Introduction
Today I explore Cronos from HTB, an OSCP-like box featuring some vhost enumeration, SQL login bypass techniques and command injection. Once on the box we use a Laravel script for privilege escalation. I started this box off by visiting the IP directly in a web browser, since the majority of HTB boxes have their main entry point via the web. Arriving at the page I see an Apache configuration page. Immediately I begin running a vhost scan:

Found admin.cronos.htb with a VHOST search.
I edit my hosts file and go to the admin URL. When I arrive I am presented with a login screen. I run a gobuster scan looking for additional pages/files and try a few SQL login bypass techniques. One works and I am able to access the panel.

Login page presented.

Bypass the login page with a comment.

gobuster also found that the Welcome page lets you run commands without needing to be logged in.
I see a Net Tool page that runs some baseline network commands. I use Burp to catch the request and try a few commands to see if I have command execution:

Direct command injection to the host?


Finding out where/who I am and which python/nc binaries are available.
Seeing I can send commands, I use a reverse shell one-liner to get a shell on the machine. PayloadAllTheThings has a great resource for this.
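As an added illustration, not code from the box or from this write-up, this is the shape of a Net Tool back end that would not have been injectable: the command name is looked up in an allowlist, the target must parse as an IP address or hostname, and the process is started from an argv list with no shell involved (the command table and validators are my own assumptions about what such a tool needs).

```python
import ipaddress
import re
import subprocess

# Fixed argv prefixes for the only commands the tool may run. The user picks
# a key; the binary and its flags are never taken from the request.
# (Constructed for this example.)
ALLOWED_COMMANDS = {
    "ping": ["ping", "-c", "3"],
    "traceroute": ["traceroute", "-m", "10"],
}

# One DNS label: alphanumeric, hyphens allowed inside, 1-63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


class UnknownCommand(ValueError):
    pass


class InvalidTarget(ValueError):
    pass


def validate_target(target: str) -> str:
    """Accept only a literal IP address or a syntactically valid hostname.

    Shell metacharacters, whitespace and a leading '-' (which ping/traceroute
    would parse as an option) fail both checks and are rejected.
    """
    try:
        ipaddress.ip_address(target)  # IPv4 or IPv6 literal
        return target
    except ValueError:
        pass
    if len(target) <= 253 and HOSTNAME_RE.match(target):
        return target
    raise InvalidTarget(f"rejected target: {target!r}")


def build_argv(command: str, target: str) -> list[str]:
    """Map the request to an argv list; raises instead of running on bad input."""
    if command not in ALLOWED_COMMANDS:
        raise UnknownCommand(f"command not allowed: {command!r}")
    return ALLOWED_COMMANDS[command] + [validate_target(target)]


def run_net_tool(command: str, target: str, timeout: int = 15) -> str:
    """Run the validated command without a shell (no string concatenation,
    no shell=True), so nothing in `target` can start a second command."""
    argv = build_argv(command, target)
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.stdout
```

`run_net_tool("ping", "example.com")` is the only path that touches the system, and it does so with a fixed binary and a validated argument.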
On the box I run LinPEAS which shows me a possible escalation point:

LinPEAS showing artisan being a pivot point.
I navigated to the artisan file mentioned and reviewed the script. I added my PHP reverse shell one-liner (also listed in the PayloadAllTheThings resource noted above) and saved the file. I started a local nc listener and waited. The shell spawned a moment later and I grabbed root.

Altering artisan file to catch the shell.

Rooted Cronos with proof.
