Perfection HTB
by kpax

We find that using bad characters gives us a warning about malicious characters. Adding an encoded newline (%0A) lets us put any characters we want after it.
We try the Ruby payloads from PayloadsAllTheThings and find that <%25= 7 * 7 %25> gives us an output of 49 (%25 is the URL-encoded %).
We can get code execution by using backticks:
<%= `ls /` %>
From this we can get a shell.
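As an added example (not code from this writeup or from the Perfection application), here is a Ruby input check of the kind the newline trick defeats, next to a fixed version; it assumes the app filtered input with a regex anchored by ^ and $, which in Ruby match at line boundaries rather than string boundaries.

```ruby
require 'uri'

# Weak check: ^ and $ only guarantee that *some line* of the value is clean.
# "Alice\n<%= ... %>" passes because the first line is all letters.
def weak_clean?(value)
  !!(value =~ /^[a-zA-Z ]+$/)
end

# Fixed check: \A and \z anchor to the start and end of the whole string,
# so a newline followed by template syntax no longer slips through.
def strict_clean?(value)
  !!(value =~ /\A[a-zA-Z ]+\z/)
end

# The parameter as the app sees it after URL decoding ("%0A" becomes "\n").
def decode_param(raw)
  URI.decode_www_form_component(raw)
end

# Constructed sample inputs (assumption: this is not the target's real data).
PLAIN    = "Alice"
SMUGGLED = decode_param("Alice%0A%3C%25%3D+7+*+7+%25%3E")  # "Alice\n<%= 7 * 7 %>"

if __FILE__ == $0
  [PLAIN, SMUGGLED].each do |v|
    puts "#{v.inspect}: weak=#{weak_clean?(v)} strict=#{strict_clean?(v)}"
  end
end
```

The weak regex accepts the smuggled value while the string-anchored one rejects it, which is the check a code review of a Ruby/ERB app should look for.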
There is an SQLite database in susan's home directory called pupilpath_credentials.db.
Dumping it with sqlite3 gives us some hashes that don't crack with rockyou.
There is an email in susan's mail that reads:
Due to our transition to Jupiter Grades because of the PupilPath data breach, I thought we should also migrate our credentials ('our' including the other students
in our class) to the new platform. I also suggest a new password specification, to make things easier for everyone. The password format is:
{firstname}_{firstname backwards}_{randomly generated integer between 1 and 1,000,000,000}
Note that all letters of the first name should be converted into lowercase.
Please hit me with updates on the migration when you can. I am currently registering our university with the platform.
- Tina, your delightful student
This tells us that susan's password may well be susan_nasus_dddddddd (where each d is a digit).
We can use hashcat to brute force this:
.\hashcat.exe -m 1400 -a3 .\hashes\perfection.txt --increment susan_nasus_?d?d?d?d?d?d?d?d?d?d
Susan is a member of the sudo group, so we can just run sudo -i and enter the password to get root.