Skip to content

Hack the box – Cronos writeup without Metasploit

Hack the box Cronos is a Linux machine initial foothold was gained through SQL injection privilege escalation using PHP artisan from Laravel.

As usual let’s start with nmap scan

Open ports are 22, 53 and 80. Port 80 showed only a default page. It’s not normal in htb machines to see port 53 let’s dig in

So we added ns1.cronos.htb and cronos.htb in to /etc/hosts

Website loaded which is actually a Laravel template. Ran gobuster but didn’t show up anything at all. Did dig on it and found some extra ones. added admin.cronos.htb, www.cronos.htb

added those to /etc/hosts.

Tried some login attempts using default credentials but failed. Tried basic SQL injection. Username: admin’ or ‘1’ = ‘1 and for the password keep it blank.

As soon as we are in found a page which we can do traceroute and ping

Started to experiment with it. I did send a one liner reverse shell which didn’t work, I don’t know the reason. Finally did it with a python one liner

Got the reverse shell and the user flag

Downloaded LinEnum to the box

Found a cronjob that looked interesting

Checked if I can write to the file. Renamed the original artisan file after that downloaded php revershell renamed it to artisan and gave executive rights using chmod +x artisan.

After a minute got a root shell.

You can always follow me on twitter to get the latest updates https://twitter.com/far3y

Published inHackinghacktheboxOSCP

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: