OSCP Preparations – HTB Cronos

Cronos is a retired Hack The Box machine running Linux. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the services on the target machine.
Classic Scan

Full Port Scan

The scan shows three open ports: 22/tcp (OpenSSH 7.2p2), 53/tcp (ISC BIND) and 80/tcp (Apache httpd).
Since port 80 is open, we browse to the IP address and see the default Apache page. Neither the page source (via the browser's developer tools) nor Wappalyzer reveals anything useful. Because there may be hidden files and directories, we run a directory scan with gobuster.
Gobuster scan

The gobuster scan did not return anything useful.
Since DNS (53/tcp) is open, we try DNS enumeration against the target's name server.

We detected the domain and its subdomains and wrote them into the /etc/hosts file.
Let's visit these subdomains.
The admin.cronos.htb subdomain is the interesting one, because it presents an admin login screen.
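Turning the DNS enumeration results into /etc/hosts entries is a small but repeated chore, so here is an added example (not the author's commands or output) that parses zone-transfer output and emits the hosts lines. The dig transcript in the block is a constructed sample in AXFR format; its records and the 10.10.10.13 address are assumptions for illustration, not a claim about the target's real zone.

```python
"""Turn zone-transfer output into /etc/hosts lines.

Added example for this writeup, not the author's commands or output. The dig transcript
below is a constructed sample in AXFR format; its records and the 10.10.10.13 address
are assumptions for illustration, not a claim about the target's real zone.
"""
import re
from collections import OrderedDict

# The enumeration itself is two queries against the target's own name server:
#   dig @<target-ip> -x <target-ip>      reverse lookup: learn the zone name
#   dig @<target-ip> <zone> axfr         ask for the whole zone (only works if the
#                                        server allows transfers to anyone)
SAMPLE_AXFR = """\
; <<>> DiG 9.16.1 <<>> @10.10.10.13 cronos.htb axfr
;; global options: +cmd
cronos.htb.          604800  IN  SOA    cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.          604800  IN  NS     ns1.cronos.htb.
cronos.htb.          604800  IN  A      10.10.10.13
admin.cronos.htb.    604800  IN  A      10.10.10.13
ns1.cronos.htb.      604800  IN  A      10.10.10.13
www.cronos.htb.      604800  IN  CNAME  cronos.htb.
;; Query time: 40 msec
"""

RECORD_RE = re.compile(r"^(?P<name>[^\s;]+)\s+\d+\s+IN\s+(?P<type>A|CNAME)\s+(?P<value>\S+)\s*$")


def parse_records(axfr_text):
    """Return (name, type, value) for every A and CNAME record, trailing dots removed.
    Comment lines (';') and other record types (SOA, NS, ...) are ignored."""
    records = []
    for line in axfr_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append((m["name"].rstrip("."), m["type"], m["value"].rstrip(".")))
    return records


def hosts_entries(records):
    """Group every hostname under the IPv4 address it resolves to, following CNAME
    chains inside the zone, and return ready-to-paste /etc/hosts lines."""
    a_records = {name: value for name, rtype, value in records if rtype == "A"}
    cnames = {name: value for name, rtype, value in records if rtype == "CNAME"}

    def resolve(name, hops=0):
        # Follow CNAMEs within the zone; stop after a few hops so a loop cannot hang us.
        while name in cnames and hops < 8:
            name, hops = cnames[name], hops + 1
        return a_records.get(name)

    by_ip = OrderedDict()
    for name in list(a_records) + list(cnames):
        ip = resolve(name)
        if ip:
            by_ip.setdefault(ip, [])
            if name not in by_ip[ip]:
                by_ip[ip].append(name)
    return ["%s %s" % (ip, " ".join(names)) for ip, names in by_ip.items()]


if __name__ == "__main__":
    for line in hosts_entries(parse_records(SAMPLE_AXFR)):
        print(line)  # append these to /etc/hosts (needs root on the attacking box)
```

Names that only appear as CNAME targets outside the zone are dropped, since there is no address to map them to; on a real engagement you would pipe `dig ... axfr` straight into `parse_records`.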

We tried logging in with default credentials without success. We then tried SQL injection in the login form, and that let us in.
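To make the login bypass concrete, here is an added example (not the target application's code, whose source the post does not show) of the vulnerable query pattern beside its fixed form. The schema, the single admin account, the hashing and the two payloads are constructed for illustration, and sqlite3 stands in for the MySQL backend a PHP site would normally use.

```python
"""Authentication bypass by SQL injection: vulnerable login next to the fixed one.

Added example for this writeup, not the target's code. The schema, the user row, the
hashing and the payloads are constructed for illustration; sqlite3 stands in for the
MySQL backend a PHP/Laravel site would normally use.
"""
import hashlib
import sqlite3


def pw_hash(password):
    """Unsalted SHA-256, deliberately simple: the point here is the query, not password
    storage. Real applications should use a slow, salted KDF (bcrypt, scrypt, argon2)."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_demo_db():
    """In-memory users table with one admin account (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("admin", pw_hash("correct-horse-battery")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query. The password is hashed first, so that value is harmless;
    the username goes straight into the SQL text and can rewrite the WHERE clause.
    Returns the matched username or None."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, pw_hash(password)))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same logic with bound parameters: user input can only ever be a value, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_demo_db()
    # Two classic payloads (constructed): comment out the password check, or make the
    # WHERE clause true for every row so the first user (admin) comes back.
    for user in ("admin' -- ", "' OR 1=1 -- "):
        print(repr(user), "vulnerable ->", login_vulnerable(conn, user, "wrong"),
              "| safe ->", login_safe(conn, user, "wrong"))
```

Note that the often-quoted `' OR '1'='1` without a trailing comment does not work against this query shape: `AND` binds tighter than `OR`, so the password check still applies. The comment marker is what removes it.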

We can run traceroute and ping commands. And we can use

Having confirmed that the commands run this way, we intercept the request with Burp Suite and see whether we can turn it into a reverse shell for ourselves.
We've got our shell here.
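The reason a "ping this host" feature can be turned into a shell is that the hostname is spliced into a shell command string. The following added example (not the target application's code, whose source the post does not show) reproduces that shape in Python, with a validated, shell-free version beside it; the `INJECTED` payload is constructed and the `-W 1` flag just stops the ping from waiting long.

```python
"""Command injection in a 'ping this host' feature: the flaw beside the fix.

Added example for this writeup, not the target application's code. It reproduces the
shape of the bug: a hostname taken from the user is concatenated into a shell command.
"""
import re
import subprocess

# Plain hostnames and dotted IPv4 literals only: letters, digits, hyphens and dots,
# each label starting and ending with a letter or digit (so no leading '-' flags).
HOSTNAME_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def ping_vulnerable(host):
    """Concatenates the host into one string and hands it to /bin/sh.

    Shell metacharacters in <host> (; | && $(...) `...`) are interpreted, so the
    'host' can carry a second command. Returns stdout, so the injected command's
    output is visible just as it would be on the web page.
    """
    cmd = "ping -c 1 -W 1 " + host
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=15)
    return proc.stdout


def ping_argv(host):
    """Hardened version: validate, then build an argv list and never involve a shell.

    Returns the argv to hand to subprocess.run(argv) (shell=False is the default), or
    raises ValueError. With an argv list the host is always one argument, so even a
    metacharacter that slipped past validation could not start a second command.
    """
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError("rejected host parameter: %r" % host)
    return ["ping", "-c", "1", "-W", "1", host]


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"  # constructed payload using ';' as separator
    print("vulnerable output:", ping_vulnerable(payload).strip())
    print("hardened argv    :", ping_argv("admin.cronos.htb"))
    try:
        ping_argv(payload)
    except ValueError as exc:
        print("hardened rejects :", exc)
```

On the real target the injected command would be the reverse-shell one-liner rather than `echo`; the mechanism is identical. Both halves of the fix matter: validation limits what the parameter may contain, and the argv form means the shell never parses it at all.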

In this way we obtained our user flag. But we cannot read the root flag, because we do not have root privileges. We perform local enumeration to find a way to escalate.
Looking at the crontab for scheduled tasks, we see that /var/www/laravel/artisan, a PHP script, is run by cron.

What draws our attention is that the www-data user can also modify this file, while cron runs it with root privileges. Let's see what happens if we replace the script cron runs with a PHP reverse shell.
We take the pentestmonkey PHP reverse shell, edit the IP and port, and transfer it to the target machine.
We overwrite /var/www/laravel/artisan with the PHP reverse shell we transferred.
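The check that found this, stated as a rule, is: a cron job runs as root, and the file it executes (the script, not the interpreter) can be altered by someone who is not root. Here is an added example (not the author's tooling) that applies that rule to /etc/crontab-style text. The crontab shown is a constructed sample modelled on the situation described, not the original line, and the `mode_reasons` ownership and mode checks are what a practitioner would run against the real file.

```python
"""Spot cron jobs that run as root but execute a file a lower-privileged user can modify.

Added example for this writeup, not the author's tooling. SAMPLE_CRONTAB is a constructed
sample modelled on the situation described (root running a PHP script under
/var/www/laravel every minute); the original line is not reproduced.
"""
import os
import re
import shlex
import stat

INTERPRETERS = {"php", "python", "python3", "perl", "ruby", "sh", "bash", "node"}

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style text.

    Skips blank lines, comments and VAR=value assignments; accepts both the five
    time fields and the @reboot/@daily shorthands.
    """
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)  # @shortcut user command
        else:
            parts = line.split(None, 6)  # m h dom mon dow user command
        if len(parts) < 3 or (not line.startswith("@") and len(parts) < 7):
            continue
        jobs.append((parts[-2], parts[-1]))
    return jobs


def script_path(command):
    """Pick the file cron actually executes out of a command string.

    For 'php /var/www/laravel/artisan schedule:run' that is the artisan script, not
    the php binary: the interpreter is root-owned, the script need not be.
    """
    tokens = shlex.split(command)
    if not tokens:
        return None
    if os.path.basename(tokens[0]) in INTERPRETERS:
        for tok in tokens[1:]:
            if not tok.startswith("-"):
                return tok
        return None
    return tokens[0]


def mode_reasons(st_mode, st_uid):
    """Why a root cron target with these stat values is dangerous (empty if it is not)."""
    reasons = []
    if st_uid != 0:
        reasons.append("owned by uid %d, not root" % st_uid)
    if st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def writable_root_cron_targets(crontab_text):
    """Return {path: reasons} for root jobs whose executed file a non-root user could alter.

    Missing or relative targets are skipped; the parent directory's permissions are
    not examined here, although a writable directory would matter just as much.
    """
    findings = {}
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        path = script_path(command)
        if not path or not os.path.isabs(path) or not os.path.isfile(path):
            continue
        st = os.stat(path)
        reasons = mode_reasons(st.st_mode, st.st_uid)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    # On a real target read /etc/crontab and /etc/cron.d/* instead of the sample.
    for path, reasons in writable_root_cron_targets(SAMPLE_CRONTAB).items():
        print(path, "->", ", ".join(reasons))
```

A file that is owned by www-data and executed every minute by root's cron is exactly the case `mode_reasons` flags with "owned by uid 33, not root": the web user can replace its contents and root will run them on the next minute boundary.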

This is how we got our shell.
The shell comes back with root privileges, and from it we read the root flag.