Cronos CTF Writeup

Cronos CTF Writeup

This is a writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Cronos CTF from HackTheBox.

cronos ctf icon

Cronos CTF

Cronos CTF focuses mainly on different vectors for enumeration and also emphasizes the risks associated with adding world-writable files to the root crontab.

HackTheBox Logo

HackTheBox

Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.

Executive Summary

Introduction

This Pentest report documents the security assessment conducted on the IP address 10.10.10.13. The assessment aimed to identify vulnerabilities that could be exploited to compromise the security of the target infrastructure.

Objective

The objective of this security assessment was to identify and exploit vulnerabilities in the Cronos CTF's infrastructure to evaluate existing security measures and provide recommendations to mitigate the identified risks.

Requirements

  • Identify vulnerabilities in the web application hosted at IP address 10.10.10.13.
  • Exploit critical and moderate vulnerabilities to assess potential exposure to attacks.
  • Evaluate the possibility of unauthorized access to systems and data.

High-Level Summary of Found Vulnerabilities

DNS Enumeration

  1. Zone Transfer (Moderate): A DNS Zone Transfer attack on 10.10.10.13 (cronos.htb) allowed the retrieval of domain name information, potentially spreading the attack vector. To mitigate this, restrict DNS Zone Transfers to authorized IP addresses and modify the DNS server configuration (BIND) to limit Zone Transfer permissions.

Web Server Enumeration

  1. admin.cronos.htb - SQL Injection (High): A SQL injection vulnerability in admin.cronos.htb enabled the extraction of sensitive information from the database. Remediation involves implementing input validation and parameterized queries to prevent such attacks and setting up logging to detect and respond to potential attacks in real-time.

  2. admin.cronos.htb - Authentication Bypass (High): By using a SQL injection payload, the authentication mechanism at admin.cronos.htb could be bypassed, allowing login as 'admin' without a valid password. To fix this, address the SQL injection vulnerability mentioned above.

  3. Initial Access - Command Injection (High): After logging in as admin without a valid password (using the Authentication Bypass above), a remote attacker can inject OS commands through the Net Tool v0.1 panel. Mitigation includes patching SQL injection vulnerabilities and implementing correct user authentication. Thoroughly validate and sanitize user input to prevent command injection attacks.

Post Exploitation

  1. Database Credentials: Database user credentials were extracted from the file config.php after obtaining a foothold on the machine. To improve security, store credentials securely using encryption or hashing, and regularly rotate and update database credentials.

  2. LPE to root (Local Privilege Escalation to root): An active crontab was abused to run as the root user every minute. This crontab executed PHP on Laravel's 'artisan' file, owned by the low-privileged user www-data. To prevent this privilege escalation, run the crontab as www-data instead.

Recommendations

  1. Implement measures to restrict DNS Zone Transfers to authorized IP addresses and limit Zone Transfer permissions in the DNS server configuration (BIND).
  2. Address the SQL injection vulnerability in admin.cronos.htb by implementing input validation, parameterized queries, and real-time attack detection through logging.
  3. Correct the SQL injection vulnerability in the authentication mechanism at admin.cronos.htb by applying the same recommendations mentioned above.
  4. Thoroughly validate and sanitize user input in the Net Tool v0.1 panel to prevent command injection attacks after login.
  5. Enhance security for database credentials storage, including encryption or hashing, and establish a regular rotation and update process.
  6. Prevent local privilege escalation to root by configuring the crontab to run as the user www-data.

Methodology

The assessment involved service enumeration, DNS enumeration, and web server enumeration. DNS Zone Transfer attacks, SQL injection, authentication bypass, and command injection vulnerabilities were identified and exploited. Post exploitation activities included the extraction of database credentials and a local privilege escalation to root scenario through an active crontab.


