4. Perfection

4.1. Machine Info

image-20240303061703885

<<<<<<< HEAD

4.2. Recon

4.2.1. port

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 80:e4:79:e8:59:28:df:95:2d:ad:57:4a:46:04:ea:70 (ECDSA)
|_  256 e9:ea:0c:1d:86:13:ed:95:a9:d0:0b:c8:22:e4:cf:e9 (ED25519)
80/tcp open  http    nginx
|_http-title: Weighted Grade Calculator
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 - 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

path: nothing

subdomain: nothing

4.2.2. web

  • env: Ruby, WEBrick

  • function: web calculator

image-20240303061942615

The input has some restrictions:

image-20240303062116511

4.3. Foothold

=======

38e3e6a ([+] Add season4 machine info.)

Notice: the full version of write-up is here.

4.4. Exploit Chain

port scan -> ruby web calculator -> ssti poc -> ssti rce -> susan priv -> sqlit db with hashes & mail dir with password rule -> hashcat to crack -> root