Timing - [HTB]
![Cover Image for Timing - [HTB]](/assets/images/blog/Timing-htb/Timing.png)

Introduction
Timing is a medium Linux machine from HackTheBox where you will have to find an LFI in order to analyse the web source code, finding a programming mistake that will allow you to upload a web shell. Then, enumerating the machine, you will find a git repository with different credentials across its commits. Finally, you will have to use symbolic links in order to overwrite the root user's authorized_keys file.
Enumeration
Let's start by scanning all open ports on the box with Nmap.
Then we continue with a deeper scan of every open port to get more information about each service.
Having a look at the web page and its source code, there is nothing interesting.

Furthermore, enumerating files, we can see that image.php is the only file with size 0 that doesn't redirect us to the login page. Maybe it requires a parameter to show information.
With ffuf we can obtain the required parameter, img.
Trying to access the URL, an alert appears.
This can be easily bypassed by using the php://filter wrapper.
Using "aaron" as both username and password, we can access the web page.

As we can see, we are logged in as user 2, but the only thing we can do is edit our profile.

Exploitation 1
Using the LFI to analyse the web source code, we can see that in the file profile_update.php we can update our role, a field which does not appear in the profile form.
Looking further, we can see that the file upload.php includes admin_auth_check.php.
This file checks whether we have set our role to 1.
To update our role, we only need to intercept the "Edit profile" request and append role=1 to it.
Now we can upload images.

Exploitation 2
However, we cannot browse the /images/uploads/ directory, so we need to know the exact filename to access our upload.
If we keep analysing the upload.php code carefully, we can see the md5 parameters. The variable $file_hash is between single quotes, so PHP interprets it as a literal string, not as a variable. Hence, the md5 will always be computed over the literal "$file_hash" followed by the upload <TIMESTAMP>.
Furthermore, the code only checks the file's extension, so we can upload PHP code with a .jpg extension that will later be interpreted thanks to the LFI.
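Because this chain rests on two defects in the upload handler (a filename hashed from the literal '$file_hash' plus a timestamp, and an extension-only check), here is an added PHP illustration of that pattern beside a hardened version. It is not the box's actual upload.php; the function names, $uploadDir and the form field name are assumptions.

```php
<?php
// Added illustration for this writeup: NOT the box's real upload.php.
// Function names, $uploadDir and the form field name are assumptions.

// Vulnerable pattern described above. In single quotes PHP does not
// interpolate variables, so the hashed input is the literal text "$file_hash"
// followed by the upload timestamp, which makes the name guessable from the
// Date response header. Only the extension of the client-supplied name is
// looked at, so the file content is never verified.
function vulnerableUploadName(string $original): string
{
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if ($ext !== 'jpg') {                      // extension-only check
        throw new RuntimeException('only .jpg allowed');
    }
    $file_hash = bin2hex(random_bytes(16));    // computed but never used
    $name = md5('$file_hash' . time());        // bug: literal '$file_hash'
    return $name . '_' . basename($original);
}

// Hardened version: verify the content, generate an unpredictable name from a
// CSPRNG, derive the extension from the detected type, and keep uploads
// outside the web root so they can never be executed or included directly.
function hardenedUpload(string $tmpPath, string $uploadDir): string
{
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset($allowed[$mime]) || getimagesize($tmpPath) === false) {
        throw new RuntimeException('not an image');
    }
    // 128 bits of randomness: cannot be brute-forced from a timestamp window.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;   // e.g. /var/app-data/uploads
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('upload failed');
    }
    return $name; // stored in the DB; served later through a controlled handler
}

// Typical call from the form handler (field name is an assumption):
// $stored = hardenedUpload($_FILES['fileToUpload']['tmp_name'], '/var/app-data/uploads');
```

A safe upload name alone does not close the include: the LFI in image.php needs its own fix (resolve the requested path with realpath() and allow only files under the intended images directory).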
Because the Apache server sends its date in the response headers, we can write a Python script that uploads a file and then brute-forces the filename using the time from the response, obtaining the URL of our file.
Note: do not forget to change your PHPSESSID.
Once the script has executed, we obtain where our web shell is located.
However, at first glance, it doesn't execute.
So we need to use the LFI to make it work.
Because some iptables rules reject all traffic from the apache user (you only find this out once you have become root on the machine), we cannot create reverse shells, and enumeration must be done through the web shell.
There is a backup file, /opt/source-files-backup.zip, that we can download with the following commands.
Because it has a .git folder, we can enumerate its commits, discovering that the database password differs from the initial commit; using the latter, we can log in as aaron through SSH, obtaining the user flag.
Privilege Escalation
Aaron is able to execute a bash script as root which runs a .jar file that we cannot analyse because it is under the root directory.
Using the HTTP option, it downloads and saves the file as root.
Hence, if we create a symbolic link to root's authorized_keys file, it will be overwritten.
To make it work, create an SSH key pair and start a web server.
Then access the public key using the netutils tool.
Finally, once it has been downloaded, you will be able to access the machine as root.