Hack The Box - Jewel Walkthrough without Metasploit
Last updated
Let's run our NmapAutomator script for a first recon:
We have three ports open: 22, 8000 and 8080. The first thing we do is add jewel.htb to /etc/hosts; then we take a look at the HTTP ports.
Port 22 is SSH (Secure Shell); we might be able to use it later to log in if we find a valid username together with its password or its RSA key.
8000 & 8080
We have two HTTP ports open: Apache on port 8000 and nginx on port 8080.
8000
According to our Nmap output there's a GitWeb instance on port 8000, so let's check that out first:
There's one project on GitWeb, BL0G!; let's inspect it a bit:
There are some files that might be useful, like Gemfile or bd.sql; if we click on them:
We can see that BL0G! is written in Ruby 2.5.5 with Rails 5.2.2.1.
We found two possible users, bill and jennifer, with their password hashes; let's use hashcat to try to crack them. First let's identify the kind of hash we are working with:
After an awful lot of time (for a CTF) we stopped hashcat since we couldn't crack any password. We also tried with John:
We did not have much luck cracking those passwords with either John or hashcat, so let's focus on the next port.
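Identifying the hash format before cracking (or, on the defensive side, spotting weak unsalted schemes in a credential dump) comes down to recognising the hash's shape. The following Ruby script is an added example, not code from the walkthrough or from BL0G!: it matches common formats by prefix, alphabet and length and maps each to its hashcat `-m` mode. The `$id$` crypt-style formats are unambiguous; bare hex digests are only a best guess by length (a 32-hex string could be MD5 or NTLM, a 40-hex string SHA-1 or RIPEMD-160). The sample dump below is constructed: the hex digests are computed here and the crypt-style bodies are filler of the right length, not bd.sql's hashes.

```ruby
require 'digest'

# Added example (not from the walkthrough): identify the format of a stored
# password hash from its shape, so the matching hashcat mode can be chosen
# (or so weak, unsalted schemes stand out in a defensive audit).

HASH_FORMATS = [
  # name, hashcat -m mode, pattern the whole hash must match
  ['bcrypt',      3200, /\A\$2[abxy]\$\d{2}\$[.\/A-Za-z0-9]{53}\z/],
  ['sha512crypt', 1800, /\A\$6\$(rounds=\d+\$)?[^$]{1,16}\$[.\/A-Za-z0-9]{86}\z/],
  ['sha256crypt', 7400, /\A\$5\$(rounds=\d+\$)?[^$]{1,16}\$[.\/A-Za-z0-9]{43}\z/],
  ['md5crypt',     500, /\A\$1\$[^$]{1,8}\$[.\/A-Za-z0-9]{22}\z/],
  ['SHA-256 hex', 1400, /\A\h{64}\z/],   # length-only guess: could be another 256-bit digest
  ['SHA-1 hex',    100, /\A\h{40}\z/],   # length-only guess: could also be RIPEMD-160
  ['MD5 hex',        0, /\A\h{32}\z/],   # length-only guess: could also be NTLM, LM, etc.
].freeze

# Return { name:, hashcat_mode: } for the first matching format, or nil.
def identify_hash(hash)
  entry = HASH_FORMATS.find { |_name, _mode, pattern| hash.match?(pattern) }
  return nil unless entry
  { name: entry[0], hashcat_mode: entry[1] }
end

# Parse "user:hash" lines (the shape of a dumped credentials table) and
# annotate each with its identified format; unknown shapes are kept and flagged.
def classify_dump(lines)
  lines.map do |line|
    user, hash = line.strip.split(':', 2)
    info = identify_hash(hash.to_s) || { name: 'unknown', hashcat_mode: nil }
    { user: user, hash: hash }.merge(info)
  end
end

# Filler of the crypt alphabet, used only to build samples of the right length.
def filler(length)
  chars = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['.', '/']
  chars.cycle.first(length).join
end

# Constructed sample dump: hex digests are computed here, the crypt-style
# bodies are filler; none of these are real hashes of any password.
SAMPLE_DUMP = [
  "alice:$2a$12$#{filler(53)}",
  "bob:$6$rounds=5000$salt1234$#{filler(86)}",
  "legacy:#{Digest::MD5.hexdigest('constructed')}",
  'unknown:not-a-hash',
].freeze

if __FILE__ == $PROGRAM_NAME
  classify_dump(SAMPLE_DUMP).each { |row| puts "#{row[:user]}: #{row[:name]} (-m #{row[:hashcat_mode].inspect})" }
end
```

For the hex formats the mode is only a starting point; if a run with one mode yields nothing, the same digest length has several other candidates. A bcrypt result with a high cost factor is also the practical explanation for the slow cracking the walkthrough describes: the scheme is designed so that each guess is expensive.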
8080
We start by running Gobuster on this port:
This is where the blog from the GitWeb repository is hosted:
We can try to sign up and see if we can do something:
We were able to register on the blog:
Now we log in with our new evil user:
We can edit our username; maybe we can leverage that:
So far we know the blog is built with Ruby 2.5.5 on Rails 5.2.2.1, and that we can create a user and modify its username. Some Google searches turned up this CVE: CVE-2020-8165.
It allows an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore, potentially resulting in RCE. In other words, if we can modify our username, we can potentially get RCE.
Looking a bit more into that CVE, we found a GitHub repository that exploits it:
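The quickest way to confirm whether a Rails app is exposed to this CVE is to check the locked Rails version against the versions the Rails advisory fixed it in, 5.2.4.3 and 6.0.3.1. The following Ruby script is an added example, not code from the walkthrough, the exploit repository or BL0G!: it reads the `rails (x.y.z)` entry out of a Gemfile.lock and reports whether that version is inside the affected ranges. The lock file fragment is constructed and only carries the version the walkthrough found (5.2.2.1); it is not the project's real Gemfile.lock.

```ruby
# Added example (not from the walkthrough or the BL0G! project): decide from a
# Gemfile.lock whether the locked Rails version is still affected by
# CVE-2020-8165. The Rails advisory fixed the issue in 5.2.4.3 and 6.0.3.1.

# Constructed Gemfile.lock fragment carrying the version the walkthrough found
# (5.2.2.1); it is not the project's real lock file.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (5.2.2.1)
        actioncable (= 5.2.2.1)
      sqlite3 (1.4.2)
LOCK

# Return the version string locked for gem_name, or nil if it is absent.
# Top-level entries in the specs: block are indented by exactly four spaces;
# dependency lines (six spaces) are deliberately not matched.
def locked_gem_version(lock_text, gem_name)
  match = lock_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)$/)
  match && match[1]
end

# True when the version falls inside the affected ranges published for
# CVE-2020-8165: anything below 5.2.4.3, and 6.0.x below 6.0.3.1.
# Gem::Version handles four-part versions such as 5.2.2.1 correctly.
def affected_by_cve_2020_8165?(version_string)
  version = Gem::Version.new(version_string)
  if version < Gem::Version.new('6.0')
    version < Gem::Version.new('5.2.4.3')
  else
    version < Gem::Version.new('6.0.3.1')
  end
end

# Audit a lock file and return a small report hash for the rails gem.
def audit_lock(lock_text)
  version = locked_gem_version(lock_text, 'rails')
  return { gem: 'rails', version: nil, vulnerable: false, note: 'rails not locked' } if version.nil?

  { gem: 'rails', version: version, vulnerable: affected_by_cve_2020_8165?(version) }
end

if __FILE__ == $PROGRAM_NAME
  p audit_lock(SAMPLE_LOCK)
end
```

The version check is the detection; the fix is the upgrade. The path the advisory describes is a value written to the cache with `raw: true` being re-read and unmarshalled, so an application that cannot upgrade immediately should at least not cache untrusted strings such as a user-editable username in raw mode.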
We follow the instructions to install it:
In case you run into trouble like this:
We can fix it by editing the Gemfile from:
To:
We might also have some problems with sqlite3:
In that case we just need to install it:
And once installed, run:
Once that is installed, we should be able to run it again:
On one console we run:
And on another console:
Now our payload is ready; we can intercept the user update POST request with Burp and send the payload:
Send it to Repeater, replace the username with our payload, and click Send:
Now we disable Burp's intercept and browse to http://jewel.htb:8080/articles; we should have a shell on our netcat listener:
With the user flag grabbed, it's time for some internal enumeration. Looking through the files, we found something interesting in /var/backups:
If we cat that file, we see two new hashes, again for jennifer and bill. They are different from the earlier ones, so let's try to crack them:
This time it cracked really fast:
Now if we try sudo -l we get an error:
We need a verification code; if we enumerate bill's home folder we see a hint about it:
For this part there is a browser extension, but I prefer the Google Authenticator app from the Android marketplace.
If we cat that file:
We configure our App and try sudo -l again:
And it failed, although I had it configured correctly. Google Authenticator codes depend on the date and time: if we look at the machine's date, it is off from our current date by more than one hour (this might not be your case). Also, if you're in a different time zone than the box, you need to change your phone's date in order to get the correct code. We do so and try again. We can also use the Authenticator plugin for Firefox:
We change our time zone with timedatectl if it's not the same as the box's (remember to change it back later):
And we also set the date to the same time as the box (which is a bit off):
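Why the code is rejected when the two clocks disagree becomes obvious from how the code is derived. The Ruby script below is an added example, not code from the walkthrough or the box: it implements RFC 6238 TOTP on top of RFC 4226 HOTP, which is the scheme Google Authenticator and the Firefox Authenticator plugin use, and runs it with the RFC's published test secret (base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`), not bill's real secret. TOTP is computed from Unix epoch seconds, so what the phone and the box must agree on is the absolute time, to within the 30-second step plus whatever window the verifier allows (typically one step either side); a clock that is an hour off lands on a counter far outside that window and every code it produces fails.

```ruby
require 'openssl'

# Added example (not from the walkthrough): RFC 6238 TOTP over RFC 4226 HOTP,
# to show why a clock skew larger than the step plus the verifier's window
# makes authenticator codes fail.

BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze

# Decode an RFC 4648 base32 secret (the form authenticator apps display).
def base32_decode(encoded)
  bits = encoded.upcase.delete('= ').each_char.map do |c|
    idx = BASE32_ALPHABET.index(c)
    raise ArgumentError, "invalid base32 character #{c.inspect}" unless idx
    idx.to_s(2).rjust(5, '0')
  end.join
  bits.scan(/.{8}/).map { |byte| byte.to_i(2) }.pack('C*')
end

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
# truncation to 31 bits, then the last `digits` decimal digits.
def hotp(secret, counter, digits: 6)
  mac = OpenSSL::HMAC.digest('SHA1', secret, [counter].pack('Q>')).bytes
  offset = mac[19] & 0x0f
  code = ((mac[offset] & 0x7f) << 24) |
         (mac[offset + 1] << 16) |
         (mac[offset + 2] << 8) |
         mac[offset + 3]
  format("%0#{digits}d", code % (10**digits))
end

# TOTP (RFC 6238): the counter is the number of whole steps since the epoch.
def totp(secret, unix_time, step: 30, digits: 6)
  hotp(secret, unix_time / step, digits: digits)
end

# Verifier side: accept the code for the current step and +/- window steps.
# Widening the window tolerates more drift but also extends code lifetime.
def totp_valid?(secret, code, unix_time, step: 30, digits: 6, window: 1)
  counter = unix_time / step
  (-window..window).any? { |delta| hotp(secret, counter + delta, digits: digits) == code }
end

# Constructed demo secret: the RFC 6238 reference key "12345678901234567890".
DEMO_SECRET = base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ')

# Generate a code on a phone whose clock reads phone_time and check it
# against a box whose clock reads box_time.
def clock_skew_report(secret, box_time, phone_time)
  code = totp(secret, phone_time)
  { phone_code: code, box_accepts: totp_valid?(secret, code, box_time),
    skew_seconds: phone_time - box_time }
end

if __FILE__ == $PROGRAM_NAME
  box_now = Time.now.to_i
  p clock_skew_report(DEMO_SECRET, box_now, box_now)        # clocks in sync
  p clock_skew_report(DEMO_SECRET, box_now, box_now + 3600) # phone an hour ahead
end
```

With the phone one hour ahead the generated code belongs to a counter 120 steps away from the box's, so `box_accepts` is false regardless of the time zone either side is configured for; the walkthrough's fix of matching the phone's clock to the box's clock is exactly what brings the counters back into the window. A production verifier would additionally compare codes in constant time and remember the last accepted counter to block replay within the window.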
If we run sudo -l now:
We can run /usr/bin/gem with sudo; if we look it up on GTFOBins: