Jewel is a medium difficulty Linux machine that features source code analysis of a Ruby on Rails web application. This reveals an unsafe use of RedisCacheStore (CVE-2020-8165), which is leveraged to get RCE. After gaining a foothold, we have command execution in the context of the unprivileged user `bill`. This user is allowed to run the `gem` command as root, but sudo requires two-factor authentication to do so. To get around 2FA, we search for and find bill's password, and can then use the Google Authenticator utility to generate an OTP for sudo in order to execute commands as root.
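The source code review step described above, as an added example (not code from the original page or from the machine's application): a heuristic Ruby scanner that flags Rails cache calls passing `raw: true`, the usage pattern CVE-2020-8165 concerns. The sample controller, the file name and all helper names are constructed for illustration.

```ruby
# Heuristic audit for the CVE-2020-8165 usage pattern: values written to a
# Rails cache store with `raw: true` can be unmarshalled when read back.
CACHE_CALL = /\b(?:Rails\.cache|cache)\.(fetch|write|read|fetch_multi|write_multi)\s*\(/
RAW_TRUE   = /\braw:\s*true\b|:raw\s*=>\s*true\b/
USER_INPUT = /\bparams\b|\brequest\.|\bcookies\b/   # assumed taint sources

Finding = Struct.new(:file, :line, :method_name, :user_input, :code)

# Return the full call text starting at `start`, following parentheses until
# they balance, so calls spread over several lines are handled.
def call_text(source, start)
  depth = 0
  (start...source.length).each do |i|
    case source[i]
    when "(" then depth += 1
    when ")"
      depth -= 1
      return source[start..i] if depth.zero?
    end
  end
  source[start..]   # unbalanced input: return the remainder
end

# Flag every cache call whose argument list contains `raw: true`.
def scan_source(file, source)
  findings = []
  source.scan(CACHE_CALL) do
    m = Regexp.last_match
    text = call_text(source, m.begin(0))
    next unless text =~ RAW_TRUE
    line = source[0...m.begin(0)].count("\n") + 1
    findings << Finding.new(file, line, m[1], !!(text =~ USER_INPUT), text.gsub(/\s+/, " "))
  end
  findings
end

# Constructed sample input, not taken from any real application.
SAMPLE_SOURCE = <<~'RB'
  class ProfilesController < ApplicationController
    def update
      Rails.cache.write("nick_#{params[:id]}", params[:nick], raw: true)
    end

    def stats
      @count = Rails.cache.fetch("user_count") { User.count }
      Rails.cache.write(
        "banner", "static text",
        raw: true
      )
    end
  end
RB
```

Findings with `user_input` set are the ones to review first. The match is textual, so a value that reaches the call through a local variable still needs manual tracing.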