HackTheBox Cronos walkthrough

Starting with masscan

Port 53 is open, which is for DNS. Let's see if we can transfer zones.

We discovered the cronos.htb and admin.cronos.htb domains. Insert the following in the /etc/hosts file

Browse both domains

[Image: hackthebox – cronos – laravel]

… and the admin domain

[Image: hackthebox – cronos – admin]

We tried a few common credentials to get past the login, such as admin/admin, guest/guest, etc., and finally tried SQLi, which worked.

Use the following as the username; you can put anything as the password

… and we are in

[Image: hackthebox – cronos – net tool]

Looks like someone made a net tool for traceroute and ping. We can try to inject a command as follows

This worked and we were able to list files.

[Image: hackthebox – cronos – command injection]

Let's get a shell.

Insert the following instead of ls

We get the shell

Upgrade the shell

Let's look around

We see a few passwords, and the user is noulis

Playing around, we see a cron job which is run by the root user every minute.

Looking at the permissions, we can write to the file directly

Replace artisan with /usr/share/webshells/php/php-reverse-shell.php (the path in Kali), listen for the shell, and we will get the shell soon.
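The root cause of the last step is a root cron job whose target file a non-root user can write. As an added example (not part of the original walkthrough), this POSIX shell audit flags that condition in a system-format crontab; the function names, the trusted-UID parameter and the output format are illustrative choices.

```shell
#!/bin/sh
# Added example: flag root cron jobs whose target files a non-root user could modify.
# Expects a system-format crontab: min hour dom mon dow user command.
# Usage (after sourcing this file): audit_crontab /etc/crontab

# True if PATH is not owned by TRUSTED_UID, or is group- or world-writable.
# -L follows symlinks so that the link target's permissions are checked.
is_unsafe() {
    [ -n "$(find -L "$1" -prune \( ! -user "$2" -o -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# audit_crontab FILE [TRUSTED_UID]   (TRUSTED_UID defaults to 0, i.e. root)
# Prints one "UNSAFE <path>" line per finding; returns 1 if anything was found.
audit_crontab() {
    crontab_file=$1
    trusted_uid=${2:-0}
    found=0
    while read -r min hour dom mon dow user cmd; do
        # Skip blank lines, comments, @reboot-style entries and VAR=value lines.
        case $min in ''|'#'*|@*|*=*) continue ;; esac
        [ "$user" = root ] || continue
        set -f                          # no globbing while splitting the command
        for word in $cmd; do
            case $word in /*) ;; *) continue ;; esac   # absolute paths only
            [ -f "$word" ] || continue                 # regular files only
            # Check the file and its directory (a writable dir allows replacement).
            for target in "$word" "$(dirname "$word")"; do
                if is_unsafe "$target" "$trusted_uid"; then
                    echo "UNSAFE $target (root job: $cmd)"
                    found=1
                fi
            done
        done
        set +f
    done < "$crontab_file"
    [ "$found" -eq 0 ]
}
```

Any finding means the scheduled file or its directory should be owned by root and not writable by group or others, or the job should run as the unprivileged account that owns the file.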

