Hack The Box: Cronos Write-up (#7)

Reconnaissance

Start with a basic Nmap scan.

  • -sC: Default Nmap script
  • -sV: Service/version info
  • -O: Enable OS detection
  • -oA: Output scan results in 3 different formats

We get back the following result:

  • Port 22: running OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (SSH).
  • Port 53: running ISC Bind 9.10.3-P4, a DNS service.
  • Port 80: running Apache httpd 2.4.18, an HTTP web service.

Next, run a full Nmap scan.

  • -p-: Scan all ports from 1–65535

We get back the same result as the basic Nmap scan.

No other TCP ports are open. Next, run a UDP Nmap scan.

This shows that UDP port 53 is open.

Quick mental notes:

  1. Port 22 is running OpenSSH version 7.2p2. This version normally ships with Ubuntu Xenial 16.04 LTS and is not easy to exploit, so we put it on the back burner and come back to it if required.
  2. Port 53 is running ISC Bind, which is a DNS service. We can enumerate it to find subdomains.
  3. Port 80 is running an HTTP service. The web server is Apache 2.4.18, which is quite a recent version. We can begin our enumeration here.

Service Enumeration

Port 80 (HTTP Web Service)

Let’s visit the page.

This is a default page, meaning there is a misconfiguration somewhere. Let's map the IP of the host to its HTB domain name in the /etc/hosts file. Save the file and exit.

Access cronos.htb from the browser.

I accessed all the navigation tabs; all the links go to external resources, which are outside the scope of HTB.

Port 53 (Bind or DNS Service)

Let’s perform a DNS zone transfer.

We get back additional subdomains. Update the /etc/hosts file as below, then save and exit:

I already tried to access all 3 subdomains, and only admin.cronos.htb leads to a simple login page built using PHP.

Exploitation

I tried a few common weak credentials like admin:admin, admin:password and admin:root, but none of them seem to work.

I tried a simple SQL injection in the username field and the login was successful. It is obvious this page is vulnerable to SQL injection.

I was brought to a command execution page.

Let's test with a simple whoami command.

We get successful command execution. Now intercept this request in Burp Proxy and send it to Repeater. When I tried a reverse shell using netcat with the command below in Repeater, it was not working.

Then I removed the host parameter and tried again with a URL-encoded PHP online reverse shell, and I received a reverse shell in Kali. If you follow the same method you will get a reverse shell.

Great! Let's upgrade the shell to a fully interactive shell with the commands below:

Post Exploitation Enumeration

Run the linux-smart-enumeration script to find possible misconfigurations or sensitive information that could let us escalate privileges to root.

  • -l: Set the level to 1 to show interesting results
  • -i: Non-interactive mode

From the result above, we can see one particular job called artisan that runs every minute as root. A quick Google search for "schedule artisan" reveals that we can run a scheduled job by configuring it in the Kernel.php file. Refer here. As per the documentation, we can also run system commands from the schedule.

In order to run a system command, we need to edit the Kernel.php file. Run the find command as below to locate Kernel.php.

Edit the file /var/www/laravel/app/Console/Kernel.php and, under the "protected function schedule" function, add the command as below (in bold):

Save and exit. Now just wait 1 minute for the file to be created.

We can see the rootsh file is created, its owner is root and the SUID bit is set. Let's escalate privileges to root with the command below:
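As an added defensive check (not part of the original write-up), here is a small auditor for the misconfiguration behind this escalation: a root cron job whose target script, here Laravel's artisan, can be modified by a lower-privileged user. The crontab text inside it is constructed for the example, not copied from the box; on a real host you would feed it /etc/crontab and the files under /etc/cron.d.

```python
import os
import re
import stat

# Constructed /etc/crontab sample (an assumption about how a root-run Laravel
# scheduler entry is usually written; not copied from the box).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 * * * *  root  cd / && run-parts --report /etc/cron.hourly
*  * * * *  root  php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""
JOB_LINE = re.compile(r"^(?:\S+\s+){5}(\S+)\s+(.+)$")   # 5 time fields, user, command
REDIRECT = re.compile(r"\s*\d?>{1,2}(?:&\d+|\s*\S+)")  # drops '>> /dev/null', '2>&1'

def parse_system_crontab(text):
    """(user, command) pairs from job lines; comments, blanks and VAR=value skipped."""
    lines = (l.strip() for l in text.splitlines())
    matches = (JOB_LINE.match(l) for l in lines if l and not l.startswith("#"))
    return [(m.group(1), m.group(2)) for m in matches if m]

def untrusted_writable(path, trusted_uids):
    """Reason the file or its parent directory can be altered by a uid outside
    trusted_uids (a replaceable file is as bad as a writable one), else None."""
    for p in (path, os.path.dirname(path) or "."):
        try:
            st = os.stat(p)
        except OSError:
            continue  # path missing on this host: nothing to judge
        if st.st_uid not in trusted_uids:
            return f"{p} is owned by uid {st.st_uid}, not a trusted uid"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return f"{p} is group- or world-writable"
    return None

def audit_crontab(text, trusted_uids=(0,)):
    """Flag root jobs whose absolute-path arguments an untrusted uid could modify.
    Returns (user, command, reason) tuples; non-root jobs are left alone."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        if user != "root":
            continue
        for tok in REDIRECT.sub(" ", cmd).split():
            reason = tok.startswith("/") and untrusted_writable(tok, trusted_uids)
            if reason:
                findings.append((user, cmd, reason))
                break
    return findings

if __name__ == "__main__":
    for user, cmd, reason in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{user}] {cmd}\n    -> {reason}")
```

On the box itself the artisan file and its directory belong to the web user rather than root, which is exactly what the ownership check reports.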

We rooted this box!

Let's grab the user.txt and root.txt flags.

Attack Strategy Map

Thank you for reading :-) Next box is Nineveh.

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.