Challenge Info

Get the current date and time, anytime, anywhere!

Solution

For this challenge we have a downloadable part as well. This zip file contains the source code of the website.

When we visit the website we're greeted with the following:

Looking through the source code we find a file called TimeController.php and TimeModel.php.

TimeController.php

<?php
class TimeController
{
    public function index($router)
    {
        $format = isset($_GET['format']) ? $_GET['format'] : '%H:%M:%S';
        $time = new TimeModel($format);
        return $router->view('index', ['time' => $time->getTime()]);
    }
}

We see that the website accepts a GET parameter called format. And that the contents of this parameter is sent to TimeModel.

TimeModel.php

<?php
class TimeModel
{
    public function __construct($format)
    {
        $this->command = "date '+" . $format . "' 2>&1";
        echo $this->command;
    }

    public function getTime()
    {
        $time = exec($this->command);
        $res  = isset($time) ? $time : '?';
        return $res;
    }
}

The GET parameter, which we control, eventually is sent to exec() with no form for input sanitization.
This is a classic command injection vulnerability.

By sending the following GET parameter, we can easily get the flag: ';cat /flag'

Flag: HTB{tim3_t4lks...4nd_1t_s4ys_1ts_t1m3_t0_PWN!!!}