
Published on: Jan 18, 2021

Overview

In this machine we take advantage of heavy enumeration that leads us to a command injection vulnerability, which we turn into a reverse shell. Overall it was a pretty fun box and I learned a lot. As always (well, mostly always), we're tackling this machine without Metasploit.

Enumeration

We can assign the IP address to an environment variable, making it easier to reuse later.

IP=10.10.10.13

We begin enumeration with a full-port nmap scan. The -A option already enables version detection, so -sV is redundant here, but harmless.

nmap -sV -A -p- -T4 -Pn $IP --max-retries=1 -oA nmap

From the nmap scan we can see the following ports are open:

  • 22 - ssh
  • 53 - domain
  • 80 - http

cronos nmap

Webpage

We start by navigating to the webpage on port 80, and are met with an Apache2 default page that doesn't really get us anywhere. A gobuster scan for other pages yields no results either, so let's keep it moving.

apache webpage

DNS Enumeration

With port 53 open, we can potentially pull some DNS information from the target itself. We use the dig command for this, asking the target's own name server for the reverse (PTR) record of its IP address.

dig -x 10.10.10.13 @10.10.10.13

The dig result reveals the cronos.htb domain.

dig results

By editing the /etc/hosts file, we can map that domain to the target's IP address so our browser can resolve it. Note: separate the IP from the hostname with a tab (spaces also work).

etc hosts

Cronos Webpage

Now we can navigate to cronos.htb in our browser and voilà ✨, there's our page. It's very simple, so we click through all of the links and find nothing of importance that will get us a foothold.

cronos webpage

Subdomain Enumeration

Another gobuster scan against the cronos.htb page didn't give us anything that we didn't already have. So, the next thing to try is to check whether there are subdomains we can reach. We use the host command, another DNS lookup tool, which queries the target's name server and gives us more information about the domain, including the other hostnames it serves (looking back, we probably could've just used this the first time too).

We can add all of these to our hosts file as well, on the same line as cronos.htb, separated by single spaces.

10.10.10.13     cronos.htb admin.cronos.htb ns1.cronos.htb www.cronos.htb

cronos subdomains
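Turning DNS output into that hosts line by hand gets tedious on boxes with more records. The following is an added example (my own code, not part of the original write-up) that does it programmatically. It assumes the subdomains came from a zone transfer of the form host -l cronos.htb 10.10.10.13; the write-up does not name the exact host invocation, so that is an assumption, and the sample output below is constructed to mimic what such a transfer prints rather than captured from the box.

```python
import re

# Constructed sample (not captured from the box) of what a successful
# zone transfer with `host -l cronos.htb 10.10.10.13` prints.
SAMPLE_OUTPUT = """\
Using domain server:
Name: 10.10.10.13
Address: 10.10.10.13#53
Aliases:

cronos.htb name server ns1.cronos.htb.
cronos.htb has address 10.10.10.13
admin.cronos.htb has address 10.10.10.13
ns1.cronos.htb has address 10.10.10.13
www.cronos.htb has address 10.10.10.13
"""

# One record per line: <owner> <relation> <target>. Only these relations
# are parsed; header lines and anything else are ignored.
RECORD_RE = re.compile(
    r"^(\S+)\s+(has address|has IPv6 address|name server|is an alias for|"
    r"mail is handled by \d+)\s+(\S+)\s*$",
    re.M,
)


def hostnames_in_zone(text, zone):
    """Collect every name under `zone` that appears as a record owner or
    target (NS/CNAME/MX targets included), deduplicated, first-seen order."""
    names = []
    for m in RECORD_RE.finditer(text):
        for cand in (m.group(1), m.group(3)):
            cand = cand.rstrip(".").lower()
            in_zone = cand == zone or cand.endswith("." + zone)
            if in_zone and cand not in names:
                names.append(cand)
    return names


def hosts_line(ip, names):
    """Single /etc/hosts entry: IP, a tab, then space-separated hostnames."""
    return ip + "\t" + " ".join(names)


if __name__ == "__main__":
    found = hostnames_in_zone(SAMPLE_OUTPUT, "cronos.htb")
    print(hosts_line("10.10.10.13", found))
```

Pipe real host -l output into hostnames_in_zone and append the returned line to /etc/hosts. Collecting NS and CNAME targets as well as A-record owners matters because a name server or alias that only appears on the right-hand side of a record is still a host worth visiting.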

We navigate to each of these subdomains; admin.cronos.htb gives us a login page, which we will try to bypass.

Exploit

When I see a login page, the first things I think of are brute force, SQLi, and XSS. Since brute forcing takes the longest, we'll go ahead and fire up Burp Intruder with a list of common admin usernames (including the name of the box) and a common-passwords wordlist.

While that runs, I take a stab at SQLi. One of the most common injections is admin' or 1=1 -- - . The single quote closes the string literal the username is placed in, or 1=1 makes the WHERE clause always true, and -- - comments out the rest of the query, including the password check the backend relies on for authentication.

This gets us in successfully and we see the Net Tool v0.1 page, which lets us run ping and traceroute commands against a host we supply.

net tool

If we append an & followed by another command to the ping target, that command runs too: the backend is handing our input to a shell, and & ends the ping command and starts a new one. We test this with & ls -al and see that it works! Time to get malicious.

command injection
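The following is an added example (my own, not the Net Tool's PHP, which is not reproduced here) of the same class of bug and its fix: a ping helper that concatenates the user's host into a shell string, beside one that validates the host and passes argv directly to the kernel. echo stands in for ping so the demo runs offline, but the shell sees exactly the same metacharacters as in the real injection.

```python
import ipaddress
import subprocess


def vulnerable_run(host):
    """Stand-in for the Net Tool's ping handler (constructed): the
    user-controlled host is concatenated into a shell command string, so
    `10.10.14.2 & ls -al` makes the shell run ls as a second command."""
    cmd = "echo ping -c 1 " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def safe_run(host):
    """Hardened version: reject anything that is not a literal IP address,
    then pass an argv list with no shell in the way, so even a value that
    slipped past validation could not be interpreted as shell syntax."""
    try:
        target = str(ipaddress.ip_address(host))
    except ValueError:
        raise ValueError("host must be a literal IP address, got %r" % (host,))
    argv = ["echo", "ping", "-c", "1", target]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    injected = "10.10.14.2 & echo INJECTED"
    print("vulnerable output:\n" + vulnerable_run(injected))
    try:
        safe_run(injected)
    except ValueError as exc:
        print("safe version refused:", exc)
    print("safe output:", safe_run("10.10.14.2").strip())
```

Restricting the target to a literal IP is a deliberate choice for this demo; if hostnames must be allowed, validate them against a strict character set and still avoid shell=True.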

We use this to get a PHP reverse shell onto the target: we host the file on a web server on our attacking machine and inject a command that fetches it. We also start a netcat listener on our attacking machine to catch the connection once the reverse shell executes.

If you need help with this, check out my writeup on the Bashed box.

command shell

Privilege Escalation

Usually, we start by running sudo -l, but that doesn't work here. Instead, we download Linux Smart Enumeration (lse.sh) to our attacking machine, serve it over HTTP, and use wget on the target to pull it into the /tmp/ directory.

After bringing over the lse.sh file, run chmod +x lse.sh on the target machine, then ./lse.sh to get it up and running!

What LSE does for us is enumerate the system for misconfigurations and vulnerabilities we can use to escalate our privileges... or that you should fix if you're on the other end.

lse scan

We find a cron job that runs as root every minute, as shown by the * * * * * schedule. The command it runs is php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1. Let's break it down:

  • php /var/www/laravel/artisan - artisan is Laravel's command-line entry point, a PHP script that cron runs with the php interpreter
  • schedule:run - the artisan subcommand that executes Laravel's scheduled tasks; it is designed to be invoked by cron every minute
  • >> /dev/null 2>&1 - appends standard output to /dev/null and sends standard error to the same place, so the job runs silently

Since the job runs as root, whatever is in /var/www/laravel/artisan executes as root. As long as our user can write to that file (check with ls -l), we upload a PHP reverse shell to the target machine and copy it into place as "artisan", so that the next run of the cron job executes our reverse shell as root.
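This is essentially the check LSE performed for us: a root-owned cron entry whose target script a low-privilege user can modify. The following is an added example (my own code, not LSE's and not from the write-up) that parses system crontab lines, works out which file actually executes, and flags entries a given uid/gid could hijack. File ownership and permissions are supplied as a constructed mapping instead of calling os.stat so the example runs offline; the artisan entry and its www-data ownership are constructed to match the situation described above, and the uid 33 for www-data is the Ubuntu default.

```python
import shlex
import stat
from dataclasses import dataclass

# Interpreters whose first argument is the script that really runs.
INTERPRETERS = {"php", "python", "python2", "python3", "perl", "ruby", "sh", "bash"}


@dataclass
class FileInfo:
    """Owner and permission bits of a path (constructed; stands in for
    os.stat so the example runs offline)."""
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o644


def parse_system_crontab(line):
    """Parse one /etc/crontab or /etc/cron.d line: five schedule fields,
    the user to run as, then the command. Returns None for blanks,
    comments and variable assignments (@reboot-style shortcuts are not
    handled)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
        return None
    parts = stripped.split(None, 6)
    if len(parts) < 7:
        return None
    return " ".join(parts[:5]), parts[5], parts[6]


def target_script(command):
    """The file whose contents actually execute: the command word, or, for
    `php script.php ...`, the script handed to the interpreter. Redirections
    such as `>> /dev/null 2>&1` are trailing tokens and are ignored."""
    argv = shlex.split(command)
    if not argv:
        return None
    if argv[0].rsplit("/", 1)[-1] in INTERPRETERS and len(argv) > 1:
        return argv[1]
    return argv[0]


def writable_by(info, uid, gid):
    """Classic owner/group/other write check for a process running as
    uid/gid (POSIX ACLs are not considered)."""
    if uid == 0:
        return True
    if info.uid == uid:
        return bool(info.mode & stat.S_IWUSR)
    if info.gid == gid:
        return bool(info.mode & stat.S_IWGRP)
    return bool(info.mode & stat.S_IWOTH)


def find_hijackable(crontab_lines, files, uid, gid):
    """Root-run cron entries whose target script the given user can modify:
    each one is root code execution within one schedule interval."""
    hits = []
    for line in crontab_lines:
        parsed = parse_system_crontab(line)
        if parsed is None:
            continue
        schedule, run_as, command = parsed
        target = target_script(command)
        info = files.get(target)
        if run_as == "root" and info is not None and writable_by(info, uid, gid):
            hits.append((schedule, target, command))
    return hits


# Constructed crontab: the entry reported on Cronos plus Ubuntu's default
# hourly line for contrast.
CRONTAB = [
    "SHELL=/bin/sh",
    "# m h dom mon dow user  command",
    "17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly",
    "* * * * *\troot\tphp /var/www/laravel/artisan schedule:run >> /dev/null 2>&1",
]

# Constructed metadata: artisan owned and writable by www-data (uid 33),
# which is the condition that makes the hijack possible.
FILES = {
    "/var/www/laravel/artisan": FileInfo(uid=33, gid=33, mode=0o644),
    "/etc/cron.hourly": FileInfo(uid=0, gid=0, mode=0o755),
}

if __name__ == "__main__":
    for schedule, target, command in find_hijackable(CRONTAB, FILES, uid=33, gid=33):
        print("hijackable: [%s] %s  <- %s" % (schedule, target, command))
```

On a real box you would feed it /etc/crontab and the files in /etc/cron.d, build the FileInfo map from os.stat, and pass os.getuid()/os.getgid(). The defender's fix is the mirror image: scheduled scripts executed by root must be owned by root and not writable by the service account.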

Lastly, we set up another netcat listener on the attacking machine and wait up to a minute for the job to fire.

lse scan

We're in ✅