Hello guys,welcome back,Today we are going to solve one of the easiest OSCP like machine.It is from hackthebox and here is the link.So Let’s get Started.First things First ,For this machine you need to have knowledge on sqli and kernel vulnerabilities.
I’m using kali linux as my attacker machine.So let’s begin.
One of the most important stage in pentesting.Now let’s enumerate the machine.First let’s find the open ports and services that are running.
“nmap -sC -sV <IP> -vv -oN scan”
looks interesting.we have Dns port 53 is open.But i ignored it and enumerated the machine further bruteforcing the web dir’s and vuln scans using namp nse scripts but got no luck.Then i came to this dns port.So i got an idea “What if i add a domain ‘cronos.htb’ to my hosts file”
“sudo nano /etc/hosts”
and it worked….;) we have a website running..
so i’ve enumerated it by bruteforcing the dir’s.
“gobuster dir -u http://cronos.htb -w /usr/share/wordlists/dirb/big.txt -t50 -x .php,.conf,.config,.html,.js,.css”
found this one.But it is not useful.So,then i’ve decided to find the subdomains.
“wfuzz -c -u http://cronos.htb -H “Host: FUZZ.cronos.htb” -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt — hw 975”
So it gave me some hope.SO,there is an subdomain ‘admin.cronos.htb’.Add this to ur hosts file.then open it.
So we have a login page here.SO i’ve tried some sqli payloads to bypass it.and it was successful….:)
“username:admin’ or 1=1 — &password=admin’ or 1=1 — “
Now it’s time to open the burpsuite.
This is the req headers. as we can observe that there is two parameters.first is command and second one is host.so there is a possibility for command injection.So let’s try
So i sent this one.and i got this.
don’t mind shell.php i’ve uploaded it before writing this one.So we have a command injection vulnerability.so i quickly prepared my php shell and sent it with wget.
So now let’s get into the system….
Ok after going through the url “http://admin.cronos.htb/shell.php”
we got our shell
after getting the shell.let’s grab out user flag.
Now lts time to get our root flag.i’ve tried manual privesc.
So for privilege escalation.It is very easy.I ran the linpeas.immediately it showed the kernel is vulnerable.so i quickly go to exploitdb.compiled the exploit in my machine and i’ve deliveried the compiled exploit to the machine using wget and python server.So now let’s get run the exploit.
Now we’ve got the root flag. SO successfully completed ……
If you have any doubts Let me Know.