Cronos — HTB Walkthrough

Dhanishtha Awasthi
3 min read · Jul 9, 2020

Cron jobs need to be handled with care…

ENUMERATION

Nmap scan for services and OS

DNS ENUMERATION

After visiting the Apache page, we add cronos.htb to our /etc/hosts for better dig results.

We add admin.cronos.htb to the hosts file and enumerate it. Visiting the website shows a simple Apache page.

Visiting admin.cronos.htb, we see a login.php page.

On searching for exploits for Laravel and Laracast, I found

First, let's try SQL injection; if it doesn't work, we will go to Token Unserialize RCE.

So I captured the request in Burp and sent it to Repeater for fuzzing. For an invalid login attempt, it shows that either the username or password is wrong.

Reference strings for SQL injection

Username: admin'# worked

Let's log in. We see

A net tool which allows us to either traceroute or ping. Traceroute doesn't do anything. For ping on 8.8.8.8 we see

Great, let's fuzz with ping by doing the following

Thus ping is vulnerable to command injection. Let's exploit it.

EXPLOITATION

Using a bash one-liner and listening on port 1234

After getting a shell, we see config.php, which shows the real password for admin

Going to /home/noulis, we find the user flag

PRIVILEGE ESCALATION

Looking for cron jobs, we see

We have a writable file, /var/www/laravel/artisan, which is run as root

So what we will do is write a PHP script that gives a reverse shell; when root executes artisan, it will spawn its shell. Using an msfvenom payload:

Why? Because we need a PHP script, not a one-liner.

You can use netcat or msfconsole on port 443
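From the defender's side, the weakness above is a root cron job that runs a file a non-root account can modify. The following audit sketch is an added example, not part of the original walkthrough; it assumes the system /etc/crontab format (with a user field), and the sample crontab and function names are constructed for illustration.

```python
import os
import shlex
import stat

# Constructed sample in /etc/crontab format: min hour dom mon dow user command
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
17 * * * * www-data /usr/local/bin/cleanup.sh
"""

def root_cron_paths(crontab_text):
    """Return absolute paths referenced by commands that cron runs as root."""
    paths = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != "root":
            continue  # env assignment, malformed line, or non-root job
        for token in shlex.split(fields[6]):
            if token.startswith("/") and token != "/dev/null":
                paths.append(token)
    return paths

def unsafe_reason(path, trusted_uids=(0,)):
    """Say why an untrusted user could alter `path`, or return None."""
    # The parent directory matters too: write access there allows replacing the file.
    for target in (path, os.path.dirname(path)):
        try:
            st = os.stat(target)
        except OSError:
            return f"{target}: cannot be inspected"
        if st.st_uid not in trusted_uids:
            return f"{target}: owned by uid {st.st_uid}"
        # Conservative: any group or world write bit is reported.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return f"{target}: group/world writable ({stat.filemode(st.st_mode)})"
    return None

def audit(crontab_text, trusted_uids=(0,)):
    """Map each risky path used by a root cron job to the reason it is risky."""
    reasons = {p: unsafe_reason(p, trusted_uids) for p in root_cron_paths(crontab_text)}
    return {p: r for p, r in reasons.items() if r}

if __name__ == "__main__":
    with open("/etc/crontab") as fh:
        for path, reason in audit(fh.read()).items():
            print(f"root cron job depends on {path} -> {reason}")
```

Any finding means the file or its directory should be owned by root and not writable by the web server account, or the job should run as an unprivileged user instead.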

ROOT FLAG

ROOTED !!!

Written by Dhanishtha Awasthi

OSCP | CEH | Cyber Security Enthusiast.
