Today I explore Cronos from HTB, an OSCP-like box featuring some SQL login bypass techniques and command injection. Once on the box we use a Laravel script for privilege escalation. I started this box off by directly visiting the IP in a web browser, as the majority of boxes on HTB have their main entry point via the web. Arriving at the page I see an Apache configuration page. Immediately I begin running a
admin.cronos.htb with a
I edit my hosts file and go to the admin URL. When I arrive I am presented with a login screen. I run a gobuster scan looking for additional pages/files and try a few SQL login bypass techniques. One works and I am able to access the panel.
Bypass the login page with a comment.
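To make the bypass concrete from the defender's side, here is an added example (not code from the Cronos box or from the original post) of a login check written the vulnerable way and the fixed way side by side. It assumes a PDO connection and a `users` table with `username`, `password` and `password_hash` columns; the table, column and function names are assumptions, and the demo uses an in-memory SQLite database with constructed sample rows so it runs offline.

```php
<?php
// Added example, not from the box or the original post. Table and column
// names are assumptions; the demo data below is constructed.

// VULNERABLE: the username is concatenated straight into the SQL text. A
// value containing a quote and a comment marker closes the string early and
// comments out the rest of the WHERE clause, including the password check.
function loginVulnerable(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '$username' AND password = '$password'";
    $row = $db->query($sql)->fetch();
    return $row !== false;
}

// FIXED: a prepared statement sends the query text and the data separately,
// so quotes and comment markers in the input are only ever data. The password
// is compared against a stored hash instead of a plaintext column.
function loginFixed(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Demo against an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password, password_hash) VALUES (?, ?, ?)');
$ins->execute(['admin', 'hunter2', password_hash('hunter2', PASSWORD_DEFAULT)]);

// The comment-based input the post describes: the trailing "-- " turns the
// remainder of the vulnerable query into a comment.
$bypass = "admin' -- ";
var_dump(loginVulnerable($db, $bypass, 'wrong')); // bool(true): password check commented out
var_dump(loginFixed($db, $bypass, 'wrong'));      // bool(false): no such username
var_dump(loginFixed($db, 'admin', 'hunter2'));    // bool(true): real credentials still work
```

The fix is not an input filter: the prepared statement removes the string concatenation entirely, so there is no quoting rule for an attacker to slip past, and the hash comparison means a dumped table no longer yields usable passwords.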
Also found through gobuster: you can run commands on Welcome without needing to be logged in. I see a Net Tool page that runs some baseline commands. I use Burp to catch the request and try a few commands to see whether I have command execution:
Direct command injection to the host?
Finding out where/who I am and which python/nc binaries are available.
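The Net Tool page is the classic shape of an OS command injection: user input pasted into a shell command line. As an added example (not the box's code; the function names and the ping wrapper are assumptions), here is that handler written the vulnerable way beside a hardened version that validates the target against an allowlist and quotes it before it reaches the shell.

```php
<?php
// Added example, not from the box. Function names are assumptions and the
// sample inputs at the bottom are constructed.

// VULNERABLE: the host field is interpolated into the command string, so any
// shell metacharacter in it (; | & $( ) backticks) runs additional commands
// as the web server user.
function pingVulnerable(string $host): string
{
    return (string) shell_exec("ping -c 1 $host");
}

// Allowlist validation: accept an IP address, or a hostname made only of
// RFC 1123 labels (letters, digits, hyphens; no leading/trailing hyphen).
// Anything with a space, quote or metacharacter fails here before any
// command is built. A leading "-" is rejected too, which also blocks
// argument injection into ping's own option parsing.
function isValidTarget(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    return strlen($host) <= 253
        && preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/', $host) === 1;
}

// HARDENED: validate first, then quote with escapeshellarg() so the shell
// sees exactly one argument, and call the binary by absolute path.
function pingHardened(string $host): string
{
    if (!isValidTarget($host)) {
        throw new InvalidArgumentException('invalid host');
    }
    return (string) shell_exec('/bin/ping -c 1 ' . escapeshellarg($host));
}

// Show the validation decision for a few constructed inputs without
// actually running ping.
$samples = ['127.0.0.1', 'cronos.htb', '127.0.0.1; id', '$(whoami)', '-c 100 localhost'];
foreach ($samples as $s) {
    printf("%-20s %s\n", $s, isValidTarget($s) ? 'accepted' : 'rejected');
}
```

Validation and quoting are layered on purpose: `escapeshellarg()` alone stops the shell from splitting the value, but it does not stop a value like `-c 100 localhost` from being handed to ping as options, which is why the allowlist runs first. On the detection side, a web server process spawning `sh -c` with a child of `id`, `nc` or `python` is the pattern to alert on for this class of bug.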
Seeing I can send commands, I use a reverse shell one-liner to get a shell on the machine. PayloadsAllTheThings has a great resource for this.
On the box I run LinPEAS, which shows me a possible escalation point:
LinPEAS showing artisan as a pivot point.
I navigated over to the artisan file mentioned and reviewed the script. I added my PHP reverse shell one-liner (also mentioned in the same article noted above) and saved the file. I started up a local nc listener and waited. The shell spawned a moment later and I grabbed root.
Altering the artisan file to catch the shell.
Rooted Cronos with proof.