CozyHosting (machine)
by k0d14k
CozyHosting is a machine provided by HackTheBox that exposes a hosting provider's web application.
Wappalyzer reveals that the web application is written in Java, so I looked for some Java pentest wordlists.
The first goal is to enumerate paths using these wordlists.
The enumeration produced several paths; I kept only those returning HTTP status 200 with a response size > 0, and the final result was:
/actuator/env/path (Status: 200) [Size: 487]
/actuator (Status: 200) [Size: 634]
/actuator/sessions (Status: 200) [Size: 48]
/actuator/health (Status: 200) [Size: 15]
/actuator/mappings (Status: 200) [Size: 9938]
/actuator/env/home (Status: 200) [Size: 487]
/actuator/env (Status: 200) [Size: 4957]
/actuator/env/lang (Status: 200) [Size: 487]
/actuator/beans (Status: 200) [Size: 127224]
Now we have a list of endpoints to continue our analysis with.
First of all, I see an /actuator/sessions endpoint; let's see if it contains something useful.
Here we have a session ID and can try to impersonate kanderson. To find out the cookie name we make a login attempt and discover that it is simply JSESSIONID.
Let's use ModHeader to set our JSESSIONID cookie to kanderson's session ID.
The /actuator/mappings endpoint gives us a list of the application's routes. Overall, this page provides three useful paths:
- /executessh
- /admin
- /addhost
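As an added defensive example (not part of the original writeup): the enumeration above walks through Spring Boot Actuator endpoints one after another, which is easy to spot in a web server access log. This Python script, assuming combined log format and using constructed sample lines, flags clients that successfully read sensitive actuator endpoints or touch several distinct actuator paths; the sensitive-endpoint list and the threshold are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log lines in combined format (not taken from the page).
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2023:12:00:01 +0000] "GET /actuator HTTP/1.1" 200 634 "-" "gobuster/3.5"
198.51.100.23 - - [10/Oct/2023:12:00:02 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "gobuster/3.5"
198.51.100.23 - - [10/Oct/2023:12:00:02 +0000] "GET /actuator/env HTTP/1.1" 200 4957 "-" "gobuster/3.5"
198.51.100.23 - - [10/Oct/2023:12:00:03 +0000] "GET /actuator/sessions HTTP/1.1" 200 48 "-" "gobuster/3.5"
198.51.100.23 - - [10/Oct/2023:12:00:03 +0000] "GET /actuator/mappings HTTP/1.1" 200 9938 "-" "gobuster/3.5"
192.0.2.5 - - [10/Oct/2023:12:01:00 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.27"
192.0.2.9 - - [10/Oct/2023:12:02:00 +0000] "GET /login HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Actuator endpoints whose unauthenticated exposure leaks config/secrets or session IDs
# (assumed list; /actuator/health is deliberately excluded since probes hit it legitimately).
SENSITIVE = {"env", "sessions", "beans", "mappings", "heapdump", "configprops", "loggers"}

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def actuator_findings(log_text, enum_threshold=3):
    """Return {ip: {"sensitive": [paths], "distinct": n}} for clients that either read a
    sensitive actuator endpoint with status 200 or touched >= enum_threshold distinct
    actuator paths (wordlist-style enumeration)."""
    per_ip = defaultdict(set)          # ip -> all actuator paths requested
    sensitive_hits = defaultdict(set)  # ip -> sensitive actuator paths served with 200
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith("/actuator"):
            continue
        path = rec["path"].split("?", 1)[0]
        per_ip[rec["ip"]].add(path)
        parts = path.strip("/").split("/")
        if len(parts) >= 2 and parts[1] in SENSITIVE and rec["status"] == "200":
            sensitive_hits[rec["ip"]].add(path)
    findings = {}
    for ip, paths in per_ip.items():
        if sensitive_hits[ip] or len(paths) >= enum_threshold:
            findings[ip] = {"sensitive": sorted(sensitive_hits[ip]), "distinct": len(paths)}
    return findings

if __name__ == "__main__":
    for ip, info in actuator_findings(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct']} actuator paths, sensitive: {info['sensitive']}")
```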
Calling the /admin endpoint with kanderson's cookie, we get the administrator dashboard with this form:
If we inspect the form's behaviour by submitting just the hostname, we get an error that shows the usage text of the ssh command, which means the SSH connection is established through a system call.
If we try to inject a reverse shell command in the username field we get an error saying we can't use whitespace. But a space is not the only way to separate words on a bash command line: we can also use a newline escaped with "\" followed by a tab, which forces bash to assemble the command before executing it.
First I'll show you the payload and then I'll explain it:
- ";" closes the previous command (in this case the pending ssh command)
- "`" (backtick) forces bash to interpret the enclosed string as a command
- "\%0A%09" is the URL-encoded form of "\" followed by a newline and a tab, i.e. "\\n\t"
Raise a listener and send this payload in the username field to get a reverse shell:
We are now connected as the app user; the only file in the current directory is the JAR file. I'll download it and decompile it with JADX to look for other command execution paths or anything else useful.
Once the JAR was decompiled I noticed it was a Spring Boot application. Knowing the framework, I read the application.properties file and obtained the Postgres credentials.
In the database I found the users table with the admin's bcrypt-hashed password, which I cracked using john.
Unfortunately, although the credentials are correct, the admin doesn't have any additional permissions on the /admin endpoint (WHAT), which means this password must be used for something else.
Taking a look at the /etc/passwd file I notice two other users:
- postgres
- josh
I tried the password for both and confirmed that it is josh's password, and josh has an SSH login shell.
Ok, now we have everything needed to start our privilege escalation.
Privilege Escalation
Running `sudo -l` we notice that josh can run ssh as root. This is a known privilege escalation vector and the technique is documented on GTFOBins.
Ok, we are root.