Hacking
Github
Twitter
Search…
Hacking
Hacking, Bug Bounties & Penetration Testing
The Hacker Lab
Methodologies
Basic Buffer Overflow
Basic Internal Network test
Basic Mobile Testing guide
Basic Subdomain Enumeration guide
Guides
Build A Raspberry Pi Dropbox
Golang
Powershell / PowerView
Hack The Box last updated - 2019
Legacy
Devel
Optimum
Popcorn
Beep
Tenten
Arctic
Cronos
Grandpa
Granny
October
Lazy
Sneaky
Holiday
Blocky
Shrek
Blue
Joker
Europa
Haircut
Bank
SolidState
Mantis
Shocker
Tally
Sense
Jeeves
Stratosphere
Inception
Bashed
Fluxcapacitor
Canape
Rabbit
Chatterbox
Nibbles
Sunday
Aragog
Valentine
Silo
Olympus
Poison
Celestial
Waldo
Jerry
Access
Active
Netmon
Powered By
GitBook
Cronos
Cronos - 10.10.10.13
Target Enumeration:
OS: Linux
IP: 10.10.10.13
User: 51d236438b333970dbba7dc3089be33b
Root: 1703b8a3c9a8dde879942c79d02fd3a0
Ports / Services / Software Versions Running
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Vulnerability Exploited:
SQL injection authentication bypass.
Command execution on authenticated webapp
Privilege escalation
Php cron service running as root.
Exploiting the host:
Nmap
​
​
Check for dns records
Update /etc/hosts file with 10.10.10.13 cronos.htb
Visit admin.cronos.htb
Login and fuzz the login with sqli in burp intruder.
These give a 302 redirect to /welcome.php so it is vulnerable to sqli authentication bypass.
This looks like it could be vulnerable to command injection.
Add ; id after the 8.8.8.8 address.
Check we can write files to the system and look for other tools like wget nc etc to get a shell using touch test.php.
Generate a php reverse shell with msfconsole.
Download shell with wget
Execute the shell by visiting /vdk.php
Download all enumeration scripts to the system and run.
Checking the content of /etc/crontab shows a file running as root so we just need to copy our vdk shell to /var/www/laravel/artisan
Copy our php reverse shell to the dir, rename and make executable.
Ensure the php reverse shell is listening, after a brief period you should get a shell.
Collect the flags
Hack The Box last updated - 2019 - Previous
Arctic
Next - Hack The Box last updated - 2019
Grandpa
Last modified
3yr ago
Copy link
Contents
Cronos - 10.10.10.13
Target Enumeration:
Ports / Services / Software Versions Running
Vulnerability Exploited:
Privilege escalation
Exploiting the host: