Hackthebox - Jewel

Summary

Jewel, a Linux box created by HackTheBox user polarbearer, was an overall medium difficulty box. The initial foothold came from analysing the code and finding a matching CVE (CVE-2020-8165, Rails deserialization to RCE); using that we can get a shell (this was the hardest part of the box). After getting the shell we need to find a database dump which contains some hashes; cracking one of them gives us the password for user bill. Running sudo -l requires a verification code, which we can generate from the .google_authenticator file in the user's home directory. With that we see that we can run gem; checking GTFOBins and using that, we can get root.

Enumeration

nmap

# Nmap 7.80 scan initiated Sun Oct 11 12:35:51 2020 as: nmap -Pn -sC -sV -oN nmap/jewel 10.10.10.211
Nmap scan report for 10.10.10.211
Host is up (0.084s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
| 256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
|_ 256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
8000/tcp open http Apache httpd 2.4.38
|_http-generator: gitweb/2.20.1 git/2.20.1
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: 10.10.10.211 Git
|_Requested resource was http://10.10.10.211:8000/gitweb/
8080/tcp open http nginx 1.14.2 (Phusion Passenger 6.0.6)
|_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
|_http-title: BL0G!
Service Info: Host: jewel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 11 12:36:18 2020 -- 1 IP address (1 host up) scanned in 27.32 seconds

Web 8000

Manually enumerating, I got two hashes.

Trying to crack the hashes was not successful, so I stopped looking at this.

Web 8080

Looking around the code we don't see much of interest.

Googling around we stumble upon CVE-2020-8165, and comparing the code with the CVE description we find that users_controller.rb matches.

So now we know we need to send the payload in the username field.
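An added example (my own, not code from the writeup or from the box): a tiny in-memory cache that mimics the raw: true semantics behind CVE-2020-8165, with the vulnerable read beside a hardened one. TinyCache, Canary and the roundtrip helpers are hypothetical names; Canary is a harmless marker class, not a gadget.

```ruby
# Minimal stand-in for Rails.cache: raw: true stores bytes verbatim, and a
# non-raw read hands whatever is stored to Marshal.load (CVE-2020-8165 shape).
class TinyCache
  def initialize
    @store = {}
  end

  def write(key, value, raw: false)
    @store[key] = raw ? value.to_s : Marshal.dump(value)
  end

  # Like ActiveSupport's deserialize_entry: try Marshal first, fall back to
  # the plain string. Any marshalled object in the bytes gets instantiated.
  def read(key, raw: false)
    data = @store[key]
    return nil if data.nil?
    raw ? data : (Marshal.load(data) rescue data)
  end
end

# Harmless marker class standing in for "an object the app never meant to
# build"; Marshal.load calls marshal_load on it, no gadget involved.
class Canary
  attr_reader :hit
  def marshal_dump; []; end
  def marshal_load(_); @hit = true; end
end

# Vulnerable shape from the writeup: user-controlled string written raw,
# then read back without raw, so the bytes reach Marshal.load.
def vulnerable_roundtrip(cache, username)
  cache.write('username', username, raw: true)
  cache.read('username')
end

# Hardened shape: read with the same raw flag as the write (no Marshal.load
# on user data) and enforce the expected type before use.
def hardened_roundtrip(cache, username)
  cache.write('username', username, raw: true)
  value = cache.read('username', raw: true)
  raise TypeError, 'username must be a String' unless value.is_a?(String)
  value
end

if __FILE__ == $PROGRAM_NAME
  crafted = Marshal.dump(Canary.new)  # constructed input, not a real payload
  puts vulnerable_roundtrip(TinyCache.new, crafted).class  # Canary
  puts hardened_roundtrip(TinyCache.new, crafted).class    # String
end
```

The same mismatch (raw write, non-raw read) is what the Rails patch closes; auditing for `raw: true` writes of request parameters finds this class of bug before an attacker does.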

So I generate the payload as

And staged the payload by

We then trigger the payload by opening the website once more.

We need to be logged in for this; we can create a new user and do that.

I even wrote a script to get the shell: get-user.py

User (bill)

And with that we can get a shell as bill.

Running linpeas we find a really interesting file: /var/backups/dump_2020-08-27.sql

Checking that we find two new hashes; we can crack bill's with john, and we get the password spongebob.

bill:spongebob

Let's try to run sudo -l with that.

It asks for a verification code. We know that the TOTP secret is stored in the .google_authenticator file.

Using that with gen-totp

we can get a token and run sudo -l again.

We see that we can run gem; with this information we can use GTFOBins to get a shell as root.

and we have pwned Jewel 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/jewel/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.