, we should be able to call our file by typing the curl command on the burpsuite

We managed to transfer the file into the victim’s machine

Boom! We have successfully retrieved the reverse shell connection back to us.

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

At last, we managed to read the email that explain the password

After a while, we managed to find the hash for the Susan Miller

Finally, we managed to obtain the password for susan

It looks like there’s nothing special binary to execute here.

We have successfully accessed the root shell

We can read the root flag by typing the “cat root.txt” command