Cronos

# ENUMERATION
# NMAP
- 22: OpenSSH 7.2p2 Ubuntu 4ubuntu2.1
- 53: ISC BIND 9.10.3-P4
- 80: Apache httpd 2.4.18
- Nmap also flags the web server as a likely Slowloris target. No, will not run this vulnerability for DoS (it would only knock the box over, not get a shell):

    | VULNERABLE:
    | Slowloris DOS attack
    |   State: LIKELY VULNERABLE
    |   IDs:  CVE:CVE-2007-6750

- There's not much to go off of here...
=======================================================
# ENUMERATION
# GOBUSTER
    http://10.10.10.13:80/index.html (Status: 200) [Size: 12454]
    http://10.10.10.13:80/server-status (Status: 403) [Size: 299]
=======================================================
# ENUMERATION
# NIKTO
- Interesting...

    + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS

=======================================================
# EXPLOIT
# CVE-2017-9798 (Optionsbleed)
- Apache 2.4.18 is listed on https://vulners.com/cve/CVE-2017-9798, so run the searchsploit PoC against the box:

    kali@kali:~/HTB/RETIRED/Cronos/searchsploit$ python3 42745.py -u http://10.10.10.13 -a
    [ok] http://10.10.10.13: 'GET,HEAD,POST,OPTIONS'

- [ok] is the script's clean result: the Allow header is exactly the four methods Nikto already listed, so nothing leaks here. All it confirms is that the server accepts POST. Not a way in.
=======================================================
# ENUMERATION
# DIG
- port 53 (had to use the tutorial for this). BIND is open, so ask it for a full zone transfer (AXFR) of cronos.htb:

    kali@kali:~/HTB/RETIRED/Cronos/online/httpd$ dig axfr @10.10.10.13 cronos.htb

    ; <<>> DiG 9.16.2-Debian <<>> axfr @10.10.10.13 cronos.htb
    ; (1 server found)
    ;; global options: +cmd
    cronos.htb.             604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
    cronos.htb.             604800  IN  NS   ns1.cronos.htb.
    cronos.htb.             604800  IN  A    10.10.10.13
    admin.cronos.htb.       604800  IN  A    10.10.10.13
    ns1.cronos.htb.         604800  IN  A    10.10.10.13
    www.cronos.htb.         604800  IN  A    10.10.10.13
    cronos.htb.             604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
    ;; Query time: 72 msec
    ;; SERVER: 10.10.10.13#53(10.10.10.13)
    ;; WHEN: Sat Jul 25 02:20:59 EDT 2020
    ;; XFR size: 7 records (messages 1, bytes 203)

- The server allows AXFR from anyone, which hands over the whole zone. admin.cronos.htb is a name gobuster could never have found, since it is a separate vhost rather than a path.
=======================================================
# EXPLOIT
# ADD TO HOSTS FILE
- Can't browse to admin.cronos.htb... the name only exists in the box's own DNS, so nothing on my side resolves it.
- Add this to the /etc/hosts file on my kali box:

    10.10.10.13 cronos.htb admin.cronos.htb www.cronos.htb ns1.cronos.htb

- admin.cronos.htb reveals a login page
=======================================================
# EXPLOIT
# SQL INJECTION
- I am able to add '-- - after the username... SQL injection: the quote closes the username string and -- - comments out the rest of the query, password check included, so the login goes through without a valid password.
- I was expecting something dramatic... but I was given a command execution page
- Add a semicolon to the end of the command, and it works nicely: the field is clearly being handed to a shell, so ; terminates the app's command and whatever follows runs as well
- Send the request to Burp Suite... repeat the command as much as needed
=======================================================
# EXPLOIT
# BURP SUITE
- The Repeater tab allows me to execute commands... use ';whoami' to start
- Now try a wget... yep, wget allows me to put a PHP reverse shell on the machine
- Shell connects back as user www-data (Apache's account)... initial foot-hold complete!
=======================================================
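The zone transfer from the DIG section above, turned into the /etc/hosts entries the ADD TO HOSTS FILE step needs. This is an added Python example, not part of the original notes; its only input is the dig output already shown, embedded as a string, so it runs offline. parse_axfr keeps the resource records and drops dig's trailing copy of the SOA, transfer_succeeded checks for the "; Transfer failed." line dig prints when a server refuses AXFR (the answer you get from a correctly locked-down zone), hosts_lines groups the A records into one line per address, and new_vhosts lists the names that web enumeration never found.

```python
"""Turn a successful `dig axfr` into /etc/hosts entries.

Added example, not part of the original Cronos notes. Parses the AXFR
output captured in the DIG section (embedded here as a string), keeps
the A records and groups the hostnames by address.
"""
import re
from collections import OrderedDict

# AXFR output copied from the dig run in the notes above
AXFR_OUTPUT = """\
; <<>> DiG 9.16.2-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.\t\t604800\tIN\tSOA\tcronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.\t\t604800\tIN\tNS\tns1.cronos.htb.
cronos.htb.\t\t604800\tIN\tA\t10.10.10.13
admin.cronos.htb.\t604800\tIN\tA\t10.10.10.13
ns1.cronos.htb.\t\t604800\tIN\tA\t10.10.10.13
www.cronos.htb.\t\t604800\tIN\tA\t10.10.10.13
cronos.htb.\t\t604800\tIN\tSOA\tcronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 72 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Sat Jul 25 02:20:59 EDT 2020
;; XFR size: 7 records (messages 1, bytes 203)
"""

# owner  ttl  IN  type  rdata  (dig's default presentation format)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_axfr(text):
    """Return (owner, ttl, type, rdata) tuples; dig's ';' comment lines are skipped.
    An AXFR answer is bracketed by the SOA, so the repeated trailing SOA is dropped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, ttl, rtype, rdata = m.groups()
        records.append((owner.rstrip(".").lower(), int(ttl), rtype, rdata.strip()))
    if len(records) >= 2 and records[0][2] == "SOA" and records[-1][2] == "SOA":
        records.pop()
    return records


def transfer_succeeded(text):
    """dig prints '; Transfer failed.' when the server refuses AXFR; a real
    transfer always carries the zone's SOA."""
    return "Transfer failed." not in text and any(r[2] == "SOA" for r in parse_axfr(text))


def hosts_lines(records):
    """Group A records by address: one /etc/hosts line per IP, names in zone order."""
    by_ip = OrderedDict()
    for owner, _ttl, rtype, rdata in records:
        if rtype != "A":
            continue
        names = by_ip.setdefault(rdata, [])
        if owner not in names:
            names.append(owner)
    return ["%s %s" % (ip, " ".join(names)) for ip, names in by_ip.items()]


def new_vhosts(records, already_known):
    """Names the zone reveals that web enumeration (gobuster, nikto) did not."""
    known = {n.lower() for n in already_known}
    return sorted({r[0] for r in records if r[2] == "A"} - known)


if __name__ == "__main__":
    recs = parse_axfr(AXFR_OUTPUT)
    print("transfer succeeded:", transfer_succeeded(AXFR_OUTPUT))
    for line in hosts_lines(recs):
        print(line)
    print("new names:", new_vhosts(recs, ["cronos.htb", "www.cronos.htb"]))
```

The printed hosts line is what goes into /etc/hosts; the new_vhosts output is the list to walk through in the browser, which is how admin.cronos.htb turns up.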