All port

Description of image

Deep scan + redirect to cozyhosting.htb

Description of image

Found a login page, default creds did not work

Description of image

Inspecting the source leads to a template name and a bootstrap version

Description of image

Next steps:

After finding out the underlying framework was spring boot and seclists had a specific wordlists for spring boot. Found these directories

Description of image

The sessions directory held a cookie I could replace with my own and get past the login screen

Description of image

Description of image

Towards the bottom of the page there is an option to add a host. I determined after some output in the URL that this was executing ssh on the remote server.

Description of image

What I needed to do was escape the ssh command to run my own. I transferred the POST request to Burp and tested several methods. What ended up working was piping the ssh command into curly brackets |{echo,base64 shell}|{base64,-d}|bash. I inserted that last line after the username in the burp request and ended up getting a shell

Description of image

Description of image

Post Foothold

We got a foothold but don’t have user. In the app folder there is a .jar file, which is essentially a .zip file and can be treated as such

Description of image

I setup a python server on the target then download and extract the file on my attacker machine. I get several interesting files, one of which is the applications.properties file. I open it.

Description of image

That’s a database password! Unfortunately I cannot access this database from the app user shell I got, so I run chisel to get access to the local ports then get access to postgresql using the psql tool.

Description of image

Description of image

Description of image

Description of image

From here we take a look at the databases and see one for cozyhosting

Description of image

The users table reveals a hashed password for a user admin

Description of image

We echo this hash into a file then use John to crack it, it’s bcrypt according to john. Using the rockyou.txt wordlists we make short work of the password

Description of image

Description of image

That password leads to a ssh login. Previously when I got the initial foothold I found a user, josh, in the home directory.

Description of image

The next part was probably the easiest. Manual enumeration shows josh can run ssh as sudo.

Description of image

A quick gtfobins search shows we can leverage this for root

Description of image

Drumroll….

Description of image

pwned :)