Hacking
  • Penetration Testing
  • Methodologies
    • Exfil
    • Manual Enumeration
    • Basic Buffer Overflow
    • Basic Internal Network test
    • Basic Mobile Testing guide
    • Basic Subdomain Enumeration guide
  • Guides
    • Build A Raspberry Pi Dropbox
    • Golang
    • Powershell / PowerView
    • PurpleSharp
  • Hack The Box last updated - 2019
    • Legacy
    • Devel
    • Optimum
    • Popcorn
    • Beep
    • Tenten
    • Arctic
    • Cronos
    • Grandpa
    • Granny
    • October
    • Lazy
    • Sneaky
    • Holiday
    • Blocky
    • Shrek
    • Blue
    • Joker
    • Europa
    • Haircut
    • Bank
    • SolidState
    • Mantis
    • Shocker
    • Tally
    • Sense
    • Jeeves
    • Stratosphere
    • Inception
    • Bashed
    • Fluxcapacitor
    • Canape
    • Rabbit
    • Chatterbox
    • Nibbles
    • Sunday
    • Aragog
    • Valentine
    • Silo
    • Olympus
    • Poison
    • Celestial
    • Waldo
    • Jerry
    • Access
    • Active
    • Netmon
  • scriptz
  • Issues
    • gists
    • Boring Issues
Powered by GitBook
On this page
  • Cronos - 10.10.10.13
  • Target Enumeration:
  • Ports / Services / Software Versions Running
  • Vulnerability Exploited:
  • Privilege escalation
  • Exploiting the host:
  1. Hack The Box last updated - 2019

Cronos

Cronos - 10.10.10.13

Target Enumeration:

OS: Linux

IP: 10.10.10.13

User: 51d236438b333970dbba7dc3089be33b

Root: 1703b8a3c9a8dde879942c79d02fd3a0

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

53/tcp open domain ISC BIND 9.10.3-P4-Ubuntu

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Vulnerability Exploited:

SQL injection authentication bypass.

Command execution on authenticated webapp

Privilege escalation

Php cron service running as root.

Exploiting the host:

Nmap

Check for dns records

Update /etc/hosts file with 10.10.10.13 cronos.htb

Visit admin.cronos.htb

Login and fuzz the login with sqli in burp intruder.

These give a 302 redirect to /welcome.php so it is vulnerable to sqli authentication bypass.

This looks like it could be vulnerable to command injection.

Add ; id after the 8.8.8.8 address.

Check we can write files to the system and look for other tools like wget nc etc to get a shell using touch test.php.

Generate a php reverse shell with msfconsole.

Download shell with wget

Execute the shell by visiting /vdk.php

Download all enumeration scripts to the system and run.

Checking the content of /etc/crontab shows a file running as root so we just need to copy our vdk shell to /var/www/laravel/artisan

Copy our php reverse shell to the dir, rename and make executable.

Ensure the php reverse shell is listening, after a brief period you should get a shell.

Collect the flags

PreviousArcticNextGrandpa

Last updated 6 years ago