HackTheBox Writeup — Jewel

Hello Guys , I am Faisal Husaini. My username on HTB is “feodore” . Also join me on discord.

The IP of this box is

Port Scan

Running NMAP full port scan on it , we get

We have 3 Open Ports , Port 22 running SSH and Port 8000 and 8080 running Web service Apache and nginx respectively

Way To User

Checking the lower web port first, we see that it is a blog page and currently nothing much interesting here

Checking the other web port, we have a git repository of the Blog page

We can download the repo using the snapshot option and get the repository of the blog web and inside this repo we get the version of the Rails which is being used and checking on Google about it , it is known that it is vulnerable

We now use the exploit available to get a reverse shell

Running the ruby script gives us the payload which will be used in the blog website to exploit

We first have to register a user

Now login with the registered user

Now we intercept the request of the Profile page where we update the username

Now we put our payload in the user[username] parameter as its the vulnerable parameter

Now checking back the netcat listener, we have our reverse shell successful

We get user user flag in the user’s home directory

Way To Root

Running Linpeas script, we see that there is a file containing hashes in /var/backups/dump_2020–08–27.sql file

Checking the file, we have 2 hashes which we then move on cracking using hashcat

One of the hashes was cracked successfully which was the hash for user bill which we currently have shell as

Trying to run the sudo -l command and then putting the password, it prompts us for a verification code

Checking the home directory of the user bill, we see that there is a hidden file named google_authenticator which is a file generated from a tool named Google Authenticator which is a 2FA software

We have the secret key which can use on Google Authenticator app and get the verification code, for this I installed the app on my android phone and got the verification code

Now we can see that we can use /usr/bin/gem as sudo with the current user and taking reference from GTFOBins , we can get root


Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store