Jewel Walkthrough

Hey Everyone! Today we have one of HackTheBox machines, โ€œJewelโ€. Itโ€™s a medium machine and depends on CVE for the exploitation process, before we get started letโ€™s see its info

Enumeration

At The first step, we will try to enumerate the box to collect information like:

  • Open ports

  • Hidden directories, parameter discovery, leaked secrets, etc. โ€œIf we have websiteโ€

  • Security modes for all servers and ports

So, we will start with Nmap

nmap -A -T4 10.10.10.211

We have 3 open ports 22/8000/8080

It seems that we have 2 websites working on these 2 ports 8000/8080 so letโ€™s check them

http://10.10.10.211:8080

We have a webpage with http-title Bl0G . Letโ€™s check the second one

http://10.10.10.211:8000

It redirects us to http://10.10.10.211:8000/gitweb and after searching about whatโ€™s gitweb Iโ€™ve found this result

I know that Iโ€™ve access to read or write to the Bl0G repos, so letโ€™s check the files, to try to find any secrets or any other information.

After spending a little time searching for any juicy file name database/login/users or any other keyword, Iโ€™ve found these results

And for filesโ€ฆ

I know that the Bl0G the website works on the rails framework, and also I've sql file, after checking it...

Iโ€™ve 2 usernames and 2 hashes, Iโ€™ve tried to crack them using hashcat but it fails, so I think itโ€™s a rabbit hole :(

But all, letโ€™s save them into any file and continue our enumeration.

After searching for a rails version, Iโ€™ve found that it works on rails 5.2.2.1

After searching for RCE CVEโ€™s for this version, Iโ€™ve found CVE 2020โ€“8165

Okay, letโ€™s try to exploit itโ€ฆ

Server Foothold & User Flag

After searching for any public exploit

Exploit details

Deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.

How to exploit manually?

  1. Generate a payload from this repo

  2. Use this payload to change your username

  3. Refresh the /articles page to show your payload name

For the first one, Iโ€™ve problems with ruby the version which requires a specific version to run the exploit, to save my time Iโ€™ve used the second one which is written in python for this machine, and will exploit it also

After checking the exploit code to know how it works, here are the exploit arguments

python3 rev.py 10.10.xx.xx port

After trying to execute it, I faced a problem with a hex character, so I added a line to encode it

Letโ€™s run it and listen on our port using netcat

It works and we get the user flag.

Root Flag

For now, I need to enumerate this box to find any important info which led me the root account so instead of searching and enumerating the box manually cmd by cmd, I used LinPEAS automation tool which helps you find sensitive info and enumerate the server

After using it Iโ€™ve found these hashes

And after enumerating the backup file in /var/backups/dump_2020_08_27.sql Iโ€™ve found also another hash. For now, Iโ€™ve 3 hashed and 2 from the enumeration step at the first

Letโ€™s try to break them all using hashcat or john

As you can see john cracked one of them, and we have a password spongebob

Iโ€™ve tried to use this password for the root account, but it fails.

Letโ€™s check our home directory

We have a google_authenticator code seems interesting

Iโ€™ve tried to check my privileges by typing sudo -l but it requires a password which is spongebob and the Google authenticator verification code

So, Iโ€™ve used Google authenticator online service to generate the verification code as you can see

And type sudo -l and inserting the password and the code

Note: Your machine timezone MUST be the same with the server timezone โ€œThis is the mechanism which google authenticator worksโ€

If the timezones isnโ€™t the same, the code will expire for the server but it still active for your machine, hereโ€™s the point !!

After trying to know our privileges by sudo -l

Iโ€™ve permission to execute /usr/bin/gem as a root without requiring a password

After searching for how to escape from gem Iโ€™ve found this resource

You have 3 ways to open a shell from gem, you can use anyone of them.

Iโ€™ve used the first one and opens a root shell

Stay in touch

LinkedIn | GitHub | Twitter

Last updated