# HTB - Cronos

![Cronos](/files/-M4w4acGzi5lCxC-9LgT)

## Getting Root

1. We perform a zone transfer with dig and find a virtual host for the admin page, which is vulnerable to SQL injection.
2. Once logged in, we send the request through Burp and get command execution from a tool that performs **ping** and **traceroute**. We get a reverse shell using Python.
3. We notice that root executes a PHP script every minute, and that this script is owned by our user www-data. Replacing the PHP script with our code gives us root.

### Tools used:

**`nmap, dig, burp`**

## Nmap

```bash
# Nmap 7.80 scan initiated Tue Apr 14 22:04:44 2020 as: nmap -sC -sV -p 22,53,80 -oA nmap/cronos_all 10.10.10.13
Nmap scan report for 10.10.10.13
Host is up (0.056s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 14 22:04:59 2020 -- 1 IP address (1 host up) scanned in 15.48 seconds

```

## Enumeration

### DNS

```bash
# dig cronos.htb @10.10.10.13

; <<>> DiG 9.11.16-2-Debian <<>> cronos.htb @10.10.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12057
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cronos.htb.                    IN      A

;; ANSWER SECTION:
cronos.htb.             604800  IN      A       10.10.10.13

;; AUTHORITY SECTION:
cronos.htb.             604800  IN      NS      ns1.cronos.htb.

;; ADDITIONAL SECTION:
ns1.cronos.htb.         604800  IN      A       10.10.10.13

;; Query time: 55 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Apr 14 22:25:48 EDT 2020
;; MSG SIZE  rcvd: 89


```

#### Zone transfer

```bash
# dig axfr cronos.htb @10.10.10.13

; <<>> DiG 9.11.16-2-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800  
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 56 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Apr 14 22:30:14 EDT 2020
;; XFR size: 7 records (messages 1, bytes 203)


```

The interesting part here is **`admin.cronos.htb`**.

### HTTP

On the admin page, we tried guessing a few usernames and passwords but got nothing. However, when we tried a few SQL injection payloads, we were able to log in using the following:\
\
Username: **`admin' #`**\
Password: **admin**

![](/files/-M4w5pDs9qY4ZSlveFs6)

Once logged in, we are redirected to this tool, which allows us to **ping** and **traceroute**.

![](/files/-M4w6Tw4us9CGZ5XezEK)

A simple test shows that we can ping our box.

![](/files/-M4w6ukEp7paBV3XlEuu)

On our Kali box, we can see the ICMP packets.

```bash
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
00:35:40.334101 IP 10.10.10.13 > 10.10.14.38: ICMP echo request, id 31905, seq 1, length 64
00:35:40.334126 IP 10.10.14.38 > 10.10.10.13: ICMP echo reply, id 31905, seq 1, length 64

```

## Exploit

We send this ping request to Burp and notice that we have command execution.

#### Request

![](/files/-M4w7Raf6c73qjU2W53Z)

#### Response

![](/files/-M4w7aE0JhgVCr-qF4ff)

Using a Python reverse shell as the payload, we get a shell as user **www-data**.

![](/files/-M4w7plGThCqcwhIo1_r)

```bash
www-data@cronos:/var/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@cronos:/var/www$ 

```
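The ping tool is injectable because the submitted host ends up inside a shell command line. The following is an added Python example, not code from the box or this writeup (the real application is PHP): it shows that vulnerable shape beside a hardened handler that allow-lists the host and runs ping without a shell. The constructed input `10.10.14.38; id` stands in for a tampered request.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Hostname syntax (RFC 1123 labels): letters, digits and hyphens, no leading or trailing hyphen.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}\.?$", re.IGNORECASE)


def is_valid_host(value: str) -> bool:
    """Accept only a literal IP address or a syntactically valid hostname.
    Shell metacharacters, whitespace and leading dashes can never pass this allow-list."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME_RE.match(value) is not None


def unsafe_ping_command(host: str) -> str:
    """The vulnerable shape: the user-supplied value is spliced into a shell command line,
    so a metacharacter such as ';' ends the ping and starts a second command."""
    return "ping -c 1 " + host


def build_ping_argv(host: str) -> Optional[List[str]]:
    """Hardened shape: validate against the allow-list, then pass the host as a single
    argv element so no shell ever parses it. Returns None for rejected input."""
    if not is_valid_host(host):
        return None
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> str:
    """Execute the hardened form; ping is only reached with a validated host."""
    argv = build_ping_argv(host)
    if argv is None:
        return "rejected: not an IP address or hostname"
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return result.stdout or result.stderr
```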

## Privilege Escalation

While enumerating the box with **linpeas.sh**, the following jumped out.

![](/files/-M4w8fnOcM3mMgrA_dt0)

The file is owned by our user and is executed by root. With that information, we replaced **artisan** with a PHP reverse shell and got a shell as root.

```bash
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9008
Ncat: Listening on 0.0.0.0:9008
Ncat: Connection from 10.10.10.13.
Ncat: Connection from 10.10.10.13:33386.
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 07:25:01 up  2:34,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

```
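The escalation works because a root cron job hands a script owned by www-data to a root-owned interpreter. The following added Python audit (not from the writeup or the box) parses /etc/crontab-style lines and flags root jobs whose absolute-path arguments are not root-owned or are group/world-writable; the crontab text and the `artisan` file created in `demo()` are constructed samples.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# System crontab layout (/etc/crontab, /etc/cron.d/*): five time fields, a user, then the command.
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
REDIRECT_RE = re.compile(r"\d?>+&?\s*\S+")  # drops '>> /dev/null' and '2>&1' before path checks

@dataclass
class Finding:
    command: str
    path: str
    reason: str

def weak_paths(command: str) -> List[Finding]:
    """Flag every absolute path in a root-run command that a non-root user could modify.
    The interpreter (e.g. /usr/bin/php) is normally root-owned; the script handed to it may not be."""
    found = []
    for tok in REDIRECT_RE.sub(" ", command).split():
        if not tok.startswith("/") or not os.path.exists(tok):
            continue
        st = os.stat(tok)
        if st.st_uid != 0:
            found.append(Finding(command, tok, f"owned by uid {st.st_uid}, not root"))
        elif st.st_mode & 0o022:  # group-write or other-write bit set
            found.append(Finding(command, tok, "group- or world-writable"))
    return found

def audit_crontab(text: str) -> List[Finding]:
    """Audit crontab text for root jobs whose targets other users can rewrite."""
    findings = []
    for line in text.splitlines():
        m = CRON_RE.match(line)
        if not m or line.lstrip().startswith("#") or m.group("user") != "root":
            continue  # comments, environment lines and non-root jobs are out of scope
        findings.extend(weak_paths(m.group("cmd")))
    return findings

def demo() -> List[Finding]:
    """Constructed sample (not the box's real crontab): a root job whose script is world-writable."""
    script = os.path.join(tempfile.mkdtemp(), "artisan")
    with open(script, "w") as fh:
        fh.write("<?php\n")
    os.chmod(script, 0o777)
    crontab = (f"* * * * * root /usr/bin/php {script} schedule:run >> /dev/null 2>&1\n"
               f"* * * * * www-data /usr/bin/php {script} queue:work\n")
    return audit_crontab(crontab)
```

Run it against the real `/etc/crontab` and `/etc/cron.d/*` on a host; a hit means root is executing something another account can edit.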

