Hack The Box Cronos is a Linux machine. The initial foothold was gained through SQL injection, and privilege escalation used the PHP artisan file from Laravel.
As usual, let’s start with an nmap scan.
Open ports are 22, 53 and 80. Port 80 showed only a default page. It’s not normal in HTB machines to see port 53, so let’s dig in.
So we added ns1.cronos.htb and cronos.htb to /etc/hosts.
The website loaded, which is actually a Laravel template. Ran gobuster but it didn’t show up anything at all. Did a dig on it and found some extra ones. Added admin.cronos.htb and www.cronos.htb to /etc/hosts.
Tried some login attempts using default credentials but failed. Tried basic SQL injection. Username: admin' or '1' = '1 and for the password keep it blank.
As soon as we were in, we found a page where we can run traceroute and ping.
Started to experiment with it. I did send a one-liner reverse shell, which didn’t work; I don’t know the reason. Finally did it with a Python one-liner.
Got the reverse shell and the user flag
Downloaded LinEnum to the box
Found a cronjob that looked interesting
Checked if I can write to the file. Renamed the original artisan file, after that downloaded a PHP reverse shell, renamed it to artisan and gave it execute rights using chmod +x artisan.
After a minute got a root shell.
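Seen from the defender's side, the weakness used above is a root cron job that runs a file an unprivileged account can modify or replace. The following is an added example, not part of the original write-up: it audits crontab text in /etc/crontab format for that condition. The sample crontab and its paths are constructed placeholders, and the function names are hypothetical.

```python
import os
import stat

# Constructed sample in /etc/crontab format: m h dom mon dow user command.
# The paths are placeholders, not values taken from the Cronos box.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
* * * * * root php /srv/app/artisan schedule:run >> /dev/null 2>&1
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * www-data /usr/bin/php /srv/app/cleanup.php
"""

def root_job_paths(crontab_text):
    """Return absolute paths referenced by commands that cron runs as root."""
    paths = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)
        if line.lstrip().startswith("#") or len(fields) < 7 or fields[5] != "root":
            continue  # comments, environment lines, and jobs of other users
        for token in fields[6].split():
            token = token.strip("'\";")
            if token.startswith("/") and token not in ("/", "/dev/null") and token not in paths:
                paths.append(token)
    return paths

def writable_by_non_root(st_uid, st_mode):
    """True if an account other than root may be able to modify the object."""
    # Conservative: any group or world write bit counts, whatever the group is.
    return st_uid != 0 or bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(crontab_text):
    """Return (path, writable_target) pairs for root cron targets at risk."""
    findings = []
    for path in root_job_paths(crontab_text):
        # The parent directory matters too: write access there allows renaming
        # the original file and putting a different one in its place.
        for target in (path, os.path.dirname(path)):
            try:
                st = os.stat(target)
            except OSError:
                continue  # path does not exist on this host
            if writable_by_non_root(st.st_uid, st.st_mode):
                findings.append((path, target))
    return findings

if __name__ == "__main__":
    for path, target in audit(SAMPLE_CRONTAB):
        print(f"root cron job uses {path}: {target} is writable by non-root")
```

Any finding means the file and its directory should be owned by root and not group- or world-writable, or the job should run as the application's own user instead of root.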
You can always follow me on twitter to get the latest updates https://twitter.com/far3y