CozyHosting - Hack The Box
Enumeration
Nmap
The initial nmap scan revealed that the HTTP and SSH ports were open.
Web Enumeration
The web request was forwarded to cozyhosting.htb, so I added it to the /etc/hosts file.
Then I applied standard directory brute forcing and found an error page.
Searching for this error page revealed that it was a Spring Boot application.
Then I applied directory brute forcing with Spring Boot-specific wordlists and found a valid endpoint named actuator.
This endpoint included some URLs.
The actuator/sessions path contained some valid session cookies.
Then I passed the session cookie and logged in as the kanderson user.
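From the defender's side, the step above leaves a clear trace: requests to /actuator and its sub-paths in the web server's access log. The following detector is an added example (not part of the original write-up) that parses combined-format access log lines, which are constructed here, and grades each actuator hit. The severity rules and function names are my own; /actuator/sessions is the endpoint used in the write-up, and env and heapdump are Spring Boot's standard endpoint names.

```python
"""Flag requests to Spring Boot actuator endpoints in a web server access log.

Added example; not part of the original write-up. The log lines are constructed in the
combined log format used by Nginx and Apache, and the severity rules are my own choice.
"""
import re
from collections import Counter

# Endpoints whose unauthenticated exposure is worst. /actuator/sessions is the one used in
# the write-up; env and heapdump are Spring Boot's standard endpoint names for the
# running configuration and a JVM heap dump.
HIGH_RISK_PATHS = {"/actuator/sessions", "/actuator/env", "/actuator/heapdump"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def is_actuator_path(path: str) -> bool:
    return path == "/actuator" or path.startswith("/actuator/")


def severity(path: str, status: int) -> str:
    """A 200 on a high-risk endpoint is high; any other 200 under /actuator is medium;
    a denied or missing endpoint (401/403/404) still gets a low note because it shows
    someone is probing."""
    if status != 200:
        return "low"
    return "high" if path in HIGH_RISK_PATHS else "medium"


def scan(lines):
    """Return one finding per actuator request, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_actuator_path(rec["path"]):
            continue
        findings.append({
            "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
            "status": rec["status"], "severity": severity(rec["path"], rec["status"]),
        })
    return findings


def hits_per_source(findings) -> dict:
    """Count actuator hits per client address (a burst from one IP is the usual pattern)."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample: one normal request, then three actuator requests from the same source.
SAMPLE_LOG = [
    '10.10.14.5 - - [12/Oct/2023:10:01:07 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [12/Oct/2023:10:02:11 +0000] "GET /actuator HTTP/1.1" 200 634 "-" "curl/8.1"',
    '10.10.14.5 - - [12/Oct/2023:10:02:40 +0000] "GET /actuator/sessions HTTP/1.1" 200 148 "-" "curl/8.1"',
    '10.10.14.5 - - [12/Oct/2023:10:03:02 +0000] "GET /actuator/env HTTP/1.1" 401 0 "-" "curl/8.1"',
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:<6}] {f['ip']} {f['status']} {f['path']}")
    print(hits_per_source(results))
```

The fix on the application side is to stop exposing these endpoints without authentication; the detector is there to tell you when an existing deployment has not done that yet.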
Exploit
Command Injection
The website included an executessh function. At first I tried some command injection payloads and they did not work. Later I understood that it was filtering whitespace. So I encoded a tab (\t) and it worked. ${IFS} also works to get around the whitespace filter.
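The reason a whitespace filter fails here is that it is a blocklist: it rejects the space character while the shell that eventually parses the command treats tabs, newlines and the expansion of ${IFS} as separators too. The block below is an added example, not the CozyHosting application's code; it models the pattern in Python with a vulnerable builder next to a hardened one. The function names, the ConnectTimeout option and the username/hostname allowlists are my choices.

```python
"""Whitespace blocklist vs. allowlist validation for values spliced into an ssh command.

Added example; not the CozyHosting web app's code. It models the pattern the write-up
describes: a user-supplied username/host goes into a shell command after a check that
only rejects the space character.
"""
import re
import shlex
import subprocess


class RejectedInput(ValueError):
    """Raised when a parameter fails validation."""


def build_command_blocklist(host: str, username: str) -> str:
    """Vulnerable pattern: the only check is 'no space character', and the resulting
    string is meant for shell=True. Tabs, newlines and ${IFS} all pass the check."""
    if " " in username or " " in host:
        raise RejectedInput("whitespace not allowed")
    return f"ssh -o ConnectTimeout=5 {username}@{host}"


def shell_word_count(command: str) -> int:
    """How many words a POSIX shell splits the command into (shlex mirrors the splitting,
    but does not perform parameter expansion, so a literal ${IFS} stays inside its word
    here whereas a real shell would expand it to whitespace first)."""
    return len(shlex.split(command))


# Allowlists: what a Unix username and a hostname may actually contain. Both must start
# with an alphanumeric (or underscore), which also rules out option-looking values.
_USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def build_command_allowlist(host: str, username: str) -> list:
    """Hardened pattern: validate against an allowlist and return an argv list that is
    handed to the OS without a shell, so nothing is ever re-parsed."""
    if not _USERNAME_RE.fullmatch(username):
        raise RejectedInput("invalid username")
    if not _HOSTNAME_RE.fullmatch(host):
        raise RejectedInput("invalid hostname")
    return ["ssh", "-o", "ConnectTimeout=5", f"{username}@{host}"]


def run_ssh(host: str, username: str) -> int:
    """Execute the hardened form; returns ssh's exit status. Not called by the test."""
    argv = build_command_allowlist(host, username)
    return subprocess.run(argv, shell=False, capture_output=True, timeout=15).returncode


def check_input(host: str, username: str) -> dict:
    """Report whether each approach accepts the same input."""
    result = {}
    try:
        build_command_blocklist(host, username)
        result["blocklist"] = "accepted"
    except RejectedInput:
        result["blocklist"] = "rejected"
    try:
        build_command_allowlist(host, username)
        result["allowlist"] = "accepted"
    except RejectedInput:
        result["allowlist"] = "rejected"
    return result


if __name__ == "__main__":
    for user in ("kanderson", "kanderson x", "kanderson\tx", "kanderson${IFS}x"):
        print(repr(user), check_input("localhost", user))
```

The second builder never produces a string for a shell at all; validation decides what is a legal username or hostname, and argv passing means there is no separator character left to smuggle.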
Then I created a reverse shell payload and got a reverse shell.
After the initial connection, I was in the app directory, which contained a JAR file. I transferred that file to my machine and unzipped it.
The file was the Spring Boot application’s JAR. After some research I found that the application.properties file holds configuration for the web app, so I checked that file and found the database and its password.
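A packaged JAR carrying a plaintext database password is a configuration-hygiene problem that is easy to catch before deployment. The scanner below is an added example (not the box's real file or code): it parses a .properties file, flags credential-like keys whose value is a literal rather than a ${ENV_NAME} placeholder, and can open a Spring Boot executable JAR directly, where the file lives at BOOT-INF/classes/application.properties. The sample properties are constructed; the key names under spring.datasource.* are Spring Boot's real ones.

```python
"""Find plaintext credentials in a Spring Boot application.properties.

Added example; the sample file is constructed and the checks are my own, not anything
from the box. Spring Boot packages the file at BOOT-INF/classes/application.properties
inside the executable JAR, and a value written as ${ENV_NAME} is resolved from the
environment at startup, which is the fix this scanner recommends.
"""
import re
import zipfile

PROPERTIES_PATH = "BOOT-INF/classes/application.properties"
SECRET_KEY_RE = re.compile(r"password|passwd|secret|token|credential|api[-_.]?key", re.I)
PLACEHOLDER_RE = re.compile(r"^\$\{[A-Za-z0-9_.:-]+\}$")
# key=value, key:value or key value; the key ends at the first separator or whitespace.
KV_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> dict:
    """Minimal .properties parser: comments (# or !), the three separator forms, and
    backslash line continuations. Unicode/escape sequences are left as written."""
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        logical += line
        m = KV_RE.match(logical)
        logical = ""
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def find_plaintext_secrets(props: dict) -> list:
    """Keys that look like credentials but hold a literal value rather than a placeholder."""
    return [k for k, v in props.items()
            if SECRET_KEY_RE.search(k) and v and not PLACEHOLDER_RE.match(v)]


def recommend(props: dict) -> list:
    """For each flagged key, the placeholder line it should use instead
    (spring.datasource.password -> ${SPRING_DATASOURCE_PASSWORD})."""
    out = []
    for k in find_plaintext_secrets(props):
        env_name = k.upper().replace(".", "_").replace("-", "_")
        out.append(k + "=${" + env_name + "}")
    return out


def scan_jar(jar_path: str) -> list:
    """Open a Spring Boot fat JAR (a ZIP) and run the check on its packaged properties.
    .properties files are ISO-8859-1 by specification, hence the latin-1 decode."""
    with zipfile.ZipFile(jar_path) as jar:
        if PROPERTIES_PATH not in jar.namelist():
            return []
        text = jar.read(PROPERTIES_PATH).decode("latin-1")
        return find_plaintext_secrets(parse_properties(text))


# Constructed sample in the shape the write-up describes: datasource settings with the
# password written inline. All values are invented.
SAMPLE = """\
# constructed example
server.port=8080
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=example-plaintext-password
app.jwt.secret=${JWT_SECRET}
management.endpoints.web.exposure.include=health
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    for line in recommend(props):
        print("replace with:", line)
```

Run scan_jar against a build artifact in CI and fail the pipeline on a non-empty result; the same check on the sample above flags only the datasource password, since the JWT secret is already a placeholder.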
Then, using the psql command with the necessary parameters, I got an interactive PostgreSQL shell. Listing the tables revealed the users table.
The users table included the users’ hashed passwords.
Then I cracked the admin hash with hashcat and the rockyou.txt wordlist.
Then I used this password to log in over SSH and got the user flag.
Privilege Escalation
The user could run ssh with sudo. GTFOBins includes a sudo ssh privilege escalation; I simply applied the necessary steps and got root.
Pwned
The machine was pwned.