In this post, I would like to share a walkthrough of the Perfection machine from Hack The Box.
This machine is rated Easy on Hack The Box.
What will you gain from the Perfection machine?
For the user flag, you need to abuse a vulnerability in the "Weighted Grade Calculator" application on the web server. After several unsuccessful attempts with various payloads, a server-side template injection (SSTI) was exploited with Ruby payloads. This gave arbitrary code execution, first confirmed by reading /etc/passwd, and then a reverse shell as the user 'susan', whose home directory contained a database file with password hashes.
As for the root flag, hashcat was used to crack the hash for Susan's account; information from an email in /var/spool/mail narrowed the search, and Susan's password was recovered. With that password, it turned out that susan had unrestricted sudo privileges, allowing direct escalation to root.
Information Gathering on Perfection Machine
Once the VPN connection is up (the .ovpn file is downloaded from Hack The Box), we can start with an nmap scan.
┌─[darknite@parrot]─[~/Documents/htb/perfection]
└──╼ $nmap -sC -sV 10.10.11.253 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2024-07-06 07:19 EDT
Nmap scan report for 10.10.11.253
Host is up (0.049s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 80:e4:79:e8:59:28:df:95:2d:ad:57:4a:46:04:ea:70 (ECDSA)
|_ 256 e9:ea:0c:1d:86:13:ed:95:a9:d0:0b:c8:22:e4:cf:e9 (ED25519)
80/tcp open http nginx
|_http-title: Weighted Grade Calculator
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.90 seconds
┌─[darknite@parrot]─[~/Documents/htb/perfection]
└──╼ $
Let's access the website interface.
Nothing interesting can be found on the landing page.
We also cannot get anything useful out of Burp Suite at this point.
Therefore, let's visit the calculator page by clicking the "Calculate your weighted grade" button.
From the response, it shows that the weights must add up to a total of 100 percent.
Let's fill in every column and inspect the request in Burp Suite.
The response will look as shown above.
Let's create a file containing the reverse shell command; the victim machine will fetch and execute it to return a shell connection to us.
Let's start our Python web server on the attacker machine to host that file.
We also need to start our listener.
After some research, we can make the server fetch our file by injecting a template expression that runs a curl command into the request in Burp Suite.
We managed to transfer the file to the victim machine.
Boom! We have successfully received the reverse shell connection.
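To make the template-injection step concrete, here is an added Ruby example; it is not the machine's source code, which this post does not show. It puts a vulnerable ERB rendering pattern, where the user-controlled category name is spliced into the template text before it is compiled, next to a hardened version that keeps the template fixed and escapes the value. ERB is assumed as the engine because the working payloads were Ruby. The allow-list check at the end is also an assumption about the kind of filter that would explain why several payloads failed before one worked; it illustrates the Ruby-specific pitfall that `^` and `$` match at line boundaries, so a newline lets a payload slip past, while `\A` and `\z` anchor the whole string.

```ruby
require 'erb'

# Vulnerable pattern (assumed illustration, not the application's real code):
# the user-supplied category is interpolated into the *template source*, so any
# <%= ... %> it contains is compiled and executed as Ruby on the server.
def render_vulnerable(category, grade)
  template = "<p>#{category}: #{grade}</p>"
  ERB.new(template).result(binding)
end

# Hardened pattern: the template text is a constant; user data only ever enters
# as a variable and is HTML-escaped when rendered, so it can never become code.
SAFE_TEMPLATE = "<p><%= ERB::Util.html_escape(category) %>: <%= Integer(grade) %></p>"

def render_hardened(category, grade)
  ERB.new(SAFE_TEMPLATE).result_with_hash(category: category, grade: grade)
end

# Input allow-list (assumed). Note the anchors: in Ruby, ^ and $ match at line
# boundaries, so /^[a-zA-Z0-9 ]+$/ accepts "Math\n<%= ... %>" because the first
# line matches. \A and \z anchor to the start and end of the whole string.
def category_allowed_weak?(s)
  s.match?(/^[a-zA-Z0-9 ]+$/)
end

def category_allowed?(s)
  s.match?(/\A[a-zA-Z0-9 ]+\z/)
end

if __FILE__ == $PROGRAM_NAME
  payload = "<%= 6 * 7 %>"
  puts render_vulnerable(payload, 90)            # the template evaluates the payload
  puts render_hardened(payload, 90)              # the payload is rendered as inert text
  puts category_allowed_weak?("Math\n<%= 1 %>")  # true: weak filter bypassed by a newline
  puts category_allowed?("Math\n<%= 1 %>")       # false
end
```

In the vulnerable function, replacing `6 * 7` with a `system(...)` or backtick call is exactly the step from template evaluation to command execution that the walkthrough relies on; the hardened function never compiles user data, so the same string comes back as escaped text.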
We can read the user flag with the "cat user.txt" command.
Escalate to Root Privileges
First, we read the email in /var/spool/mail, which explains how the password is constructed.
After a while, we find the hash for Susan Miller in the database file in susan's home directory.
Finally, we crack the hash with hashcat and obtain susan's password.
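As an added example of the cracking step (not the post's own commands, and not the real hash or password format, which the post does not reproduce): the value of the mail in /var/spool/mail is that it constrains the candidate space, which is what a hashcat mask attack exploits. The Ruby below does the same thing in miniature for a constructed target made of a known prefix plus a fixed number of digits, hashed with SHA-256. The algorithm is an assumption here; the real one determines the hashcat `-m` mode.

```ruby
require 'digest'

# Constructed demo secret and hash; neither is from the machine.
DEMO_PREFIX   = "example_"
DEMO_DIGITS   = 5
DEMO_PASSWORD = "#{DEMO_PREFIX}04217"
DEMO_HASH     = Digest::SHA256.hexdigest(DEMO_PASSWORD)

# Size of the search space once the hint fixes everything but N digits.
def mask_keyspace(digits)
  10**digits
end

# Mask-style attack: enumerate prefix + zero-padded digits and compare hashes.
# Equivalent hashcat invocation for SHA-256 (mode 1400; change it for the real algorithm):
#   hashcat -a 3 -m 1400 hash.txt 'example_?d?d?d?d?d'
def mask_crack(target_hex, prefix, digits)
  target = target_hex.downcase
  (0...mask_keyspace(digits)).each do |n|
    candidate = "#{prefix}#{n.to_s.rjust(digits, '0')}"
    return candidate if Digest::SHA256.hexdigest(candidate) == target
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "keyspace: #{mask_keyspace(DEMO_DIGITS)} candidates"
  puts "recovered: #{mask_crack(DEMO_HASH, DEMO_PREFIX, DEMO_DIGITS).inspect}"
end
```

Five unknown digits give 100,000 candidates, which is instant for any hash function; without the hint, the same password length would have to be searched over a far larger character set, which is why reading the mail matters more than raw cracking speed here.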
There is no special binary to exploit here; instead, checking sudo with susan's password shows that she may run any command as root.
We have successfully obtained a root shell.
We can read the root flag with the "cat root.txt" command.