Machine Synopsis

Timing is a Medium difficulty Linux machine that features an Apache web server running on port 80. A login page on the server is found to be vulnerable to a Side Channel Enumeration attack that allows us to identify valid users. The username `aaron` is identified through the enumeration attack, as well as their password. Upon successful login a profile settings page can be used to increase the privileges of user Aaron by setting the initially hidden `role` parameter. The administrative panel allows users to upload avatars for their account. A JavaScript file found in the HTML source code is used to identify a Local File Inclusion vulnerability that is present in the `images.php` file. This vulnerability can be used to read the source code of the web application files and specifically the mechanism that handles the avatar uploads. This mechanism uses a pseudo random calculation that takes into account the current time in order to randomise the names of the files that are uploaded so that users cannot find them. By brute forcing this mechanism a JPG file that contains PHP code can be uploaded and identified on the server. This combined with the LFI is used to get Remote Code Execution on the remote system. Lateral Movement is achieved by identifying a backup of the web files that contain a Git repository, in a previous commit of which valid SSH credentials are found. Finally, privileges are escalated by abusing a script that the user can run as root via Sudo, that uses the Axel command line utility to download files from the internet. An Axel configuration file is placed in the user's home directory that instructs the utility to place a downloaded file in the SSH directory of the root user thus granting SSH access as root.