Open in app

Sign in

Write

Sign in

HackTheBox Writeup — Jewel

Faisal Husaini
4 min readFeb 13, 2021

Hello Guys , I am Faisal Husaini. My username on HTB is “feodore” . Also join me on discord.

The IP of this box is 10.10.10.211

Port Scan

Running NMAP full port scan on it , we get

We have 3 Open Ports , Port 22 running SSH and Port 8000 and 8080 running Web service Apache and nginx respectively

Way To User

Checking the lower web port first, we see that it is a blog page and currently nothing much interesting here

Checking the other web port, we have a git repository of the Blog page

We can download the repo using the snapshot option and get the repository of the blog web and inside this repo we get the version of the Rails which is being used and checking on Google about it , it is known that it is vulnerable

We now use the exploit available to get a reverse shell

Running the ruby script gives us the payload which will be used in the blog website to exploit

We first have to register a user

Now login with the registered user

Now we intercept the request of the Profile page where we update the username

Now we put our payload in the user[username] parameter as its the vulnerable parameter

Now checking back the netcat listener, we have our reverse shell successful

We get user user flag in the user’s home directory

Way To Root

Running Linpeas script, we see that there is a file containing hashes in /var/backups/dump_2020–08–27.sql file

Checking the file, we have 2 hashes which we then move on cracking using hashcat

One of the hashes was cracked successfully which was the hash for user bill which we currently have shell as

Trying to run the sudo -l command and then putting the password, it prompts us for a verification code

Checking the home directory of the user bill, we see that there is a hidden file named google_authenticator which is a file generated from a tool named Google Authenticator which is a 2FA software

We have the secret key which can use on Google Authenticator app and get the verification code, for this I installed the app on my android phone and got the verification code

Now we can see that we can use /usr/bin/gem as sudo with the current user and taking reference from GTFOBins , we can get root

References

gem | GTFOBins

It can be used to break out from restricted environments by spawning an interactive system shell. This requires the…

gtfobins.github.io

Hackthebox
Ctf
Hacking
Penetration Testing
Infosec

--

--

Faisal Husaini

Written by Faisal Husaini

711 Followers

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams