All port

Deep scan + redirect to cozyhosting.htb

Found a login page, default creds did not work

Inspecting the source leads to a template name and a bootstrap version

Next steps:
After finding out the underlying framework was spring boot and seclists had a specific wordlists for spring boot. Found these directories

The sessions directory held a cookie I could replace with my own and get past the login screen


Towards the bottom of the page there is an option to add a host. I determined after some output in the URL that this was executing ssh on the remote server.

What I needed to do was escape the ssh command to run my own. I transferred the POST request to Burp and tested several methods. What ended up working was piping the ssh command into curly brackets |{echo,base64 shell}|{base64,-d}|bash. I inserted that last line after the username in the burp request and ended up getting a shell


Post Foothold
We got a foothold but don’t have user. In the app folder there is a .jar file, which is essentially a .zip file and can be treated as such

I setup a python server on the target then download and extract the file on my attacker machine. I get several interesting files, one of which is the applications.properties file. I open it.

That’s a database password! Unfortunately I cannot access this database from the app user shell I got, so I run chisel to get access to the local ports then get access to postgresql using the psql tool.




From here we take a look at the databases and see one for cozyhosting

The users table reveals a hashed password for a user admin

We echo this hash into a file then use John to crack it, it’s bcrypt according to john. Using the rockyou.txt wordlists we make short work of the password


That password leads to a ssh login. Previously when I got the initial foothold I found a user, josh, in the home directory.

The next part was probably the easiest. Manual enumeration shows josh can run ssh as sudo.

A quick gtfobins search shows we can leverage this for root

Drumroll….

pwned :)