HackTheBox — Cronos Writeup
Cronos is a Medium-rated, OSCP-like Linux box on HackTheBox. It is pretty straightforward and, as you might expect from the name, we escalate privileges using a cron job.
ENUMERATION
We find a default Apache webpage on port 80. Port 53 seems to run DNS. I hit a dead end here and was unable to find anything until I referred to ippsec's video, where I found out that we need to add cronos.htb to the /etc/hosts file on our Kali.
Now, if we visit cronos.htb in our browser, we find the homepage of Cronos.
NSLOOKUP & DIG for Domain Enumeration
We use nslookup for domain enumeration.
USAGE -> start nslookup, type server <target-ip> to point it at the target's DNS server, then enter the target IP; the reverse lookup reveals cronos.htb (which we need to add to /etc/hosts on our Kali).
DIG
We will now check for a zone transfer using the dig command. A DNS zone transfer, also known as DNS query type AXFR, is a process by which a DNS server passes a copy of part of its database to another DNS server. The portion of the database that is replicated is known as a zone.
USAGE -> dig axfr @<DNS_IP> <DOMAIN>
# this attempts a zone transfer for the given domain
We discover multiple new domains such as admin.cronos.htb, ns1.cronos.htb and so on.
We will have to add all of them to our /etc/hosts.
Most of the domains redirect us to a site that is out of scope; however, the admin domain is useful, as it contains a login panel.
We can try default credentials and also blind SQL injection by hand; however, neither works.
FINDING THE HIDDEN /welcome.php PAGE
There are two ways to do so. You can either run gobuster against admin.cronos.htb, searching for .php files with gobuster's -x extension option,
or use sqlmap, which is out of scope for the OSCP exam (I found this in ippsec's walkthrough). Log in with admin / admin and intercept the request using Burp.
Now copy the request, paste it into a file called login.req and run sqlmap on it.
USAGE -> sqlmap -r login.req
In case of prompts, continue with Y (yes), and we discover welcome.php, as highlighted below.
On welcome.php it looks, at first glance, like we can try command injection.
I try pinging the target and use & (ampersand) to chain two commands together; the whoami command runs successfully, which confirms that the page is vulnerable to command injection. We can simply replace the whoami command with something malicious, such as a reverse shell.
We can try a few reverse shells; however, the netcat /tmp/f; mkfifo one is the only one that seems to run.
Now let's transfer linpeas.sh to our target. We start a SimpleHTTPServer on port 9999 of our Kali to host the file, download it on the target using wget, make it executable with chmod +x, and finally run linpeas.sh.
PRIVILEGE ESCALATION- CRON JOB
linpeas gives us a critical result, highlighted in yellow/red: there is a cron job. The file artisan, located in /var/www/laravel, seems to run every minute. The same finding can be made with the pspy tool, which shows hidden processes and cron jobs.
Moreover, we have read, write and execute (-rwx, full) permission on the artisan file, and it is owned by us (www-data). We find this using ls -la on the file, as shown below.
If we read the artisan file, it is clearly a PHP file: it starts with <?php, and even the first line says so. Also, if you remember the linpeas result, the file was run by the php command.
All we have to do is create a file called artisan on our Kali and put a PHP reverse shell inside it, which you can get here: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Now just transfer this file to the /var/www/laravel directory on the target. Because our file now sits at the path the cron job points to, it is run automatically as the cron job every minute. Pretty straightforward, and I hope you can do it :)
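From the defender's side, the finding above comes down to one check: a scheduled job run by a privileged account executes a file that a less-privileged account can rewrite. The following is an added example, not part of this writeup or of any tool it uses: a small auditor that parses /etc/crontab-style entries and flags any regular file a job references that is owned by, or writable by, an account less privileged than the job's user (it goes beyond the single artisan case and checks every path in every job). The sample crontab line, the www-data uid of 33 and the file modes are constructed to mirror the Cronos layout and are assumptions; against a real host the defaults use os.stat and the passwd database.

```python
import os, pwd, re, stat
from typing import List, Optional

# One /etc/crontab entry: five schedule fields, the user to run as, then the command.
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
# Absolute paths inside the command (interpreter, script, redirect targets).
PATH_RE = re.compile(r"(?<![\w/.-])/[\w./-]+")

def safe_stat(path: str) -> Optional[os.stat_result]:
    try:
        return os.stat(path)
    except OSError:
        return None  # dangling path: nothing to check

def writable_by_lower_privilege(st: os.stat_result, job_uid: int) -> bool:
    """True if an account other than root or the job's own user could edit the file."""
    return st.st_uid not in (0, job_uid) or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(text: str, lookup=safe_stat, uid_of=lambda u: pwd.getpwnam(u).pw_uid) -> List[str]:
    """One finding per regular file a job references that a less-privileged user can modify."""
    findings = []
    for line in text.splitlines():
        m = CRON_RE.match(line)
        if line.lstrip().startswith("#") or not m:
            continue  # comments, blank lines and VAR=value settings
        user, cmd = m.group("user"), m.group("cmd")
        try:
            job_uid = uid_of(user)
        except KeyError:
            continue  # unknown user: cron would not run this job anyway
        for path in PATH_RE.findall(cmd):
            st = lookup(path)
            if st is None or not stat.S_ISREG(st.st_mode):
                continue  # devices such as /dev/null and directories are skipped
            if writable_by_lower_privilege(st, job_uid):
                findings.append(f"{user} job uses {path} (uid {st.st_uid}, mode "
                                f"{oct(st.st_mode & 0o777)}): writable by a lower-privileged account")
    return findings

# Constructed sample modelled on the Cronos finding: artisan owned by www-data (uid 33), job run by root.
fake = lambda mode, uid: os.stat_result((mode, 0, 0, 0, uid, 0, 0, 0, 0, 0))
SAMPLE_CRONTAB = """# constructed /etc/crontab
* * * * * root /usr/bin/php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
0 3 * * * root /usr/bin/find /tmp -mtime +7 -delete
"""
SAMPLE_FS = {"/usr/bin/php": fake(0o100755, 0), "/var/www/laravel/artisan": fake(0o100744, 33),
             "/dev/null": fake(0o020666, 0), "/usr/bin/find": fake(0o100755, 0), "/tmp": fake(0o041777, 0)}

def run_sample() -> List[str]:
    return audit_crontab(SAMPLE_CRONTAB, lookup=SAMPLE_FS.get, uid_of=lambda u: {"root": 0}[u])
```

On the sample, only /var/www/laravel/artisan is reported; /dev/null (a device) and /tmp (a directory) are skipped even though both are world-writable, and the fix is to make the job's script root-owned and not group- or world-writable.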
Make sure to follow me here for more OSCP-like writeups.
Until next time...
-ZEUS