HTB – Cronos

In Cronos we get exposed to some new and some old! Some DNS enumeration followed by SQLi with a bit of OS command execution will get us on the box. Privesc we abuse a particular cronjob.

First, our can:


DNS enumeration:

First step is to resolve the IPs of Cronos, use nslookup

Any time we see DNS running on TCP, we should try for a zone transer:

Perfect! Lets add these names to our /etc/hosts file:

Next step visiting cronos.htb

Nothing much going on here so I’ll pivot over to admin.cronos.htb

After many trivial and useless attempts to crack this, I finally found a SQLi that worked:

' or 1=1-- -

Absolutely brutal but a reminder to run through the gambit before you call it quits!

Now depending on what is happening here I think we can issue some OS commands by chaining commands and if we can, reverse shell!

Even easier than that I realized I could intercept the request and place my own command!


and we got a shell!

Grab the user flag and your PrivEsc tool, I used here.

It leads us to a cron job and I notice I have write permissions to the file that’s being run.

I went into my php reverse shell toolkit and grabbed my reverse shell. Copied it onto artisan and waited:

Grab the flag and all set!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: