HackTheBox Writeup — Jewel
Hello guys, I am Faisal Husaini. My username on HTB is "feodore". Also join me on Discord.
The IP of this box is 10.10.10.211.
Port Scan
Running an NMAP full port scan on it, we get:
We have 3 open ports: port 22 running SSH, and ports 8000 and 8080 running the web services Apache and nginx respectively.
Way To User
Checking the lower web port first, we see that it is a blog page, and currently there is nothing much of interest here.
Checking the other web port, we find a Git repository of the blog page.
We can download the repo using the snapshot option and get the repository of the blog web app. Inside this repo we find the version of Rails being used, and a quick search on Google shows that this version is known to be vulnerable.
We now use the publicly available exploit to get a reverse shell.
Running the Ruby script gives us the payload which will be used against the blog website.
We first have to register a user.
Now we log in with the registered user.
Now we intercept the request of the Profile page where we update the username.
Now we put our payload in the user[username] parameter, as it is the vulnerable parameter.
Checking back on the netcat listener, we see that our reverse shell was successful.
We get the user flag in the user's home directory.
Way To Root
Running the LinPEAS script, we see that there is a file containing hashes at /var/backups/dump_2020-08-27.sql.
Checking the file, we have 2 hashes, which we then move on to cracking using hashcat.
One of the hashes was cracked successfully: it was the hash for user bill, which is the user we currently have a shell as.
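The root cause here is a database dump with password digests left readable in a backup directory. The following Ruby script is an added example (not part of this writeup and not from the box) showing how a defender can scan such dumps for credential material and check who can read the file; the pattern list and the sample dump are constructed assumptions covering the common crypt-style formats.

```ruby
# Added example (not from the writeup): scan a database dump for leaked
# password hashes so that a backup like this one is caught before it sits
# readable in /var/backups. The pattern list is an assumption covering the
# common crypt-style formats; extend it for the formats your app stores.

# Hash formats keyed by the prefix they are stored with.
HASH_PATTERNS = {
  'bcrypt'      => /\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}/,
  'sha512crypt' => /\$6\$[^$\s]+\$[.\/A-Za-z0-9]{86}/,
  'md5crypt'    => /\$1\$[^$\s]+\$[.\/A-Za-z0-9]{22}/,
}.freeze

# Constructed sample in pg_dump COPY format. The digests are filler
# strings of the right shape and do not correspond to any real password.
SAMPLE_DUMP = <<~SQL
  COPY public.users (id, username, email, password_digest) FROM stdin;
  1\tbill\tbill@example.test\t$2a$12$#{'x' * 53}
  2\tjennifer\tjennifer@example.test\t$2a$12$#{'y' * 53}
  \\.
  COPY public.articles (id, title) FROM stdin;
  1\tHello world
  \\.
SQL

# Walk the dump line by line, remembering which COPY block we are in so a
# finding can name the table that leaks credential material.
def find_password_hashes(dump_text)
  hits = []
  table = nil
  dump_text.each_line.with_index(1) do |line, lineno|
    if (m = line.match(/\ACOPY\s+(\S+)/))
      table = m[1]
      next
    end
    HASH_PATTERNS.each do |kind, re|
      line.scan(re) { |h| hits << { line: lineno, table: table, kind: kind, hash: h } }
    end
    table = nil if line.start_with?('\.') # "\." terminates a COPY block
  end
  hits
end

# Wrapper for a real file: also report whether users other than the owner
# can read the dump, which is what turned this backup into a finding.
def audit_dump_file(path)
  mode = File.stat(path).mode & 0o777
  {
    path: path,
    mode: format('%04o', mode),
    others_can_read: (mode & 0o004) != 0,
    hashes: find_password_hashes(File.read(path)),
  }
end

if __FILE__ == $PROGRAM_NAME
  find_password_hashes(SAMPLE_DUMP).each do |h|
    puts "line #{h[:line]} (#{h[:table]}): #{h[:kind]} digest #{h[:hash][0, 7]}..."
  end
end
```

Run it against a real dump with `audit_dump_file('/path/to/dump.sql')`; any hit combined with `others_can_read: true` is the same exposure that LinPEAS reported on this box, and the table name tells you which application store needs its backups encrypted or restricted.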
Trying to run the sudo -l command and then entering the password, it prompts us for a verification code.
Checking the home directory of the user bill, we see that there is a hidden file named google_authenticator, which is generated by Google Authenticator, a 2FA tool.
We have the secret key, which can be used in the Google Authenticator app to get the verification code; for this I installed the app on my Android phone and got the verification code.
Now we can see that we can run /usr/bin/gem as sudo with the current user, and taking reference from GTFOBins, we can get root.
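The privilege escalation works because the sudo rule hands a user a binary that can execute arbitrary Ruby, so 2FA on sudo does not help once the 2FA secret is readable too. The script below is an added example (not from this writeup and not the box's configuration) of a sudoers audit a defender can run to flag such rules; the binary list is an assumption drawn from the GTFOBins "sudo" category and the sample rules are constructed.

```ruby
# Added example (not from the writeup): audit sudoers rules for binaries
# that let the permitted user run arbitrary code, which is how a rule such
# as "bill ALL=(ALL:ALL) /usr/bin/gem" turns into a root shell. The binary
# list is an assumption drawn from the GTFOBins "sudo" category and is
# deliberately short; extend it for your environment.
require 'set'

SHELL_ESCAPE_BINARIES = Set.new(%w[
  gem ruby irb python python3 perl bash sh zsh env
  vim vi nano less more find awk tar ftp git rsync nmap
]).freeze

Rule = Struct.new(:user, :host, :runas, :tags, :command)

# Parse one sudoers rule of the form
#   user host=(runas) TAG: command[, command...]
# Comments, blank lines and Defaults lines return nil.
def parse_sudoers_line(line)
  line = line.sub(/#.*/, '').strip
  return nil if line.empty? || line.start_with?('Defaults')
  m = line.match(/\A(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z_]+:\s*)*)(.+)\z/)
  return nil unless m
  Rule.new(m[1], m[2], m[3] || 'root', m[4].scan(/[A-Z_]+/), m[5].strip)
end

# Flag each command in a rule. Severity is :high when the binary is known
# to spawn a shell and its arguments are unrestricted (none, or a wildcard),
# :medium when the arguments are pinned but the binary is still on the list.
def audit_rule(rule)
  nopasswd = rule.tags.include?('NOPASSWD')
  rule.command.split(',').map(&:strip).reject(&:empty?).map do |cmd|
    if cmd == 'ALL'
      { user: rule.user, command: cmd, severity: :high, nopasswd: nopasswd,
        reason: 'any command allowed' }
    else
      bin, *args = cmd.split(/\s+/)
      next unless SHELL_ESCAPE_BINARIES.include?(File.basename(bin))
      unrestricted = args.empty? || args.any? { |a| a.include?('*') }
      { user: rule.user, command: cmd, severity: unrestricted ? :high : :medium,
        nopasswd: nopasswd,
        reason: "#{File.basename(bin)} can run arbitrary code (see GTFOBins)" }
    end
  end.compact
end

# Audit a whole sudoers file (or the rules section of sudo -l output).
def audit_sudoers(text)
  text.each_line.map { |l| parse_sudoers_line(l) }.compact.flat_map { |r| audit_rule(r) }
end

# Constructed sample, not the box's real sudoers.
SAMPLE_SUDOERS = <<~SUDOERS
  Defaults env_reset
  # application operators
  bill    ALL=(ALL:ALL) /usr/bin/gem
  deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
  ops     ALL=(ALL) /usr/bin/vim /etc/hosts
SUDOERS

if __FILE__ == $PROGRAM_NAME
  audit_sudoers(SAMPLE_SUDOERS).each do |f|
    puts "#{f[:severity].to_s.upcase}: #{f[:user]} may run '#{f[:command]}' (#{f[:reason]})"
  end
end
```

Feed it `File.read('/etc/sudoers')` plus the files under `/etc/sudoers.d/`; a :high finding on an interpreter or package manager such as gem means the rule should be replaced by a wrapper script that takes no attacker-controlled arguments, or dropped altogether.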