Jewel, a Linux box created by HackTheBox user polarbearer, was an overall medium-difficulty box. The initial foothold was analysing the code and finding a CVE for it (Rails deserialization to RCE); using that we can get a shell (this was the hardest part of the box). After having the shell we need to find a database dump which contains some hashes; cracking those we get the password for the user. Running sudo -l reveals that we need a verification code. We can use the .google_authenticator file in the user's home directory to generate the code, and with that we see that we can run gem; checking GTFOBins and using that, we can get root.
# Nmap 7.80 scan initiated Sun Oct 11 12:35:51 2020 as: nmap -Pn -sC -sV -oN nmap/jewel 10.10.10.211
Manually enumerating, I got two hashes.
Trying to crack the hashes was not successful, so I stopped looking at this.
Looking around the code, we don't see much of interest.
Googling around, we stumble upon CVE-2020-8165, and comparing the code we see it in users_controller.rb.
So now we know we need to send the payload on
so I generate the payload as
and stage the payload by
and we trigger the payload by opening the website once more.
We need to be logged in for this; we can create a new user and do that.
I even wrote a script, get-user.py, to get the shell.
And with that we can get a shell as bill.
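The root cause behind CVE-2020-8165 is a cache store handing bytes it did not produce to Marshal.load, which rebuilds an instance of whatever class the stream names. The following Ruby snippet is an added example written for this writeup, not code from the box or from Rails: SessionToken, unsafe_cache_read and safe_cache_read are illustrative names, and the cache values are constructed inline. It contrasts the unmarshalling pattern with a reader that refuses Marshal streams and only accepts JSON, which can never yield anything but plain data types.

```ruby
require 'json'

# Marshal stream header (format major 4, minor 8) emitted by every modern Ruby.
MARSHAL_MAGIC = "\x04\x08".b.freeze

# Any class loaded in the application. Marshal.load will rebuild instances of
# it from bytes the application never wrote, with attacker-chosen state.
class SessionToken
  attr_reader :user, :role

  def initialize(user, role)
    @user = user
    @role = role
  end
end

# The vulnerable pattern: a cache entry that was written raw is later
# Marshal.load-ed on read. Whoever controls the stored bytes controls the
# class and state of the object that comes back.
def unsafe_cache_read(blob)
  Marshal.load(blob)
end

# Hardened reader: reject Marshal streams outright, then parse JSON, which
# yields only strings, numbers, booleans, nil, arrays and hashes.
def safe_cache_read(blob)
  if blob.b.start_with?(MARSHAL_MAGIC)
    raise ArgumentError, 'refusing to unmarshal cache value'
  end
  JSON.parse(blob)
end

# Constructed sample values standing in for what a store might contain.
def marshal_sample
  Marshal.dump(SessionToken.new('bill', 'admin'))
end

def json_sample
  JSON.generate({ 'user' => 'bill', 'role' => 'member' })
end

if __FILE__ == $PROGRAM_NAME
  obj = unsafe_cache_read(marshal_sample)
  puts "unsafe read rebuilt #{obj.class} with role=#{obj.role}"
  puts "safe read returned #{safe_cache_read(json_sample).inspect}"
  begin
    safe_cache_read(marshal_sample)
  rescue ArgumentError => e
    puts "safe read: #{e.message}"
  end
end
```

The refusal check is deliberately explicit rather than relying on JSON.parse to choke on the binary: a clear error on a Marshal header is something you can alert on, whereas a generic parse failure is easy to swallow.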
Running linpeas, we find a really interesting file:
Checking that, we find two new hashes, which we can crack with
john, and we get the password as
Let's try to run
sudo -l with that.
We know that it is stored in the
.google_authenticator file, which contains the secret.
Using that on gen-totp
we can get a token and run
sudo -l again.
We see that we can run
gem; with this information we can use GTFOBins to get a shell as root.
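The sudo step shows why the second factor did not help here: the TOTP secret sat in the home directory of the very account it was supposed to protect, so anyone holding that account could mint their own token. The audit below is an added example for this writeup, not part of the original or of pam_google_authenticator; audit_totp_secret is an illustrative name and the temporary file in the demo is constructed. It reports the conditions under which a stored MFA secret gives no protection: loose permissions, and ownership by the protected user at all.

```ruby
require 'tempfile'

# Inspect a pam_google_authenticator-style secret file and return a list of
# findings (empty when nothing is wrong). protected_uid is the uid of the
# account whose sudo/login the secret is meant to guard.
def audit_totp_secret(path, protected_uid: nil)
  return ['missing'] unless File.exist?(path)

  st = File.stat(path)
  mode = st.mode & 0o777
  findings = []
  findings << 'group-readable'      if mode & 0o040 != 0
  findings << 'world-readable'      if mode & 0o004 != 0
  findings << 'writable-by-others'  if mode & 0o022 != 0
  # Even a 0600 file is useless as a second factor if its owner is the
  # account being protected: compromising the account yields the secret.
  if protected_uid && st.uid == protected_uid
    findings << 'owned-by-protected-user'
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Demo on a constructed file that mimics the default ~/.google_authenticator layout.
  tf = Tempfile.new('google_authenticator')
  File.chmod(0o600, tf.path)
  puts "default layout: #{audit_totp_secret(tf.path, protected_uid: Process.uid).inspect}"
  File.chmod(0o644, tf.path)
  puts "loose perms:    #{audit_totp_secret(tf.path).inspect}"
  tf.close!
end
```

The fix for the ownership finding is to keep secrets outside the user's reach; pam_google_authenticator's secret= and user= options let the module read them from a root-owned location instead of the user's home directory, so a compromised shell cannot read the seed it needs.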
and we have pwned