Today we're going to solve another CTF machine, "Cronos". It is now a retired box and can be accessed if you're a VIP member.

Introduction

Specifications

  • Target OS: Linux
  • Services: SSH, HTTP, ISC Bind
  • IP Address: 10.10.10.13
  • Difficulty: Medium

Weakness

  • SQL Injection
  • Cron running as root

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Port Scanning

During this step we're going to identify the target to see what we have behind the IP address.

Dig

After spending some time enumerating directories we found nothing, so I decided to do some digging with dig.

We found admin.cronos.htb, and after adding it to /etc/hosts we found an administrator login page.

Login

We can try brute forcing with different wordlists and usernames, but it didn't work. Then we gave SQLi a shot and tried sqlmap.

Inside sqlmap.req we have our POST request.

It appears that the username field is vulnerable to SQL injection.

Alternatively, we can try different methods manually; for more information, you can read the OWASP SQL injection wiki.

Try admin'-- - as the username and use a random password.
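Why that username works with any password, as an added example that is not part of the original write-up: a constructed Python/SQLite stand-in for a login query built by string concatenation, next to the parameterized form that rejects the same input. The box's real PHP code and schema are not shown on this page, so the table, column and function names here are assumptions.

```python
import hashlib
import sqlite3

PAYLOAD = "admin'-- -"  # the username quoted in the write-up


def digest(password):
    # Plain SHA-256 keeps the demo short; a real store needs a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Constructed in-memory table standing in for the application's users.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", digest("constructed-secret")))
    return db


def login_vulnerable(db, username, password):
    # Input is concatenated into the SQL text: a quote in `username` closes
    # the string literal and `--` comments out the password comparison.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + digest(password) + "'")
    return db.execute(query).fetchone() is not None


def login_hardened(db, username, password):
    # Bound parameters are passed as data and never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(query, (username, digest(password))).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", login_vulnerable),
                     ("hardened", login_hardened)):
        print(name, "payload + random password ->", fn(db, PAYLOAD, "random"))
        print(name, "admin + correct password  ->",
              fn(db, "admin", "constructed-secret"))
```
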

Command Injection

Since we have a command injection, we can simply bypass it by placing ';' at the end.

Example 6: https://www.owasp.org/index.php/Command_Injection

Let’s get a reverse shell.

Since we had Perl installed, we have to use a Perl reverse shell.

And we got a shell.

Privilege Escalation

Now that we have a user, we're going after root, which means escalating privileges. Let's run some privilege escalation scripts to get some basic information.

Normally I use the LinEnum.sh script, which collects some important information. After doing some research, I found that the crontab contains a scheduled command which runs a file as root.

Since we have a command in the crontab running as root, we can spawn a PHP reverse shell easily.