Open in app

Sign in

Write

Sign in

HackTheBox | Perfection Walkthrough

Abdulrhman
3 min readJun 10, 2024

Hello Friends, back again with a new HTB machine walkthrough.

Hope you are doing well ❤️

let’s get started with enumeration.

Enumeration

Nmap Scan

nmap -T4 -v -p- -sCV <target_ip>

By running this command, as usual we got two open ports: port 22 running a SSH, port 80 running HTTP.

Web Enumeration

Web Interface

Doing some manual enumeration, we got some useful informations that can help when we move forward.

Interesting Information

The application is powered by WEBrick 1.7.0.

By navigating to About Us page, I was able to get two users Tina Smith and Susan Miller.

About Us page

Let’s move forward and got to Calculate your weighted grade page.

Calculate your weighted grade page

As I know, this type of features may be using Templates. So here I googled What template does WEBrick 1.7.0 use and as I expected it use Ruby ERB template.

So let’s try to inject some Ruby ERB SSTI payloads.

Note: The weight parameters must have the sum of 100, this is a little bit noisy

Trying some SSTI payloads in any one of category parameters, this one worked with me after try and error.

%0A<%= system("command") %>

You should URL-Encode the payload to prevent errors and bypass any limitation

Test SSTI Payloads

So let’s get a Shell on the box

RCE on the Box

Lateral Movement

Enumeration

By doing some basic enumeration, I found an interesting directory in the home directory.

Found Interesting Directory

So let’s get the dump the database file.

Found Susan hash

We get the other user’s hash, let’s crack it and move forward.

Here, The hash was uncrackable so let’s do more further enumeration to collect more information that may help.

After some time of manual enumeration, I found an interesting mail.

Interesting mail

We got a hint about how the password may look like.

So let’s bruteforce it.

hashcat -m 1400 <found_hash> -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d
Bruteforcing
We get the password

After we got the password, Let’s login with susan or we can now ssh into the box.

Privilege Escalation

By running sudo -l as a basic enumeration, I got shocked. we find out susan is able to act as root.

root

Conclusion

This was great fun!

I hope you enjoyed the walkthrough. I waiting for your feedbacks.

Don’t forget to check other walkthroughs.

Sign up to discover human stories that deepen your understanding of the world.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Cybersecurity
Htb
Hackthebox
Hacking
Ctf

Abdulrhman
Abdulrhman

Written by Abdulrhman

10 Followers
47 Following

No responses yet

Write a response

What are your thoughts?

More from Abdulrhman

See all from Abdulrhman

Recommended from Medium

Lists

Spell AI Automation
An image by the author.
iPhone displaying the new intelligent Siri

Tech & Tools

23 stories409 saves

Medium's Huge List of Publications Accepting Submissions

414 stories4678 saves

Staff picks

826 stories1649 saves
Robot hand touching human hand

Natural Language Processing

1977 stories1619 saves
See more recommendations

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams