Cronos - 10.10.10.13
Ports / Services / Software versions running
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
SQL injection authentication bypass.
Command execution on authenticated webapp
Php cron service running as root.
Exploiting the host:
Check for dns records
Update /etc/hosts file with 10.10.10.13 cronos.htb
Login and fuzz the login with sqli in burp intruder.
These give a 302 redirect to /welcome.php so it is vulnerable to sqli authentication bypass.
This looks like it could be vulnerable to command injection.
Add ; id after the 220.127.116.11 address.
Check we can write files to the system and look for other tools like wget nc etc to get a shell using touch test.php.
Generate a php reverse shell with msfconsole.
Download shell with wget
Execute the shell by visiting /vdk.php
Download all enumeration scripts to the system and run.
Checking the content of /etc/crontab shows a file running as root so we just need to copy our vdk shell to /var/www/laravel/artisan
Copy our php reverse shell to the dir, rename and make executable.
Ensure the php reverse shell is listening, after a brief period you should get a shell.
Collect the flags