Thursday, March 21, 2019

Cronos


CRONOS 

- Layout for this exercise:




1 - INTRODUCTION

-  The goal of this exercise is to develop a hacking process for the vulnerable machine CronOS, what is a retired machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu



2 - ENUMERATION

CronOS' IP is 10.10.10.13:




- Scanning with Nmap there are 3 open ports 22, 53 and 80:




- Scanning deeper:





- Transferring DNS zone with dig:




- Adding cronos.htb and admin.cronos.htb to /etc/hosts:




- Connecting with the browser to cronos.htb





- For 
admin.cronos.htb there is a login form:




3 - EXPLOITATION

- Trying a very simple SQL injection the attack is successful:




- After authentication with the SQL injection we find a Net Tool application to perform networking commands:





- For instance let's try ping, pwd, id, ls -la, cat /etc/passwd, cat config.php:























- The last screenshot shows credentials for database admin, however we were not successful when trying to connect to the database, so it is a dead end vector attack.


 - Msfconsole provides the module web_delivery to get a remote Meterpreter session:










- Setting options:




- Now the exploit is ready to be run:




- Executing the exploit a PHP command is provided to be run on the target machine:




- Copying and pasting the command at the Net Tool application:




- After clicking Execute! a successful Meterpreter session is achieved at Kali:







4 - READING THE 1st FLAG

- Reading user.txt:





5 - PRIVILEGE ESCALATION

- Checking the existence of any crontab job we find artisan:




- Reading artisan:




- Downloading artisan to Kali:







- Copying to a local folder the webshell php-reverse-shell.php:



- Adapting the webshell to our needs:






- Copying content of the webshell to artisan:




- Now, setting a Netcat listening session at port 5555:




- Uploading artisan (the new modified file) from Kali to Cronos:




- After a while (the moment the crontab task is performed) a remote root shell is achieved:





6 - READING THE 2nd FLAG

- Reading root.txt: