Ping
ping 10.10.10.13
Nmap Default Scan
nmap 10.10.10.13 -oN dnmap
Nmap Script and Service Scan
nmap 10.10.10.13 -sV -sC -A -oN snmap
Nmap All port Scan
nmap -p- --min-rate 10000 10.10.10.13 -oN anmap
Port 80
http://10.10.10.13
Will dig Further
dig axfr cronos.htb @10.10.10.13
got additional dns info, will add it to hosts file
http://admin.cronos.htb
used simple sql injection
It worked…!
We can ping as well
Tried my ip
Will get the burp request
looks like we can execute commands
Will try that
yes it worked, we can see the python in the machine
Now will get reverse shel
Got Reverse Shell and upgraded my shell
rlwrap nc -nvlp 443
python3 -c 'import pty; pty.spawn("/bin/bash")'
Got user.txt
Will Move to Privilege Escalation…!
We can see db creds in config file.
After through Enumeration on the mysql, there is nothing useful
Will check is there a cronjob
cat /etc/crontab
Will check our permissions on the file running by root
ls -la /var/www/laravel/artisan
We have full accesss, so we can modify the php code into out reverse shell Program
I have used this php reverse shell code: https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php
And set up the listener
rlwrap nc -nvlp 443
Got it…!
Root.txt
Done with Editorial…:)