Web


Nmap discovered a web server on port 80 of the target. I was also able to get some domain information through the earlier enumeration.

I will go through them all.

ns1.cronos.htb


Webroot of ns1.cronos.htb. It's the default page of an Apache2 installation.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/cronos]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u http://ns1.cronos.htb/FUZZ -ic -e .txt,.php,.html 
________________________________________________
 
 :: Method           : GET
 :: URL              : http://ns1.cronos.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
.html                   [status: 403, Size: 294, Words: 22, Lines: 12, Duration: 31ms]
.php                    [status: 403, Size: 293, Words: 22, Lines: 12, Duration: 2953ms]
index.html              [status: 200, Size: 11439, Words: 3534, Lines: 380, Duration: 2978ms]
                        [status: 200, Size: 11439, Words: 3534, Lines: 380, Duration: 3173ms]
                        [status: 200, Size: 11439, Words: 3534, Lines: 380, Duration: 29ms]
.html                   [status: 403, Size: 294, Words: 22, Lines: 12, Duration: 30ms]
.php                    [status: 403, Size: 293, Words: 22, Lines: 12, Duration: 30ms]
server-status           [status: 403, Size: 302, Words: 22, Lines: 12, Duration: 27ms]
:: Progress: [882188/882188] :: Job [1/1] :: 1332 req/sec :: Duration: [0:11:33] :: Errors: 0 ::

It's empty.

cronos.htb


Webroot of cronos.htb

Wappalyzer identified the technologies involved. It's built with Laravel.

All 5 of those external hyperlinks point to Laravel-related services.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/cronos]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u http://cronos.htb/FUZZ -ic -e .txt,.php,.html  
________________________________________________
 
 :: Method           : GET
 :: URL              : http://cronos.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index.php               [status: 200, Size: 2319, Words: 990, Lines: 86, Duration: 1576ms]
css                     [status: 301, Size: 306, Words: 20, Lines: 10, Duration: 28ms]
js                      [status: 301, Size: 305, Words: 20, Lines: 10, Duration: 28ms]
robots.txt              [status: 200, Size: 24, Words: 2, Lines: 3, Duration: 32ms]
:: Progress: [882188/882188] :: Job [1/1] :: 1368 req/sec :: Duration: [0:11:31] :: Errors: 0 ::

ffuf discovered /robots.txt.

/robots.txt


/robots.txt is empty.

admin.cronos.htb


Webroot of admin.cronos.htb. It's a login page and appears to be the administrative panel.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/cronos]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://admin.cronos.htb/FUZZ -ic -e .txt,.php,.html
________________________________________________
 
 :: Method           : GET
 :: URL              : http://admin.cronos.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index.php               [Status: 200, Size: 1547, Words: 525, Lines: 57, Duration: 41ms]
welcome.php             [Status: 302, Size: 439, Words: 55, Lines: 21, Duration: 34ms]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 38ms]
config.php              [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 35ms]
session.php             [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 35ms]
:: Progress: [882188/882188] :: Job [1/1] :: 1369 req/sec :: Duration: [0:11:32] :: Errors: 0 ::

ffuf found some interesting files.
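Each of the three ffuf runs above sent roughly 880,000 requests and the server answered almost all of them with 403 or 404, which is exactly the signal a defender can key on. The following detector is an added example (not part of the original writeup) that parses Apache combined-format access-log lines and flags any client IP that, inside a 60-second window, sends many requests to many distinct paths with a high 403/404 ratio. The log lines it runs over are constructed for this example, as are the thresholds and the fuzzer User-Agent string.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format (the constructed sample lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_content_discovery(lines, window_s=60, min_requests=20,
                           min_error_ratio=0.8, min_distinct_paths=15):
    """Flag client IPs whose traffic inside any window_s-second window looks like
    wordlist-driven content discovery: many requests, mostly 403/404, to many
    distinct paths. Returns {ip: stats} for the largest qualifying window per IP."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # advance the window start so it spans at most window_s seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            if len(window) < min_requests:
                continue
            errors = sum(1 for r in window if r["status"] in (403, 404))
            distinct = len({r["path"] for r in window})
            if errors / len(window) >= min_error_ratio and distinct >= min_distinct_paths:
                stats = {"requests": len(window), "errors": errors,
                         "distinct_paths": distinct,
                         "first": window[0]["ts"], "last": window[-1]["ts"]}
                if ip not in flagged or stats["requests"] > flagged[ip]["requests"]:
                    flagged[ip] = stats
    return flagged


def _constructed_sample_log():
    """Constructed sample: one scanner (10.10.14.5) and one normal visitor (10.10.14.9)."""
    words = ["admin", "backup", "config", "test", "old", "dev", "api", "login", "upload",
             "tmp", "private", "secret", "db", "data", "include", "lib", "assets",
             "cgi-bin", "panel", "manage"]
    scanner_ua = "constructed-fuzzer/1.0"  # placeholder UA, not a real tool's string
    lines = []
    for i, w in enumerate(words):
        for ext in (".php", ".txt"):
            status = 200 if f"{w}{ext}" in ("admin.php", "login.php") else 404
            lines.append(f'10.10.14.5 - - [20/Mar/2023:10:00:{i:02d} +0000] '
                         f'"GET /{w}{ext} HTTP/1.1" {status} 294 "-" "{scanner_ua}"')
    for sec, (path, size) in enumerate([("/", 2319), ("/css/app.css", 9120),
                                         ("/js/app.js", 5504), ("/robots.txt", 24)]):
        lines.append(f'10.10.14.9 - - [20/Mar/2023:10:00:{sec:02d} +0000] '
                     f'"GET {path} HTTP/1.1" 200 {size} "http://cronos.htb/" "Mozilla/5.0"')
    return lines


SAMPLE_LOG = _constructed_sample_log()

if __name__ == "__main__":
    for ip, stats in find_content_discovery(SAMPLE_LOG).items():
        print(f"{ip}: {stats['requests']} requests, {stats['errors']} 403/404s, "
              f"{stats['distinct_paths']} distinct paths between "
              f"{stats['first']:%H:%M:%S} and {stats['last']:%H:%M:%S}")
```

The thresholds are deliberately conservative: a human clicking around a broken site produces a few 404s, not dozens of distinct missing paths per minute. On a real deployment you would feed it the live access log and forward flagged IPs to whatever rate-limiting or alerting you already have, rather than rely on the User-Agent, which a scanner can set to anything.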

SQLi Authentication Bypass


I was not able to open up any of those files found.

So I tried various injections.

I was able to bypass the authentication with SQLi. Then I got redirected to /welcome.php.
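A login form falls to SQLi when the username and password are concatenated into the query text, so the client controls SQL syntax rather than just data. The block below is an added example written for this writeup, not the code behind admin.cronos.htb (the page never shows it): it stands up a constructed in-memory SQLite table and puts the concatenated query next to a parameterised one that stores a PBKDF2 hash and compares it in constant time. The user, password and injected string are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3


def _setup_db():
    """Constructed in-memory database with one user. The plaintext column exists
    only so the vulnerable variant can be shown; the hardened variant uses the hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
               "password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000)
    db.execute("INSERT INTO users (username, password, salt, pw_hash) VALUES (?, ?, ?, ?)",
               ("admin", "correct horse", salt, pw_hash))
    db.commit()
    return db


DB = _setup_db()


def login_vulnerable(username, password):
    """Query built by string concatenation: the client controls SQL syntax."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return DB.execute(sql).fetchone() is not None


def login_hardened(username, password):
    """Parameterised lookup plus constant-time hash comparison: input is data only."""
    row = DB.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        # burn the same work as a real check so timing does not reveal valid usernames
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, 100_000)
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)


# Textbook tautology: in the concatenated query the quote closes the string,
# OR 1=1 makes the WHERE clause true, and -- comments out the password check.
INJECTED_USERNAME = "' OR 1=1--"

if __name__ == "__main__":
    print("vulnerable, injected username:", login_vulnerable(INJECTED_USERNAME, "anything"))
    print("hardened,   injected username:", login_hardened(INJECTED_USERNAME, "anything"))
    print("hardened,   real credentials: ", login_hardened("admin", "correct horse"))
```

With the parameterised query the injected string is looked up as a literal username, finds no row and the check fails; there is no escaping step to get wrong. Laravel's query builder and Eloquent bind parameters the same way, so the bypass seen here points to hand-written SQL in the admin panel rather than the framework.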

OS Command Injection


welcome.php has traceroute and ping as dropdown options.

Using the default traceroute option, it appears to send out a POST request with 2 parameters.

What if I change the value of the host parameter?

Code execution confirmed.
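The host value reaching a shell is what turns a ping/traceroute helper into remote code execution. As an added example (again not the code behind welcome.php, which the page does not show), here is how such a feature is built so that the user's input can never be interpreted: the tool name is an allowlist key with fixed arguments, the host is validated as an IP literal or RFC 1123 hostname and rejected otherwise, and the process is started from an argv list with no shell. The tool arguments, sample inputs and the IP 10.0.0.7 are constructed for the demonstration.

```python
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")

# Allowlisted tools and their fixed arguments; the user picks only the key.
TOOLS = {
    "ping": ["ping", "-c", "3", "-W", "2"],
    "traceroute": ["traceroute", "-m", "15", "-w", "2"],
}


def validate_host(raw):
    """Return a normalised host string or raise ValueError.
    Accepts an IPv4/IPv6 literal or a hostname; anything else is rejected rather
    than escaped, so metacharacters and leading dashes never reach the tool."""
    host = raw.strip()
    if not host or len(host) > 253:
        raise ValueError("empty or over-long host")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if host.startswith("-"):
        raise ValueError("host must not look like a command-line option")
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"not a valid hostname: {host!r}")
    return host.lower()


def build_command(tool, raw_host):
    """Assemble an argv list; with no shell involved nothing in it is interpreted."""
    if tool not in TOOLS:
        raise ValueError(f"unknown tool: {tool!r}")
    return TOOLS[tool] + [validate_host(raw_host)]


def run_diagnostic(tool, raw_host, timeout=30):
    """Run the allowlisted tool with shell=False and a hard timeout."""
    argv = build_command(tool, raw_host)
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, shell=False)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    # constructed inputs: two valid hosts, an IPv6 literal, then three that must be rejected
    for raw in ["ns1.cronos.htb", "10.0.0.7", "::1", "8.8.8.8;date",
                "-c 100000 localhost", "a b"]:
        try:
            print(f"{raw!r:25} -> {shlex.join(build_command('traceroute', raw))}")
        except ValueError as e:
            print(f"{raw!r:25} -> rejected: {e}")
    try:
        rc, out = run_diagnostic("ping", "127.0.0.1", timeout=15)
        print("ping exit status:", rc)
    except (FileNotFoundError, subprocess.TimeoutExpired) as e:
        print("ping could not be run here:", e)
```

Rejecting instead of escaping is the important choice: there is no quoting rule to get wrong, and the leading-dash check stops option injection (a host of "-c 100000" would otherwise become an argument to ping even with no shell in the picture). The same shape applies in PHP: validate, then call the binary with an argument array rather than a command string.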

Moving on to the exploitation phase.