bikupothen1615

Timing

A Hack The Box machine..!!!


Timing is a Hack The Box machine that runs on the Apache web server. The machine has an LFI vulnerability. The machine contains two flags, a user flag and a root flag. We use Burp Suite to intercept many requests and inject them with our malicious payload to get credentials and several files. Reading /etc/passwd, we got default credentials. After login there is an edit profile menu which gave access to the admin profile, which allows us to upload an image. By enumerating the server directories we find a backup file in the /opt directory which contains a git repository, and by enumerating it we find the SSH password to access the machine. We use netutils to overwrite the authorized keys and get root.




Step 1: We start with reconnaissance. For that, we scan the IP address for any open ports using the Nmap tool.

After the Nmap scan we found that ports 22 and 80 are open. After analyzing the scan result, an interesting fact was found: the server was running Apache/2.4.29 (Ubuntu). So after a little bit of research, it was found that this particular Apache version has a vulnerability known as LFI.


Step 2: To find hidden directories we run a Gobuster scan.

During the scan we found the directory list above.

When opening the images directory in the URL we found a blank page. So, using Burp Suite, we intercept the request and use the payload /etc/passwd; the resulting response has the message "Hacking attempt detected". So we conclude that this particular page is vulnerable.



Step 3: Since the page is vulnerable to LFI, we use another payload for file inclusion:

“php://filter/convert.base64-encode/resource=/etc/passwd”


We intercept the request and use our payload, then check the response and find base64 encoded data. After decoding it we find user login credentials.


Using the above payload, we retrieve some of the PHP source files used by the web page. All of the data was base64 encoded.
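The two probes described above (a direct /etc/passwd path and the php://filter base64 wrapper) leave a recognisable trace in the web server's access log. The following is an added example, not code from the write-up or from the machine, that scans Apache combined-format log lines for file-parameter values that look like inclusion attempts: stream-wrapper schemes, absolute paths, directory traversal, and double percent-encoding. The log lines, the IP address and the image.php?img= parameter are constructed for the example; the parameter name on the real machine is not given on the page.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined log format (not from the machine).
# Line 2 mirrors the "Hacking attempt detected" short response the write-up saw.
SAMPLE_LOG = """\
10.10.14.5 - - [24/Feb/2022:06:02:43 +0000] "GET /image.php?img=cat.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [24/Feb/2022:06:02:44 +0000] "GET /image.php?img=/etc/passwd HTTP/1.1" 200 27 "-" "Mozilla/5.0"
10.10.14.5 - - [24/Feb/2022:06:02:45 +0000] "GET /image.php?img=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 1900 "-" "curl/7.68.0"
10.10.14.5 - - [24/Feb/2022:06:02:46 +0000] "GET /image.php?img=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1900 "-" "curl/7.68.0"
10.10.14.5 - - [24/Feb/2022:06:02:47 +0000] "GET /image.php?img=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1900 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Any <scheme>:// prefix in a file parameter (php://, data:, ...) is a wrapper, not a file name.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing; return (decoded, extra_rounds).
    parse_qsl already decoded once, so extra_rounds > 0 means double encoding."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def classify_value(value):
    """Return (normalised value, list of reasons) for one query parameter value."""
    decoded, extra = fully_decode(value)
    reasons = []
    if SCHEME_RE.match(decoded):
        reasons.append("stream wrapper / URL scheme in file parameter")
    if decoded.startswith("/"):
        reasons.append("absolute path")
    if "../" in decoded.replace("\\", "/") or decoded.endswith(".."):
        reasons.append("directory traversal")
    if extra > 0:
        reasons.append("multiply percent-encoded (double encoding)")
    return decoded, reasons


def scan_access_log(text):
    """Parse each log line and flag query parameters that look like LFI attempts."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded, reasons = classify_value(value)
            if reasons:
                findings.append({
                    "ip": m.group("ip"), "time": m.group("ts"), "param": name,
                    "value": decoded, "status": int(m.group("status")), "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f"{f['param']}={f['value']}", "->", "; ".join(f["reasons"]))
```

The decoder is run to a fixed point on purpose: the fourth and fifth sample lines carry the same traversal once and twice percent-encoded, and a single-pass check would miss the second one. Run over a real log, the status and size columns also tell the defender whether the application blocked the request (the short "Hacking attempt detected" body) or served the file.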







Following is the login page of our timing machine.


Step 4: Using our decoded credentials we log in to the site as aaron:aaron.



Step 5: Since we did not have many options, we check the edit profile page and find an update button, so we switch to admin.



Using Burp Suite we intercept the update button request and change the user role to admin in order to get an admin panel.




Inside the admin panel we got an upload box.


While checking the upload.php file we found that only the jpg extension can be uploaded, and that each file is stored under a name derived from its upload time in hash format. In order to bypass this, we follow a few steps:


Step 6: First we create our payload to upload in jpg format.


Step 7: Start PHP in interactive mode and run a script that generates the hash for every second. Then, using Burp Suite, intercept the upload request and check the response time to get the correct hash.


In the above picture hash for each second is generated. In the below picture upload request was intercepted and in response the upload time is “06:02:43”.


So the hash for that particular time is


Cat.jpg was successfully uploaded.


Step 8: Using the previously found hash we crafted a URL for the bypass to trigger the error, and the following result was found.
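Steps 6 to 8 work only because the stored file name is a function of the server clock, which the HTTP response date leaks, and because the extension check alone decides what is accepted. The block below is an added example, not the machine's upload.php and not the author's script: it places the predictable naming scheme the write-up describes beside a hardened upload path. It assumes md5 as the hash (the page only says "hash format"), and the JPEG magic-byte and PHP-tag checks are defensive heuristics added here, not taken from the page.

```python
import hashlib
import os
import secrets
import tempfile
from typing import Optional

ALLOWED_EXT = {".jpg", ".jpeg"}
JPEG_MAGIC = b"\xff\xd8\xff"  # every JPEG begins with the SOI marker


def predictable_name(upload_time: int) -> str:
    """The scheme the write-up describes: stored name = hash of the upload time
    (hash function assumed to be md5 for this illustration). The input space is
    one candidate per second, so the name is reproducible by anyone who learns
    the server clock from the HTTP Date header."""
    return hashlib.md5(str(upload_time).encode()).hexdigest() + ".jpg"


def random_name() -> str:
    """Hardened replacement: 128 bits from the OS CSPRNG, unrelated to time."""
    return secrets.token_hex(16) + ".jpg"


def validate_image(filename: str, content: bytes) -> Optional[str]:
    """Return a rejection reason, or None if the upload passes every check.
    The content checks are heuristics; they complement, not replace, storing
    uploads outside the web root and never including them via a path parameter."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return "extension not allowed"
    if not content.startswith(JPEG_MAGIC):
        return "content is not a JPEG"
    if b"<?php" in content or b"<?=" in content:
        return "embedded PHP tag"
    return None


def store_upload(filename: str, content: bytes, store_dir: str) -> str:
    """Validate, then write under an unguessable name with a restrictive mode.
    store_dir is expected to be outside the document root."""
    reason = validate_image(filename, content)
    if reason:
        raise ValueError(reason)
    path = os.path.join(store_dir, random_name())
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, 0o640)
    return path


def demo_store() -> str:
    """Constructed fixture: store a minimal JPEG-like blob in a throwaway directory."""
    store_dir = tempfile.mkdtemp(prefix="uploads-demo-")
    return store_upload("cat.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 16, store_dir)


if __name__ == "__main__":
    t = 1645682563  # constructed epoch value, corresponds to 06:02:43 on 24 Feb 2022 UTC
    print("predictable:", predictable_name(t), "== again:", predictable_name(t) == predictable_name(t))
    print("random:     ", random_name(), "!= again:", random_name() != random_name())
    print("stored at:  ", demo_store())
```

The contrast to keep in mind is the test of reproducibility: calling predictable_name twice with the same second gives the same file name, while two calls to random_name never agree, so there is no candidate list for a second request to walk through.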


Step 9: When we check the /opt directory, we find a file named source-files-backup.zip. To download the file, we need to copy it to the root of the web server ("cp /opt/source-files-backup.zip /var/www/html") and download it using the wget command. Since the file is in zip format, unzip the file.


Step 10: Downloading the file.


By unzipping it we find that the file contains a git repository. So, using the git show command, we got the password.


Step 11:

Step 12: Since the SSH port was open, we open an SSH connection and get the user flag.


The next step is to get the root flag. For that we need root permission. For privilege escalation we run the command sudo -l and get the following result. Since netutils is found, we can exploit it.


Step 13:

Step 14: We need to create a soft link on the Timing machine.


Step 15: Create an SSH key on our local machine and rename the generated public key to the new filename keys in /root/.ssh.



Step 16: Start a Python web server to serve the file so that it can be pulled onto the Timing machine using netutils.


Step 17: Use the command sudo /usr/bin/netutils to fetch the file.


Step 18: Now open another SSH connection using the private key id_rsa. We will be logged in as root on Timing.
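Steps 14 to 18 succeed because a root-privileged download tool is made to follow a symlink into /root/.ssh/authorized_keys. From the defender's side, the durable fix is tightening the sudoers entry, but a host check that flags a symlinked or over-permissive authorized_keys catches this exact outcome. The block below is an added example, not part of the write-up: an audit function plus a constructed throwaway home directory to run it against. The fixture paths are created under a temp directory and are not the machine's.

```python
import os
import stat
import tempfile
from typing import List


def audit_authorized_keys(home: str) -> List[str]:
    """Return findings for HOME/.ssh and HOME/.ssh/authorized_keys.
    Uses lstat so a symlink is reported as such instead of being followed."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    # sshd's own StrictModes expectation: 0700 on .ssh, 0600 on authorized_keys
    for path, label, max_mode in ((ssh_dir, ".ssh", 0o700), (keys, "authorized_keys", 0o600)):
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # nothing to audit for this user
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{label} is a symlink -> {os.readlink(path)}")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~max_mode:
            findings.append(f"{label} mode {mode:04o} is wider than {max_mode:04o}")
    return findings


def build_demo_home(symlink_keys: bool) -> str:
    """Constructed fixture (not a real account): a temp home whose authorized_keys
    is either a symlink to a file elsewhere or a regular world-readable file."""
    home = tempfile.mkdtemp(prefix="audit-demo-")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    os.chmod(ssh_dir, 0o700)
    keys = os.path.join(ssh_dir, "authorized_keys")
    if symlink_keys:
        target = os.path.join(home, "keys")  # stand-in for a file another user controls
        open(target, "w").close()
        os.symlink(target, keys)
    else:
        with open(keys, "w") as fh:
            fh.write("ssh-ed25519 AAAA... constructed-placeholder-key\n")
        os.chmod(keys, 0o644)
    return home


if __name__ == "__main__":
    for label, home in (("symlinked", build_demo_home(True)), ("loose mode", build_demo_home(False))):
        print(label, "->", audit_authorized_keys(home) or ["clean"])
```

Run across /home/* and /root on a host, an empty list per account is the expected state; anything returned is worth a look, and a symlink finding in particular means a later write by any tool running as root would land somewhere other than the file sshd reads.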

Finally, we got the root flag!!!






1 comment


antumerin
February 24, 2022

Good work...!! Keep going...!!
