Perfection (Hack the Box) - Lecture Notes

Jul 23, 2024

Introduction

  • Presenter: Ipseg
  • Platform: Hack the Box
  • Challenge: Perfection
  • Main Topic: Hacking a web application for calculating weighted grades

Key Steps Overview

  1. Identify Vulnerability: Server-Side Template Injection (SSTI) or similar bypass
  2. Bypass Filter: Use a line break to get past the regular-expression character whitelist
  3. Get Shell Access: Exploit to execute code and gain access to the box
  4. Extract Password: Retrieve password hash from SQLite database
  5. Crack Password: Use Hashcat with custom rules for brute-forcing
  6. Privilege Escalation: Escalate privileges to root using the cracked password

Detailed Walkthrough

Initial Recon with Nmap

  • Command: nmap -sC -sV -vv -oA nmap/perfection 10.10.11.253 (default scripts, version detection, verbose output, all output formats written to nmap/perfection)
  • Open Ports:
    • Port 22: SSH (Ubuntu server banner)
    • Port 80: HTTP (Nginx, title: weighted grade calculator)

Exploring the Website

  • URL: http://10.10.11.253
  • Pages: Home (grade calculator), About Us (names but no login form)
  • Initial Test: Fill out grade form manually and intercept using Burp Suite

Bypassing Input Filters

  • Filter Mechanism: Whitelist implemented as a regex that allows only certain characters
  • Bypass: Include a newline character (a literal line break, or %0A when URL-encoded), which the regex check does not reject
  • SSTI Payload Testing: Use double brackets {} for payloads and test them through Burp Suite

Payload Exploit

  • Detect Vulnerability: Execute simple Ruby operation 7*7 within template
  • Command Execution: Use backticks and system calls, e.g., #{ls}
  • Reverse Shell Payload: Delivered as a base64-encoded command so that special characters do not trip the filter

Post-Exploit Enumeration

  • Upgrade Shell: Use Python pty module
  • Examine Files: main.rb for understanding the code and vulnerability
  • Main Discovery:
    • Uses ERB.new for templates, allowing code execution
    • Filter bypass through line breaks
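A constructed Ruby illustration of the two defects the notes describe, added here and not taken from the box's main.rb or the presenter's code: a whitelist regex anchored with ^ and $ (which in Ruby match at every line boundary, so a newline slips past it) and user input spliced into the template source given to ERB.new. Each sits beside its hardened form: \A/\z anchors, and a fixed template that receives the value as escaped data. The allowed character set and the template text are assumptions.

```ruby
require 'erb'

# Constructed whitelist patterns (assumption: the real main.rb is not reproduced here).
# In Ruby, ^ and $ match at the start/end of EVERY line, so a value such as
# "Susan\n<anything>" satisfies the weak pattern: "Susan" is a complete line.
WEAK_ALLOWED   = /^[a-zA-Z0-9 ]+$/
# \A and \z anchor to the start and end of the whole string, so a newline
# anywhere in the value makes the match fail.
STRICT_ALLOWED = /\A[a-zA-Z0-9 ]+\z/

def weak_valid?(value)
  WEAK_ALLOWED.match?(value)
end

def strict_valid?(value)
  STRICT_ALLOWED.match?(value)
end

# Unsafe rendering: the submitted value becomes part of the template SOURCE,
# so any ERB tag inside it is evaluated by ERB.new (the defect the notes describe).
def render_unsafe(name)
  ERB.new("<p>Hello #{name}</p>").result(binding)
end

# Safer rendering: the template source is fixed; the value is passed in as data
# and HTML-escaped on output, so template syntax in it is printed, not evaluated.
SAFE_TEMPLATE = ERB.new('<p>Hello <%= ERB::Util.html_escape(name) %></p>')

def render_safe(name)
  SAFE_TEMPLATE.result_with_hash(name: name)
end

# Defender's combination: strict validation first, then data-only rendering.
def render_submission(name)
  return nil unless strict_valid?(name)
  render_safe(name)
end

# Constructed sample input: a valid-looking name followed by a newline and the
# same harmless 7*7 probe the notes use for detection.
CONSTRUCTED_INPUT = "Susan\n<%= 7*7 %>"

if __FILE__ == $PROGRAM_NAME
  puts "weak accepts: #{weak_valid?(CONSTRUCTED_INPUT)}"      # true
  puts "strict accepts: #{strict_valid?(CONSTRUCTED_INPUT)}"  # false
  puts render_unsafe(CONSTRUCTED_INPUT)                       # the tag was evaluated
  puts render_submission(CONSTRUCTED_INPUT).inspect           # nil
end
```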

Password Hash Extraction

  • Database: SQLite database in 'pupil' file
  • Command: sqlite3 pupil 'select name, password from users'
  • Identify Hash: The hashes are SHA-256; extract the relevant ones for cracking

Brute-Forcing Password with Hashcat

  • Mail Hint: Password format (first name + reversed first name + integer)
  • Hashcat Command: hashcat -a 3 -m 1400 hashes/perfection 'susan_nasus_{integer}' (-a 3 is mask attack mode, -m 1400 is the SHA-256 hash type; {integer} stands for the digit mask)
  • Cracking Method: Direct brute-force vs. combinator attack mode
  • Efficiency:
    • Brute force: Faster due to less processing
    • Combinator attack: Slower and only uses one GPU

Gaining Root Access

  • Cracked Password: Use cracked password for sudo access
  • Command: sudo su to escalate privileges
  • Verify Root Access: Check with whoami

Conclusion

  • Summary: Successfully exploited the SSTI vulnerability, bypassed the filter, gained initial access, extracted and cracked the password, and escalated to root.
  • Key Learnings: Understanding SSTI, filter bypass techniques, password cracking with complex rules, and efficient use of Hashcat.
  • Tools Used: Nmap, Burp Suite, SQLite3, Hashcat

Final Thoughts

  • Effective use of enumeration and understanding of bypass techniques are crucial in exploiting vulnerabilities in web applications.

Additional Resources

  • Payload Examples: Refer to PayloadsAllTheThings and HackTricks for SSTI payloads
  • Hashcat Documentation: Official Hashcat documentation for attack modes and rule-based attacks