Cronos

Recon

nmap_scan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned ports so fast, even my computer was surprised.

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.227.211:22
Open 10.129.227.211:53
Open 10.129.227.211:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.227.211
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-26 21:25 UTC
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:25
Completed Parallel DNS resolution of 1 host. at 21:25, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 21:25
Scanning 10.129.227.211 [3 ports]
Discovered open port 53/tcp on 10.129.227.211
Discovered open port 80/tcp on 10.129.227.211
Discovered open port 22/tcp on 10.129.227.211
Completed Connect Scan at 21:25, 0.07s elapsed (3 total ports)
Initiating Service scan at 21:25
Scanning 3 services on 10.129.227.211
Completed Service scan at 21:25, 6.21s elapsed (3 services on 1 host)
NSE: Script scanning 10.129.227.211.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 8.41s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.32s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
Nmap scan report for 10.129.227.211
Host is up, received user-set (0.072s latency).
Scanned at 2024-11-26 21:25:38 UTC for 15s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkOUbDfxsLPWvII72vC7hU4sfLkKVEqyHRpvPWV2+5s2S4kH0rS25C/R+pyGIKHF9LGWTqTChmTbcRJLZE4cJCCOEoIyoeXUZWMYJCqV8crflHiVG7Zx3wdUJ4yb54G6NlS4CQFwChHEH9xHlqsJhkpkYEnmKc+CvMzCbn6CZn9KayOuHPy5NEqTRIHObjIEhbrz2ho8+bKP43fJpWFEx0bAzFFGzU0fMEt8Mj5j71JEpSws4GEgMycq4lQMuw8g6Acf4AqvGC5zqpf2VRID0BDi3gdD1vvX2d67QzHJTPA5wgCk/KzoIAovEwGqjIvWnTzXLL8TilZI6/PV8wPHzn
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWsTNMJT9n5sJr5U1iP8dcbkBrDMs4yp7RRAvuu10E6FmORRY/qrokZVNagS1SA9mC6eaxkgW6NBgBEggm3kfQ=
|   256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHBIQsAL/XR/HGmUzGZgRJe/1lQvrFWnODXvxQ1Dc+Zx
53/tcp open  domain  syn-ack ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.41 seconds

DNS

└─$ dig ANY 10.129.227.211 @10.129.227.211
;; communications error to 10.129.227.211#53: timed out
;; communications error to 10.129.227.211#53: timed out
;; communications error to 10.129.227.211#53: timed out

; <<>> DiG 9.19.21-1-Debian <<>> ANY 10.129.227.211 @10.129.227.211
;; global options: +cmd
;; no servers could be reached

└─$ dig -x 10.129.227.211 @10.129.227.211

; <<>> DiG 9.19.21-1-Debian <<>> -x 10.129.227.211 @10.129.227.211
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24675
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;211.227.129.10.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
211.227.129.10.in-addr.arpa. 604800 IN  PTR     ns1.cronos.htb.

;; AUTHORITY SECTION:
129.10.in-addr.arpa.    604800  IN      NS      ns1.cronos.htb.

;; ADDITIONAL SECTION:
ns1.cronos.htb.         604800  IN      A       10.10.10.13

;; Query time: 72 msec
;; SERVER: 10.129.227.211#53(10.129.227.211) (UDP)
;; WHEN: Tue Nov 26 16:26:16 EST 2024
;; MSG SIZE  rcvd: 114

└─$ dig ANY cronos.htb @10.129.227.211

; <<>> DiG 9.19.21-1-Debian <<>> ANY cronos.htb @10.129.227.211
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36564
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cronos.htb.                    IN      ANY

;; ANSWER SECTION:
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13

;; ADDITIONAL SECTION:
ns1.cronos.htb.         604800  IN      A       10.10.10.13

;; Query time: 76 msec
;; SERVER: 10.129.227.211#53(10.129.227.211) (TCP)
;; WHEN: Tue Nov 26 16:31:32 EST 2024
;; MSG SIZE  rcvd: 131

HTTP (80)

Writeup.png

Directory enumeration returns nothing

Subdomain enumeration shows other subdomains

SQLi

Writeup-1.png

Using basic SQLi, we are able to log in (anything works for the password).

Writeup-2.png

This looked like command injection, so we try a basic payload, and it succeeds.

Command Injection

Writeup-3.png

Get reverse shell:

https://md5hashing.net/hash/md5/4f5fffa7b2340178a716e3832451e058

Creds: admin:1327663704
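
The login bypass under SQLi and the MD5 hash resolved through a lookup site above both come down to how credentials are checked. The sketch below is an added example, not code from the target application: it puts a concatenated query with an unsalted MD5 comparison next to a parameterized lookup with a salted PBKDF2 check. The schema, the sqlite3 backend, the function names and all data are assumptions, as is the premise that the MD5 value is a stored password hash.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor, an assumed setting

def slow_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_db(password):
    """In-memory stand-in for the user table; schema and data are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, md5 TEXT, salt BLOB, pbkdf2 BLOB)")
    salt = os.urandom(16)
    md5 = hashlib.md5(password.encode()).hexdigest()
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("admin", md5, salt, slow_hash(password, salt)))
    return db

def login_vulnerable(db, username, password):
    # The 'before': input is pasted into the SQL text, so a quote in the username
    # changes the statement's structure and the password comparison never runs.
    md5 = hashlib.md5(password.encode()).hexdigest()
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND md5 = '{md5}'"
    return db.execute(sql).fetchone() is not None

def login_hardened(db, username, password):
    # Placeholder binding keeps the username as data. The password is checked in
    # application code against a salted, slow hash using a constant-time compare.
    row = db.execute("SELECT salt, pbkdf2 FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(slow_hash(password, row[0]), row[1])

# Constructed input: a username that ends the string literal and comments out the rest.
TAMPERED_USERNAME = "admin' -- "

if __name__ == "__main__":
    db = make_db("constructed-password")
    for check in (login_vulnerable, login_hardened):
        print(check.__name__, check(db, TAMPERED_USERNAME, "anything"))
```

A per-user salt and a slow hash also mean the stored value cannot be resolved through a precomputed lookup table, which is how the MD5 value above was recovered.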

There are only 3 users with shell access.

SSH doesn't work with the credentials.

Cronjob

There seems to be a Laravel cronjob running as root every minute.
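
A root cron job that executes application code is only as trustworthy as the permissions on the files it runs. The audit below is an added example, not part of the original writeup: it parses /etc/crontab-style lines and reports root jobs whose referenced files or containing directories can be modified by an account outside a trusted set. The sample crontab, its paths and the function names are constructed assumptions.

```python
import os
import shlex
import stat

# Constructed sample in /etc/crontab format: five time fields, user, command.
# Paths are hypothetical and not taken from the host in this writeup.
SAMPLE_CRONTAB = """\
* * * * * root php /srv/app/artisan schedule:run >> /dev/null 2>&1
17 * * * * root /usr/local/bin/rotate.sh
*/5 * * * * www-data /srv/app/cleanup.sh
"""

def root_job_paths(crontab_text):
    """Yield (command, path) for each absolute path in a job that runs as root."""
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or fields[5] != "root":
            continue  # comment, env assignment, malformed line, or non-root job
        for token in shlex.split(fields[6]):
            if token.startswith("/") and not token.startswith("/dev/"):
                yield fields[6], token

def writable_by_untrusted(path, trusted_uids=frozenset({0})):
    """True if an account outside trusted_uids can change the file or its directory."""
    for target in (path, os.path.dirname(path)):
        try:
            st = os.stat(target)
        except FileNotFoundError:
            continue  # a missing file is governed by its directory's permissions
        # Conservative: any group/other write bit counts, whatever the group is.
        if st.st_uid not in trusted_uids or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return True
    return False

def audit(crontab_text, trusted_uids=frozenset({0}), root_dir=""):
    """Return sorted (path, command) findings; root_dir re-bases paths for offline use."""
    findings = set()
    for command, path in root_job_paths(crontab_text):
        if writable_by_untrusted(root_dir + path, trusted_uids):
            findings.add((path, command))
    return sorted(findings)

if __name__ == "__main__":
    for path, command in audit(SAMPLE_CRONTAB):
        print(f"root job '{command}' depends on {path}, which a non-root account can modify")
```

Pass the contents of /etc/crontab and the files under /etc/cron.d to audit() on a live host, or set root_dir to a mounted image for offline review.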

Method 1

Method 2

Follow the docs: https://laravel.com/docs/11.x/scheduling#defining-schedules

Needed code can be reduced to

Because I'm on a simple netcat shell, I think using an editor may crash it and kill the shell altogether, so I'll just use base64 to transfer the code.

Flags
