✅ Cronos (Medium)

Lessons Learned

Penetration Test Report

Vulnerabilities Exploited: SQL Injection and Command Injection

System Vulnerable: 10.10.10.13

Vulnerability Explanation: The web application is vulnerable to SQL injection, which allows us to bypass authentication. Once inside the application, we find a command injection flaw that gives us an initial foothold.

Privilege Escalation Vulnerability: Crontab misconfiguration (a scheduled script that we can write to)

Vulnerability Fix: Sanitize User Input

Severity: Critical

Steps to Compromise the Host:

Reconnaissance

Enumeration

Port 80 Apache/2.4.18 (Ubuntu)

Browsing to port 80 only shows the default Apache page. This looks like a misconfiguration: the server does not know which virtual host the bare IP address should map to, so it falls back to the Apache default page.

Port 53 DNS

Let's enumerate DNS with nslookup against 10.10.10.13. This gives us the domain ns1.cronos.htb, which we add to /etc/hosts.

Whenever we see DNS running on TCP, we should try a zone transfer. Let's request one to get a list of all hosts in the cronos.htb domain; host or dig both work for this. The transfer reveals two more subdomains, www and admin.

Alternatively, we can brute-force subdomains with gobuster, which finds the same two.

Let's add the two extra subdomains to /etc/hosts and browse to each hostname: www.cronos.htb, admin.cronos.htb and cronos.htb.

Exploitation

The first thing that comes to mind when I see a login page is SQL injection to bypass authentication. Let's start Burp and test the default credentials admin/admin and admin/password first, but they don't work.

Send the login request to Intruder to test SQL injection payloads from a list.

As we can see, the responses have two status codes, 200 and 302. A 302 means a redirect; checking the response content, it actually redirects to the welcome.php page.

Let's inject the SQL payload manually on the login page: username field ' or 1=1-- - and anything in the password field.

We have bypassed authentication and are logged in. The page offers two options, traceroute and ping. Let's try command injection.

Command Injection

It looks vulnerable to command injection, because the response contains both the ping output and the user id.

By intercepting the traffic, we can see there are two fields into which we can inject a command.

Let's start a netcat listener on port 4444 and inject a reverse-shell payload into the command. I executed the script below, but it didn't work.

I checked bash's help output; we can use the -c option to execute a command string.

Then I tried executing it with the -c option, and it works now.

Next, upgrade the shell to a fully interactive TTY (so tab completion works).
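The two web-application bugs above (the quote-and-comment login bypass and the unsanitised host argument of the ping/traceroute page), as an added example that is not code from the box or from the original writeup: a string-built login query beside its parameterised fix, and an allow-list validator for the host field. The users table, the credentials and the function names are constructed for the demo.

```python
import re
import sqlite3
from ipaddress import ip_address

def make_db():
    # Constructed in-memory user table standing in for the real one (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return db

def login_vulnerable(db, username, password):
    # String-built query: a quote in the username closes the literal and
    # "-- -" comments out the password check, so any password is accepted.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None

def login_fixed(db, username, password):
    # Parameterised query: input is bound as data and never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

# Hostname grammar (RFC 1123 labels); anything else, including shell
# metacharacters such as ';' or '|', fails the match.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def is_valid_target(host):
    # Allow-list check for the ping/traceroute field: an IP address or a
    # well-formed hostname is accepted, everything else is rejected.
    try:
        ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))

def build_ping_argv(host):
    # Hardened form of the ping handler: the validated host is passed as a
    # single argv element to subprocess.run(...) with no shell involved.
    if not is_valid_target(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "1", host]
```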

Privilege Escalation

Scheduled PHP script (artisan)

First of all, I always run sudo -l, but it doesn't help this time. I found a crontab entry that runs a script on a schedule.

Checking the file permissions, it looks like we have write access. So there are two ways to go: either modify the script and inject a reverse shell into it, or copy a PHP reverse shell over the existing file, saving it as artisan.

Let's inject our PHP reverse shell into the existing artisan file.

Start a netcat listener on port 1234 and wait a while; when the cron job fires, our reverse shell pops up.
