HackTheBox Writeup — Jewel

Hello Guys , I am Faisal Husaini. My username on HTB is “feodore” . Also join me on discord.

The IP of this box is 10.10.10.211

Port Scan

We have 3 Open Ports , Port 22 running SSH and Port 8000 and 8080 running Web service Apache and nginx respectively

Way To User

Checking the other web port, we have a git repository of the Blog page

We can download the repo using the snapshot option and get the repository of the blog web and inside this repo we get the version of the Rails which is being used and checking on Google about it , it is known that it is vulnerable

We now use the exploit available to get a reverse shell

Running the ruby script gives us the payload which will be used in the blog website to exploit

We first have to register a user

Now login with the registered user

Now we intercept the request of the Profile page where we update the username

Now we put our payload in the user[username] parameter as its the vulnerable parameter

Now checking back the netcat listener, we have our reverse shell successful

We get user user flag in the user’s home directory

Way To Root

Checking the file, we have 2 hashes which we then move on cracking using hashcat

One of the hashes was cracked successfully which was the hash for user bill which we currently have shell as

Trying to run the sudo -l command and then putting the password, it prompts us for a verification code

Checking the home directory of the user bill, we see that there is a hidden file named google_authenticator which is a file generated from a tool named Google Authenticator which is a 2FA software

We have the secret key which can use on Google Authenticator app and get the verification code, for this I installed the app on my android phone and got the verification code

Now we can see that we can use /usr/bin/gem as sudo with the current user and taking reference from GTFOBins , we can get root

References

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover