---
title: "Hack The Box Business CTF 2021: Time"
pubDatetime: 2021-07-25T19:09:10.000Z
tags: ["hackthebox", "writeup"]
description: "Writeup of the web challenge called Time from HackTheBox Business CTF 2021"
---
# Challenge Info

Get the current date and time, anytime, anywhere!

# Solution

For this challenge we have a downloadable part as well. This zip file contains the source code of the website.

When we visit the website we're greeted with the following:

![](/images/2021/07/image-40.png)

Looking through the source code we find a file called `TimeController.php` and `TimeModel.php`.

## TimeController.php

```php
<?php
class TimeController
{
    public function index($router)
    {
        $format = isset($_GET['format']) ? $_GET['format'] : '%H:%M:%S';
        $time = new TimeModel($format);
        return $router->view('index', ['time' => $time->getTime()]);
    }
}
```

We see that the website accepts a GET parameter called `format`. And that the contents of this parameter is sent to `TimeModel`.

## TimeModel.php

```php
<?php
class TimeModel
{
    public function __construct($format)
    {
        $this->command = "date '+" . $format . "' 2>&1";
        echo $this->command;
    }

    public function getTime()
    {
        $time = exec($this->command);
        $res  = isset($time) ? $time : '?';
        return $res;
    }
}
```

The GET parameter, which we control, eventually is sent to exec() with no form for input sanitization.  
This is a classic command injection vulnerability.

By sending the following GET parameter, we can easily get the flag: `';cat /flag'`

![](/images/2021/07/image-41.png)

Flag: `HTB{tim3_t4lks...4nd_1t_s4ys_1ts_t1m3_t0_PWN!!!}`