Color Legend

Console color legend:

Standard console text
Commands inputted by the pentester
Text that we want to highlight
{...} Abbreviated output for brevity

Risk Classification

Risk Classification from http://www.pentest-standard.org

Independent Challenge - 10.10.10.13

export IP=10.10.10.13

Service Enumeration

IP AddressPorts Open
10.10.10.13TCP: 22, 53, 80
nmap scan

DNS Enumeration

Zone Transfer

Vulnerability Explanation: Behind Security was able to execute a DNS Zone Transfer attack on 10.10.10.13 (cronos.htb), retrieving information on domain names and spreading the attack vector.

Vulnerability Fix: Restrict DNS Zone Transfers to authorized IP addresses only. Modify the DNS server configuration (BIND) to limit Zone Transfer permissions.

Severity: Elevated

Steps to Reproduce the Attack:

  1. Execute dig axfr @10.10.10.13 cronos.htb.
DNS zone transfer

Web Server Enumeration

Vhost: cronos.htb, admin.cronos.htb

admin.cronos.htb

SQL Injection

Vulnerability Explanation: Behind Security discovered a SQL injection flaw that allowed the tester to extract sensitive information from the database.

Vulnerability Fix:

  1. Sanitize user input: Implement input validation and parameterized queries to prevent this kind of attacks.
  2. Monitor and log: Set up logging to detect and respond to potential attacks in real-time.

Severity: High

Steps to Reproduce the Attack:

  1. Add admin.cronos.htb to the /etc/hosts file to resolve the domain.
  2. Execute sqlmap -u http://admin.cronos.htb/ --forms --batch --risk 3 --level 5 to identify and exploit the SQL injection vulnerability.

Authentication Bypass

Vulnerability Explanation: Using a SQL injection payload, Behind Security was able to bypass the authentication mechanism at admin.cronos.htb, logging in as 'admin' without a valid password.

Vulnerability Fix:

  1. Fix the SQL injection vulnerability as mentioned above.

Severity: High

Steps to Reproduce the Attack:

  1. Head to admin.cronos.htb
  2. Supply admin' or ''*' as the username and any password.
Successful authentication bypass

Initial Access - Command Injection

Vulnerability Explanation: After logging in as admin without a valid password (see Authentication Bypass above), the remote attacker can inject OS commands through the Net Tool v0.1 panel by escaping the original command with a semicolon.

Vulnerability Fix:

  1. Ensure that the SQL injection vulnerabilities are patched, and user authentication is correctly implemented.
  2. Validate and sanitize user input thoroughly to prevent command injection attacks.

Severity: High

Steps to Reproduce the Attack:

  1. Log in as admin without a password (to do so, provide admin' or ''*' and any password at http://admin.cronos.htb/).
  2. Select ping from the drop-down menu and supply 127.0.0.1;id or any command as you wish after the semicolon.
Successful command injection

Post Exploitation

Database Credentials

Vulnerability Explanation: After obtaining a foothold on the machine, Behind Security was able to extract the database user credentials from the file config.php.

Vulnerability Fix:

  1. Store credentials securely using encryption or hashing.
  2. Regularly rotate and update database credentials.

Severity: High

Steps to Reproduce the Attack:

  1. Execute cat /var/www/admin/config.php
Database password REDACTED

LPE to root

Vulnerability Explanation: Behind Security was able to abuse an active crontab that was configured to run as the root user every minute. The crontab executes PHP on Laravel's 'artisan' file, which is owned by the low-privileged user www-data that we got access to previously.

Vulnerability Fix:

  1. Run the crontab as www-data to prevent this privilege escalation.

Severity: Extreme

Steps to Reproduce the Attack:

  1. Insert malicious PHP code into /var/www/laravel/artisan and wait until the cron job runs it to gain privileged command execution. Example: exec('chmod +s /bin/bash'); and then /bin/bash -p.
Vulnerable crontab
Proof of Exploitation: REDACTED user.txt and root.txt

Conclusion

We hope you have found our content on Cronos CTF useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon! 

Behind Security main logo, cropped.

BEHIND SECURITY

Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.

Scroll to Top