# Cronos

### Port scan

![](https://i.imgur.com/wXgFo89.png)

### Port 80 is open, so I try to access it

### Then I find the default page, which means something is wrong with the routing configuration

![](https://i.imgur.com/APwqCDB.png)

### So I try to modify hosts (a file) that allows us to use a domain name to access the page

![](https://i.imgur.com/DQrqSce.png)

### Then we can see the right page

![](https://i.imgur.com/iypJn9k.png)

### But all the links on this page are outside this domain, so I try to find another way to exploit this host

![](https://i.imgur.com/yZIsjdF.png)

### From the result of the port scan we can see this host is a DNS server

### So I use the dig command to get more information

![](https://i.imgur.com/eyevEVQ.png)

### We can see that there is a domain name admin.cronos.htb; perhaps it can be used

### We also need to modify hosts

### Then we can access admin.cronos.htb, which is a login page. I try to log in with a weak password but fail

### So I try to test whether this site has an SQL injection exploit or not

### I use Burp Suite to brute force every possibility from an SQL injection cheat sheet

![](https://i.imgur.com/8qyWAcI.png)

### Then I use the first one to log in and find that this page has a command injection exploit

![](https://i.imgur.com/fWPq7ys.png)

### So I try to use command injection to get a reverse shell

### I try several kinds of reverse shell (but they are useless); finally I use Python to get a reverse shell

### I also check the schedule (crontab command and crontab file, hinted at by the machine name)

![](https://i.imgur.com/jBAhW6v.png)

### I find a command that executes with root privileges

### This user (www-data) can modify this file (artisan.php), so I change the file's content to a PHP reverse shell and then get root privileges

![](https://i.imgur.com/aYoRdG4.png)
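
The final step works because a scheduled job running as root executes a file that www-data can modify. The audit below checks a system crontab for that condition; it is an added example, not part of the original writeup, and the temporary `artisan` path, the sample crontab lines and the function names are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# System-crontab format: five schedule fields, a user field, then the command.
# "@reboot"-style entries and per-user crontabs are out of scope here.
CRON_LINE = re.compile(r"^\s*(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def writable_by_non_root(st_uid, st_mode):
    """Conservative: not owned by root, or group/other write bit set."""
    return st_uid != 0 or bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(text):
    """Return sorted (path, reason) pairs for root jobs whose command
    references a regular file that a non-root user could modify."""
    findings = set()
    for line in text.splitlines():
        m = CRON_LINE.match(line)
        if line.lstrip().startswith("#") or not m or m.group("user") != "root":
            continue
        for token in m.group("cmd").split():
            # Only absolute paths to regular files (skips /dev/null etc.).
            if not token.startswith("/") or not os.path.isfile(token):
                continue
            # A writable parent directory lets the file be replaced outright.
            for target in (token, os.path.dirname(token)):
                st = os.stat(target)
                if writable_by_non_root(st.st_uid, st.st_mode):
                    findings.add((target, "modifiable by non-root"))
    return sorted(findings)

def demo():
    """Constructed sample: a root job running a world-writable script."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "artisan")  # constructed stand-in path
    with open(script, "w") as f:
        f.write("<?php // placeholder\n")
    os.chmod(script, 0o666)
    crontab = (
        "# constructed sample crontab\n"
        f"* * * * * root php {script} schedule:run >> /dev/null 2>&1\n"
        f"* * * * * www-data php {script} not-a-root-job\n"
    )
    return script, audit_crontab(crontab)

if __name__ == "__main__":
    for path, reason in demo()[1]:
        print(f"{path}: {reason}")
```

Any path it reports should be owned by root with no group or other write permission, along with its parent directory.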