From nmap, the open services are SSH, DNS, and HTTP.

This is the web page.

With a zone transfer, I got other domains to access.

There is a login page in admin.cronos.htb.

I ran sqlmap to check for SQL injection. And yes, there really is.

I dumped the users table and got the username admin and its MD5-hashed password.

I logged in with SQL injection.

We can run traceroute or ping from the web page with user-provided parameters.

I tried command injection, and it worked.
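
As an added example (not the Cronos application's own code), here is a minimal PHP version of the ping/traceroute handler: first the pattern that makes the injection above possible, then a hardened handler that allow-lists the tool, validates the target, and quotes it before it reaches the shell. The function names and the tool allow-list are assumptions for this example.

```php
<?php
// Added example, not the application's code. Models the ping/traceroute form
// described above.

// VULNERABLE: the user-supplied host is concatenated straight into a shell
// command, so any shell metacharacter in $host changes what runs as www-data.
function run_ping_vulnerable(string $host): string
{
    return (string) shell_exec("ping -c 3 " . $host);
}

// HARDENED: fixed command allow-list, strict target validation, and
// escapeshellarg() so the target is always passed as a single argument.
function run_net_tool(string $tool, string $host): string
{
    // Assumed paths; only these two programs can ever be invoked.
    $allowed = [
        'ping'       => '/bin/ping -c 3',
        'traceroute' => '/usr/bin/traceroute',
    ];
    if (!isset($allowed[$tool])) {
        throw new InvalidArgumentException('unknown tool');
    }

    // Accept an IPv4/IPv6 literal or an RFC 1123 hostname. The hostname
    // pattern requires an alphanumeric first character, so targets beginning
    // with "-" (option injection) are rejected as well.
    $isIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $label  = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $isName = (bool) preg_match("/^(?=.{1,253}\$){$label}(?:\\.{$label})*\$/i", $host);
    if (!$isIp && !$isName) {
        throw new InvalidArgumentException('invalid target');
    }

    // escapeshellarg() single-quotes the value and escapes embedded quotes, so
    // even if validation were relaxed later the target could not become a
    // second command.
    $cmd = $allowed[$tool] . ' ' . escapeshellarg($host) . ' 2>&1';
    return (string) shell_exec($cmd);
}

// Usage with a constructed target:
// echo run_net_tool('ping', '10.10.10.13');
```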

I can give myself a reverse shell as www-data.

With pspy64, I found that root runs artisan every minute.

It is a PHP file. I added a command at the end of the file to give me a reverse shell.

And I got a reverse shell as root.