Cronos — HackTheBox Walkthrough

Cronos — OSCP-like machine
  • Finding subdomains via /etc/hosts
  • SQL injection to bypass a login panel
  • RCE from a common attack vector
  • Cron job exploitation to get root status

Initial Recon

Let’s begin with our usual nmap scan and see what we’re dealing with.

nmap scan reveals 3 open ports
/etc/hosts configuration file

Foothold

admin login panel
after login page

Reverse Shell as www-data

You can experiment with the ping function by running tcpdump on your machine, entering your IP above and hitting execute to confirm this actually works. Let’s dive straight into the RCE payload and get this reverse shell:

reverse shell !
;

Escalating to Root

The reason why I loved this box was because of the many things that were involved.

cat /etc/crontab
Inspection of permissions
  • /tmp as www-data,
  • downloaded a php-reverse-shell.php (taken from pentestmonkey)
  • mv php-reverse-shell.php /var/www/laravel/artisan (our shell is now named artisan and placed exactly where the root cron calls it from)
  • I set a nc -lvnp, waited a minute or two and got the root shell!
Root :D
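
The same misconfiguration seen from the defender's side, as an added example that is not part of the original walkthrough: this Python audit lists root entries in /etc/crontab whose script, or the directory holding it, can be changed by a non-root account. The function names and the `trusted_uid` parameter are assumptions of this example.

```python
import os
import shlex
import stat

def root_cron_commands(crontab_text):
    """Return the command of every system-crontab entry that runs as root."""
    commands = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # /etc/crontab format: five time fields (or one @keyword), user, command
        n_time = 1 if line.startswith("@") else 5
        fields = line.split(None, n_time + 1)
        if len(fields) == n_time + 2 and fields[n_time] == "root":
            commands.append(fields[n_time + 1])
    return commands

def _weak(path, trusted_uid):
    """Explain why a non-root user could alter `path`, or return None."""
    st = os.stat(path)
    if st.st_uid != trusted_uid:
        return f"{path} is owned by uid {st.st_uid}"
    loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
    if loose and not sticky_dir:
        return f"{path} is group/world-writable"
    return None

def audit_root_cron(crontab_text, trusted_uid=0):
    """List (command, reason) pairs for root jobs that run replaceable files."""
    findings = []
    for command in root_cron_commands(crontab_text):
        for token in shlex.split(command):
            if not (token.startswith("/") and os.path.isfile(token)):
                continue  # skips interpreters on PATH, arguments, /dev/null
            # Check the file and its directory: write access to the directory
            # is enough to swap the file with mv, as in the steps above.
            for target in (token, os.path.dirname(token)):
                reason = _weak(target, trusted_uid)
                if reason:
                    findings.append((command, reason))
    return findings

if __name__ == "__main__" and os.path.isfile("/etc/crontab"):
    with open("/etc/crontab") as fh:
        for command, reason in audit_root_cron(fh.read()):
            print(f"[!] root runs: {command}\n    {reason}")
```

Any finding means the job should point at a root-owned file in a root-owned directory, or run as the unprivileged account that owns the application.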

I hope you all enjoyed my take on this box and understood everything I went over.

Thank you for reading


Penetration Tester ~ OSCP CPSA CRT~
