Cronos|HTB

Hello guys, welcome back. Today we are going to solve one of the easiest OSCP-like machines. It is from Hack The Box and here is the link. So let's get started. First things first: for this machine you need to have knowledge of SQLi and kernel vulnerabilities.

I'm using Kali Linux as my attacker machine. So let's begin.

Enumeration:

One of the most important stages in pentesting. Now let's enumerate the machine. First, let's find the open ports and the services that are running.

“nmap -sC -sV <IP> -vv -oN scan”

Looks interesting. We have DNS port 53 open. But I ignored it and enumerated the machine further, brute-forcing the web directories and running vuln scans using nmap NSE scripts, but got no luck. Then I came back to this DNS port. So I got an idea: “What if I add the domain ‘cronos.htb’ to my hosts file?”

“sudo nano /etc/hosts”

And it worked ;) We have a website running.

So I enumerated it by brute-forcing the directories.

“gobuster dir -u http://cronos.htb -w /usr/share/wordlists/dirb/big.txt -t50 -x .php,.conf,.config,.html,.js,.css”

Found this one, but it is not useful. So then I decided to find the subdomains.

“wfuzz -c -u http://cronos.htb -H "Host: FUZZ.cronos.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw 975”

So it gave me some hope. There is a subdomain ‘admin.cronos.htb’. Add this to your hosts file, then open it.

Gaining Access:

So we have a login page here. I tried some SQLi payloads to bypass it, and it was successful :)

“username:admin' or 1=1 -- &password=admin' or 1=1 -- ”
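Why that input gets past the login form, and the fix that stops it, as an added example that is not code from the Cronos application or from the original post. It assumes the backend concatenates the form fields into its SQL string; the in-memory SQLite table, its data, and all function and column names are constructed for illustration.

```python
import hashlib
import sqlite3


def pw_hash(password):
    # Plain SHA-256 keeps the example short; a real application would use a
    # salted, slow KDF (bcrypt, scrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory stand-in for the login backend (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
               ("admin", pw_hash("constructed-sample-password")))
    return db


def login_vulnerable(db, username, password):
    """Builds the query by concatenation: user input becomes SQL syntax."""
    query = ("SELECT id FROM users WHERE username = '" + username +
             "' AND pw_hash = '" + pw_hash(password) + "'")
    # With the write-up's username the statement becomes
    #   ... WHERE username = 'admin' or 1=1 -- ' AND pw_hash = '...'
    # so the password check is commented out and every row matches.
    return db.execute(query).fetchone() is not None


def login_safe(db, username, password):
    """Binds input as parameters: the quote and comment marker stay data."""
    query = "SELECT id FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(query, (username, pw_hash(password))).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 1=1 -- "  # username value quoted in the write-up
    for label, check in (("concatenated", login_vulnerable),
                         ("parameterized", login_safe)):
        print(label, "accepts payload + wrong password:",
              check(db, payload, "wrong"))
        print(label, "accepts real credentials:",
              check(db, "admin", "constructed-sample-password"))
```

The parameterized version is the mitigation: the driver sends the values separately from the statement, so no escaping of the input is needed.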

Now it's time to open Burp Suite.

These are the request headers. As we can observe, there are two parameters: the first is command and the second is host. So there is a possibility of command injection. So let's try.

So I sent this one, and I got this.

Don't mind shell.php; I uploaded it before writing this one. So we have a command injection vulnerability. So I quickly prepared my PHP shell and sent it with wget.

So now let's get into the system.

OK, after going through the URL “http://admin.cronos.htb/shell.php”

we got our shell.

After getting the shell, let's grab our user flag.

Now it's time to get our root flag. I've tried manual privesc.

Privilege Escalation:

So privilege escalation is very easy. I ran linPEAS and it immediately showed that the kernel is vulnerable. So I quickly went to Exploit-DB, compiled the exploit on my machine, and delivered the compiled exploit to the machine using wget and a Python server. So now let's run the exploit.

Now we've got the root flag. So, successfully completed.

If you have any doubts, let me know.

HAPPY HACKING…….:)

PEACE…;)


Ethical Hacker,Dream chaser.

Sampath Pendurthi
