In Cronos we get exposed to some new and some old! Some DNS enumeration followed by SQLi with a bit of OS command execution will get us on the box. For privesc, we abuse a particular cron job.
First, our scan:
First step is to resolve the IPs of Cronos, use
Any time we see DNS running on TCP, we should try for a zone transfer:
Perfect! Let's add these names to our
Next step visiting
Nothing much going on here so I’ll pivot over to
After many trivial and useless attempts to crack this, I finally found a SQLi that worked:
' or 1=1-- -
Absolutely brutal, but a reminder to run through the gamut before you call it quits!
Now, depending on what is happening here, I think we can issue some OS commands by chaining commands and, if we can, a reverse shell!
Even easier than that, I realized I could intercept the request and place my own command!
And we got a shell!
Grab the user flag and your PrivEsc tool, I used LinEnum.sh here.
It leads us to a cron job and I notice I have write permissions to the file that’s being run.
I went into my PHP reverse shell toolkit and grabbed my reverse shell. I copied it onto artisan and waited:
Grab the flag and all set!
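The privesc above works because a privileged cron job runs a file that the web user can write. As an added example (not part of the original writeup), this audit parses a system crontab and flags files run by root jobs that a non-root user could modify or replace. The sample crontab, the file names and the `trusted_uids` parameter are constructed for illustration.

```python
import os
import shlex
import stat
import tempfile

def is_tamperable(path, trusted_uids=frozenset({0})):
    """True if a user outside trusted_uids could modify or replace path."""
    for p in (path, os.path.dirname(path)):  # the file, then its directory
        st = os.stat(p)
        if (st.st_uid not in trusted_uids          # untrusted owner
                or st.st_mode & stat.S_IWOTH       # world-writable
                or (st.st_mode & stat.S_IWGRP and st.st_gid != 0)):  # group-writable
            return True
    return False

def audit_crontab(text, run_as="root", trusted_uids=frozenset({0})):
    """Return [(line_no, path)] for tamperable files that run_as jobs execute."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # /etc/crontab layout: five time fields (or one @keyword), user, command
        n = 2 if line.startswith("@") else 6
        parts = line.split(None, n)
        if len(parts) <= n or parts[-2] != run_as:
            continue  # environment line, malformed line, or another user's job
        try:
            tokens = shlex.split(parts[-1])
        except ValueError:  # unbalanced quotes
            continue
        # The script is often an interpreter argument, so check every absolute
        # path; isfile() skips devices such as /dev/null used in redirections.
        findings += [(no, t) for t in tokens if t.startswith("/")
                     and os.path.isfile(t) and is_tamperable(t, trusted_uids)]
    return findings

def demo():
    """Constructed sample; the current uid stands in for root so it runs unprivileged."""
    d = tempfile.mkdtemp()
    weak, safe = os.path.join(d, "artisan"), os.path.join(d, "backup.sh")
    for path, mode in ((weak, 0o666), (safe, 0o644)):
        open(path, "w").close()
        os.chmod(path, mode)
    crontab = (f"SHELL=/bin/sh\n* * * * * root php {weak} schedule:run >> /dev/null 2>&1\n"
               f"@daily root {safe}\n")
    return audit_crontab(crontab, trusted_uids={os.getuid()}), weak

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the contents of the system crontab to `audit_crontab()` with the default `trusted_uids`; a finding is fixed by making the file and its directory root-owned and not writable by other users.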