Cronos CTF Writeup
This is a writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Cronos CTF from HackTheBox.
Cronos CTF
Cronos CTF focuses mainly on different vectors for enumeration and also emphasizes the risks associated with adding world-writable files to the root crontab.
HackTheBox
Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.
Executive Summary
Introduction
This pentest report documents the security assessment conducted on the IP address 10.10.10.13. The assessment aimed to identify vulnerabilities that could be exploited to compromise the target infrastructure.
Objective
The objective of this security assessment was to identify and exploit vulnerabilities in the Cronos CTF's infrastructure to evaluate existing security measures and provide recommendations to mitigate the identified risks.
Requirements
- Identify vulnerabilities in the web application hosted at IP address 10.10.10.13.
- Exploit critical and moderate vulnerabilities to assess potential exposure to attacks.
- Evaluate the possibility of unauthorized access to systems and data.
High-Level Summary of Found Vulnerabilities
DNS Enumeration
- Zone Transfer (Moderate): A DNS Zone Transfer attack on 10.10.10.13 (cronos.htb) allowed the retrieval of the domain's name records, widening the attack surface. To mitigate this, restrict DNS Zone Transfers to authorized IP addresses and modify the DNS server configuration (BIND) to limit Zone Transfer permissions.
Web Server Enumeration
- admin.cronos.htb - SQL Injection (High): A SQL injection vulnerability in `admin.cronos.htb` enabled the extraction of sensitive information from the database. Remediation involves implementing input validation and parameterized queries to prevent such attacks, and setting up logging to detect and respond to potential attacks in real time.
- admin.cronos.htb - Authentication Bypass (High): By using a SQL injection payload, the authentication mechanism at `admin.cronos.htb` could be bypassed, allowing login as 'admin' without a valid password. To fix this, address the SQL injection vulnerability mentioned above.
- Initial Access - Command Injection (High): After logging in as admin without a valid password (using the Authentication Bypass above), a remote attacker can inject OS commands through the Net Tool v0.1 panel. Mitigation includes patching the SQL injection vulnerabilities and implementing correct user authentication, and thoroughly validating and sanitizing user input to prevent command injection attacks.
Post Exploitation
- Database Credentials: Database user credentials were extracted from the file `config.php` after obtaining a foothold on the machine. To improve security, store credentials securely using encryption or hashing, and regularly rotate and update database credentials.
- LPE to root (Local Privilege Escalation to root): An active crontab was abused to run as the root user every minute. This crontab executed PHP on Laravel's 'artisan' file, owned by the low-privileged user `www-data`. To prevent this privilege escalation, run the crontab as `www-data` instead.
Recommendations
- Implement measures to restrict DNS Zone Transfers to authorized IP addresses and limit Zone Transfer permissions in the DNS server configuration (BIND).
- Address the SQL injection vulnerability in `admin.cronos.htb` by implementing input validation, parameterized queries, and real-time attack detection through logging.
- Correct the SQL injection vulnerability in the authentication mechanism at `admin.cronos.htb` by applying the same recommendations mentioned above.
- Thoroughly validate and sanitize user input in the Net Tool v0.1 panel to prevent command injection attacks after login.
- Enhance security for database credentials storage, including encryption or hashing, and establish a regular rotation and update process.
- Prevent local privilege escalation to root by configuring the crontab to run as the user `www-data`.
Methodology
The assessment involved service enumeration, DNS enumeration, and web server enumeration. DNS Zone Transfer attacks, SQL injection, authentication bypass, and command injection vulnerabilities were identified and exploited. Post exploitation activities included the extraction of database credentials and a local privilege escalation to root scenario through an active crontab.
Color Legend
Console color legend:
- Standard console text
- Commands entered by the pentester
- Text that we want to highlight
- {...} Abbreviated output for brevity
Risk Classification
Independent Challenge - 10.10.10.13
export IP=10.10.10.13
Service Enumeration
| IP Address | Ports Open |
|---|---|
| 10.10.10.13 | TCP: 22, 53, 80 |
DNS Enumeration
Zone Transfer
Vulnerability Explanation: Behind Security was able to execute a DNS Zone Transfer attack on 10.10.10.13 (cronos.htb), retrieving the domain's name records and widening the attack surface.
Vulnerability Fix: Restrict DNS Zone Transfers to authorized IP addresses only. Modify the DNS server configuration (BIND) to limit Zone Transfer permissions.
Severity: Elevated
Steps to Reproduce the Attack:
- Execute `dig axfr @10.10.10.13 cronos.htb`.
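The fix above in BIND terms, as an added example that is not Cronos' actual named.conf: the same zone statement with the weak setting and then with transfers limited to one authorized address (the file path and the secondary's address are placeholders).

```conf
// Weak: any client may pull the whole zone, which is what the dig axfr
// command above retrieved.
zone "cronos.htb" {
    type master;
    file "/etc/bind/db.cronos.htb";   // path assumed
    allow-transfer { any; };
};

// Corrected: refuse transfers globally, then allow only the secondary
// name server for this zone (10.10.10.14 is a placeholder address).
options {
    allow-transfer { none; };
};

zone "cronos.htb" {
    type master;
    file "/etc/bind/db.cronos.htb";   // path assumed
    allow-transfer { 10.10.10.14; };
};
```

After reloading named, repeating `dig axfr @10.10.10.13 cronos.htb` from any other host should end with "Transfer failed." instead of listing the records.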
Web Server Enumeration
Vhosts: cronos.htb, admin.cronos.htb
admin.cronos.htb
SQL Injection
Vulnerability Explanation: Behind Security discovered a SQL injection flaw that allowed the tester to extract sensitive information from the database.
Vulnerability Fix:
- Sanitize user input: Implement input validation and parameterized queries to prevent this kind of attack.
- Monitor and log: Set up logging to detect and respond to potential attacks in real time.
Severity: High
Steps to Reproduce the Attack:
- Add `admin.cronos.htb` to the `/etc/hosts` file to resolve the domain.
- Execute `sqlmap -u http://admin.cronos.htb/ --forms --batch --risk 3 --level 5` to identify and exploit the SQL injection vulnerability.
Authentication Bypass
Vulnerability Explanation: Using a SQL injection payload, Behind Security was able to bypass the authentication mechanism at `admin.cronos.htb`, logging in as 'admin' without a valid password.
Vulnerability Fix:
- Fix the SQL injection vulnerability as mentioned above.
Severity: High
Steps to Reproduce the Attack:
- Head to `admin.cronos.htb`.
- Supply `admin' or ''*'` as the username and any password.
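The SQL injection and the authentication bypass above are the same defect, so one added example covers both. This is not the Cronos admin panel's code: the table and column names (`users`, `username`, `password_hash`), the `$pdo` connection and the function names are assumed. It shows the vulnerable string-built query next to the parameterized version the fix recommends.

```php
<?php
// VULNERABLE (assumed shape of the original): user input is spliced into the
// SQL text. With the username  admin' or ''*'  the WHERE clause becomes
//   username='admin' or ''*'' and password='<anything>'
// and because AND binds tighter than OR, the admin row matches regardless of
// the password ('' * '' evaluates to 0, so the right-hand side is simply false).
function loginVulnerable(PDO $pdo, string $user, string $pass): ?array
{
    $sql = "SELECT id, username FROM users WHERE username='$user' AND password='$pass'";
    $stmt = $pdo->query($sql);
    $row = $stmt ? $stmt->fetch(PDO::FETCH_ASSOC) : false;
    return $row === false ? null : $row;
}

// HARDENED: the username travels as a bound parameter, so quotes in the input
// can never change the statement's structure, and the password is verified
// against a stored hash instead of being compared inside the query.
function loginHardened(PDO $pdo, string $user, string $pass): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        // Log the failure with the raw username hex-encoded: injection-style
        // payloads stay visible for detection, and the value cannot forge log lines.
        error_log(sprintf('login failed user=%s from=%s',
            bin2hex($user), $_SERVER['REMOTE_ADDR'] ?? '-'));
        return null;
    }
    unset($row['password_hash']);
    return $row;
}
```

Run against the hardened function, the username `admin' or ''*'` is looked up literally, finds no such row, and is written to the log, which is the "monitor and log" part of the fix.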
Initial Access - Command Injection
Vulnerability Explanation: After logging in as admin without a valid password (see Authentication Bypass above), the remote attacker can inject OS commands through the Net Tool v0.1 panel by escaping the original command with a semicolon.
Vulnerability Fix:
- Ensure that the SQL injection vulnerabilities are patched, and user authentication is correctly implemented.
- Validate and sanitize user input thoroughly to prevent command injection attacks.
Severity: High
Steps to Reproduce the Attack:
- Log in as admin without a password (to do so, provide `admin' or ''*'` and any password at `http://admin.cronos.htb/`).
- Select `ping` from the drop-down menu and supply `127.0.0.1;id`, or any command as you wish after the semicolon.
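One way to build the Net Tool feature without the command injection, as an added example that is not the panel's "Net Tool v0.1" code: the command is chosen from an allowlist, the target is validated as an IP or hostname, and every argument is escaped before a shell sees it. The function name and binary paths are assumptions.

```php
<?php
function runNetTool(string $command, string $target): string
{
    // The drop-down value is client-controlled, so it is only used as a key
    // into a fixed allowlist of argument vectors, never executed directly.
    $allowed = [
        'ping'       => ['/bin/ping', '-c', '4', '-W', '2'],
        'traceroute' => ['/usr/bin/traceroute', '-m', '15'],
    ];
    if (!isset($allowed[$command])) {
        throw new InvalidArgumentException('unknown command');
    }

    // The target must be an IP literal or a valid hostname. An input such as
    // 127.0.0.1;id fails both checks and is rejected before any shell is involved.
    $isIp   = filter_var($target, FILTER_VALIDATE_IP) !== false;
    $isName = filter_var($target, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    if (!$isIp && !$isName) {
        // Keep the rejected value hex-encoded in the log: the payload is preserved
        // for review without letting it inject newlines into the log file.
        error_log('net tool rejected target ' . bin2hex($target));
        throw new InvalidArgumentException('invalid target');
    }

    // Defence in depth: escape every argv element, so even a value that slipped
    // past validation could not append a second command.
    $argv   = array_map('escapeshellarg', array_merge($allowed[$command], [$target]));
    $output = shell_exec(implode(' ', $argv) . ' 2>&1');

    // Encode before rendering so tool output cannot inject HTML into the panel.
    return htmlspecialchars((string) $output, ENT_QUOTES, 'UTF-8');
}
```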
Post Exploitation
Database Credentials
Vulnerability Explanation: After obtaining a foothold on the machine, Behind Security was able to extract the database user credentials from the file `config.php`.
Vulnerability Fix:
- Store credentials securely using encryption or hashing.
- Regularly rotate and update database credentials.
Severity: High
Steps to Reproduce the Attack:
- Execute `cat /var/www/admin/config.php`.
LPE to root
Vulnerability Explanation: Behind Security was able to abuse an active crontab that was configured to run as the root user every minute. The crontab executes PHP on Laravel's 'artisan' file, which is owned by the low-privileged user `www-data` that we got access to previously.
Vulnerability Fix:
- Run the crontab as www-data to prevent this privilege escalation.
Severity: Extreme
Steps to Reproduce the Attack:
- Insert malicious PHP code into `/var/www/laravel/artisan` and wait until the cron job runs it to gain privileged command execution. Example: `exec('chmod +s /bin/bash');` and then `/bin/bash -p`.
Conclusion
We hope you have found our content on Cronos CTF useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon!