Timing

  • Writer: bikupothen1615
  • Feb 24, 2022
  • 3 min read

A Hack The Box machine!


Timing is a Hack The Box machine running the Apache web server. The machine has an LFI vulnerability and contains two flags: the user flag and the root flag. We use Burp Suite to intercept many requests and inject our payloads into them to obtain credentials and several files. Reading /etc/passwd gives us default credentials. After logging in, the edit profile menu gives access to the admin profile, which allows us to upload an image. By enumerating the server directories we find a backup file in the /opt directory that contains a git repository, and by enumerating it we find the SSH password for the machine. We use netutils to overwrite the authorized keys and get root.




Step 1: We start with reconnaissance. To do so, we scan the IP address for open ports using the Nmap tool.


After the nmap scan we found that ports 22 and 80 are open. Analyzing the scan result, an interesting fact was found: the server was running Apache/2.4.29 (Ubuntu). After a little research, it was found that this particular Apache version has a vulnerability known as LFI.


Step 2: To find hidden directories we run a Gobuster scan.


During the scan we found the directory list shown above.

When we open the images directory in the URL we get a blank page. So, using Burp Suite, we intercept the request and use the payload /etc/passwd; the response contains the message “Hacking attempt detected”. From this we conclude that this particular page is vulnerable.



Step 3: Since the page is vulnerable to LFI, we use another payload for file inclusion:

“php://filter/convert.base64-encode/resource=/etc/passwd”


We intercept the request, apply our payload and check the response, which contains base64-encoded data. After decoding it we find the user login credentials.



Using the above payload, we also retrieve some of the PHP code used by the web page. All of the data was base64 encoded.
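Detection logic for this kind of LFI probing, as an added example that is not part of the original post: the script below scans constructed Apache access-log lines for the indicators seen in this step (the php://filter wrapper, traversal sequences and references to /etc/passwd), undoing repeated percent-encoding first so that double-encoded variants are not missed. The endpoint /image.php and its img parameter are assumed names, and the rules go slightly beyond the post by also flagging other PHP stream wrappers.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (not from the original post);
# the endpoint /image.php and its img parameter are assumed names.
SAMPLE_LOG = """\
10.10.14.5 - - [24/Feb/2022:06:02:41 +0000] "GET /image.php?img=images/background.jpg HTTP/1.1" 200 4521
10.10.14.5 - - [24/Feb/2022:06:02:43 +0000] "GET /image.php?img=/etc/passwd HTTP/1.1" 200 25
10.10.14.5 - - [24/Feb/2022:06:02:44 +0000] "GET /image.php?img=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2212
10.10.14.5 - - [24/Feb/2022:06:02:45 +0000] "GET /image.php?img=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 25
"""

# Pull the timestamp and request target out of a combined-log line.
REQUEST_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

# Each rule is (name, regex) applied to the fully URL-decoded request target.
RULES = [
    ("stream_wrapper", re.compile(r"\b(?:php|data|expect|phar|zip|glob)://", re.I)),
    ("path_traversal", re.compile(r"\.\.[/\\]")),
    ("sensitive_file", re.compile(r"/etc/(?:passwd|shadow)\b|/proc/self/", re.I)),
]

def full_decode(s, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are seen in clear."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def lfi_indicators(target):
    """Return the names of the rules that match one request target."""
    decoded = full_decode(target)
    return [name for name, rx in RULES if rx.search(decoded)]

def scan_log(text):
    """Return (timestamp, decoded target, indicators) for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        found = lfi_indicators(m.group("target"))
        if found:
            hits.append((m.group("ts"), full_decode(m.group("target")), found))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the last three lines and leaves the legitimate image request alone; feeding it a real access log is a cheap first pass before a WAF rule is written.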




Following is the login page of the Timing machine.


Step 4: Using our decoded credentials, aaron:aaron, we log in to the site.



Step 5: Since we did not have many options, we check the edit profile page and find an update button, so we switch to admin.



Using Burp Suite we intercept the update button request and change the user role to admin in order to get the admin panel.


Inside the admin panel we find an upload box.


While checking the upload.php file we found that only the jpg extension can be uploaded, and that each file is stored under a hash of its upload time. To bypass this, we follow a few steps:


Step 6: First we create our payload to upload in jpg format.


Step 7: Use PHP interactive mode to run a script that generates the hash for every second. Then, using Burp Suite, intercept the upload request and check the response time to find the correct hash.


In the picture above, the hash for each second is generated. In the picture below, the upload request was intercepted and the response shows the upload time as “06:02:43”.


So the hash for that particular time is:


Cat.jpg was successfully uploaded.


Step 8: Using the previously found hash, we built the bypass URL to trigger the error, and the following result was found.


Step 9: When we check the /opt directory, we find a file named source-files-backup.zip. To download it, we copy the file to the root of the web server (“cp /opt/source-files-backup.zip /var/www/html”) and fetch it using the wget command. Since the file is a zip archive, we unzip it.


Step 10: Downloading the file.


By unzipping it we find that the archive contains a git repository. Using the git show command we get the password.


Step 11:


Step 12: Since the SSH port is open, we connect over SSH and get the user flag.


The next step is to get the root flag. For that we need root permission. For privilege escalation we run the command sudo -l and get the following result. Since netutils is listed, we can exploit it.


Step 13:


Step 14: We need to create a soft link on the Timing machine.


Step 15: Create an SSH key on our local machine and rename the generated key to the new filename keys in /root/.ssh.


Step 16: Start a Python web server to upload the file to the Timing machine using netutils.


Step 17: Use the command sudo /usr/bin/netutils to fetch the file.


Step 18: Now open another SSH connection using the key id_rsa. We will be logged in as root on Timing.


Finally, we got the root flag!





1 Comment


antumerin
Feb 24, 2022

Good work!! Keep going!!
