Hacking CronOS (htb)

 As usual, we start with an nmap scan - in this case, we find ports 22, 53 and 80 open.

 

 

Seeing port 53 over tcp is interesting since port 53 over udp is used to make dns inquiries. dns uses tcp port 53 for zone transfers and it is always useful to enumerate dns to widen attack surfaces - for example find subdomains to attack.



Before attempting a zone transfer, I thought I would have a go at manually enumerating dns with the intention of trying to find interesting subdomains.


I started by trying a reverse dns lookup using the dig tool. When it comes to dns records, some will have a ptr record which is where the reverse dns request looks. The ptr record just maps an ipv4 address to a domain name so we can find the domain name by specifying the ipv4 address. This is the opposite of how dns requests are usually made - usually a domain is specified and the ipv4 address is returned from the a record.


In the dig command seen in the picture below, the @ symbol lets us specify the ip address of the dns server we want to use - in this case it is the targeted box itself - whilst the -x flag indicates that we want to run a reverse lookup for the specified ip address.




The next step was to use a shell script to brute-force subdomains for the cronos.htb domain. I managed to find www.cronos.htb and admin.cronos.htb in addition to the already discovered ns1.cronos.htb




I wanted to have a look at the admin.cronos.htb subdomain so I terminated my brute-force and quickly tried a zone transfer to see if I had missed anything, but this only showed what I had already discovered using manual techniques.




Okay - time to have a look at that admin.cronos.htb subdomain!




It was time to fire up burpsuite to have a go at getting access via this login page. I started by trying a simple sqli authentication bypass payload in the password field - this didn't work so I tried it on the username field and found success.




The /welcome page shows a tool which appears to execute commands on the system - command injection seemed a very likely next step.





The simple trick of using ; followed by a system command worked and it was now just a matter of finding the right reverse shell to use. I tried a couple which didn't work, but eventually found one that did - it can be found @ pentestmonkey under the netcat ones.




This worked and I then just upgraded my shell...






Whilst enumerating user information, I found one new non-service user called noulis Oddly, we can access their home folder and read the user.txt flag without having to perform any lateral movement.






The priv esc on this machine is strongly hinted at in its title. I decided to start by enumerating the cronjobs.

Linux implements task scheduling via a utility called cron. This is used by administrators to automate repetitive tasks such as backing up directories on a specified schedule.

Cron can run applications, scripts and other commands. These cron jobs can be configured to run on varying time schedules using the cron utility.

There is a file called crontab - this is a configuration file which is used by the cron utility to store and track the established cron jobs. We can access this in various ways. When I had a look at the crontab on the cronos machine, I saw an interesting cronjob running as root...




There are various ways to exploit misconfigured cronjobs - the way we use will depend on the context of the system we have compromised.

On this box, we need to overwrite the file which is being executed under root privileges by the cronjob just discovered. This file is found @ /var/www/laravel/artisan - it is a php script.

The way we know that we can overwrite it to elevate our privileges is by looking at the file's permissions - we see that the www-data user can write to it!





This is a serious misconfiguration - somebody has set a file which can be written to by a low privileged user to execute under root permissions via the cron utility.

The php reverse shell script which I used to overwrite the original file can be found @ php reverse shell

I copied the raw version into a .txt file on my attacking machine and then transferred it to the /tmp directory on the victim machine via a python http simple server.

Once the malicious file was on the victim machine, I made it executable using chmod




It was now the simple matter of overwriting the original file which was being executed every minute as a cronjob with the malicious php reverse shell and then opening a new netcat listener on my attacking box using port 4445




With the box now pwned, I thought I would use a cronjob to set up persistence on the machine. This is useful just in case something happens to mess up our original way to compromise a machine.




One more thing I wanted to check was whether I could find the original vulnerable cronjob without looking at the crontab This is because the crontab does not always show us all of the running cronjobs - we might not see cronjobs running as different users to the one which we have compromised the machine with.

A useful utility to do this is pspy

This tool lets us see running processes and it will show us cronjobs which are running as different users.

The static binaries are good, but if they are too big we can try the small versions which have an s at the end of their names.

Once I had transferred the pspy64 binary to the victim machine and made it executable using chmod I executed it and then watched the processes. It became clear that two cronjobs were running - this is because they appeared every minute.

Of course, these cronjobs were the original one and the one I set up for priv esc.

The good thing is they could be seen even though I was on the machine as www-data and they were set up under the root user.




I enjoyed hacking the CronOS box as it gave me a good opportunity to practice enumerating a linux machine and exploit a cronjob file overwrite vulnerability.

Thanks for reading my writeup of it - I hope it was of some use!

And thanks to ch4p for creating it!


puzz00




 

 

Popular posts from this blog

Hacking Year of the Owl (thm)

Image
NOTE: I am currently migrating my writeups and cybersecurity notes to  my github This writeup can be found in a new and shiny form at puzz00 year of the owl writeup  --- The Year of the Owl is a machine by MuirlandOracle on tryhackme   We start by using nmap to scan the TCP ports. The results show us that this appears to be a windows machine because we see netbios on port 139, SMB on 445 and winrm on its default port of 5985. We take a closer look but don't find much of interest. Since SMB is running, we can try a null session attack, but this does not work. We cannot connect using rpcclient without valid creds, either. Web app enumeration does not reveal anything of interest, so I have not included it in this post. We need to find another way to enumerate usernames and potential passwords. We can try common UDP ports using nmap. The results come back in the open|filtered state which is not very useful. We do not know if the ports are open or if the UDP datagrams are bei...
Read more

Hacking Reset (thm)

Image
  NOTE: I am currently migrating my writeups and notes regarding hacking aka pentesting to  my github - my reset writeup can be found here     Reset is a fun active directory based box on thm   We start with an nmap scan which shows us that the target machine is probably a domain controller as it has port 88 open. Domain controllers typically have this port open since they are involved in kerberos based authentication. We also find some useful data regarding the domain and machine we are attacking. In addition, we find port 5985 is open - this is of interest as it is a port which is used by winrm which in turn is a service which could potentially give us a remote session on the target machine if we find valid credentials.    Since smb is being used, we start our enumeration of the haystack machine by taking a look at it - can we get a null session and thereby enumerate useful data? We find that we can. The IPC$ share has read access to non-authentica...
Read more

Simple CTF (tryhackme)

Image
  I started with a quick SYN scan of all ports on the target machine. The -T4 flag speeds up the scan from the default -T3 and the -p- flag specifies all ports to be scanned. As can be seen from the results, ports 21, 80 and 2222 had services listening on them. It was now time to take a closer look at those three ports, so I used the -A flag with nmap to find out more. The anonymous login allowed using FTP on port 21 seemed interesting, so I connected to it in passive mode using the username anonymous and no password ftp -p 10.10.179.144 The connection was successful, but I could not get any listing of the directories or files using ls so I turned my attention to port 80 by navigating to the home page in my browser. I was greeted with a default Apache "It Works!" page. I then checked the robots.txt file and fired up a directory buster. I used gobuster as it is fast, but dirb, dirbuster or a home-grown one would also do. The /simple directory stood out as interesting, so I na...
Read more