In this post, I would like to share a walkthrough of the CozyHosting Machine from Hack the Box


This room will be considered an Easy machine on Hack the Box

What will you gain from the CozyHosting machine?


For the user flag, you will need to go through with the basic enumeration techniques, an attacker was able to expose a valid user cookie, providing access to an admin dashboard with a command injection vulnerability. Exploiting this vulnerability allowed the attacker to gain remote access to the target system. Subsequently, the attacker uncovered plaintext credentials within the web application framework, granting access to a database. This led to the extraction and cracking of hashes associated with database users.


As for the root flag, we need to take advantage of the cracked credentials to enable the attacker to impersonate a legitimate user, leveraging a sudo configuration that grants root-level permissions to the attacker.

For those who want to learan or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me

Academy link can be found https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259v

Information Gathering on CozyHosting Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Documents/htb/CozyHosting]
└──╼ $ nmap -sC -sV 10.10.11.230 -oA intial 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-09 03:10 EDT
Nmap scan report for 10.10.11.230
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
|_  256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.72 seconds
┌─[darknite@parrot]─[~/Documents/htb/CozyHosting]
└──╼ $ 

Let’s access the website interface


Nothing that we can abuse from the website interface


However, there’s nothing that looks interesting when we investigate using burpsuite


Let’s enumerate the directory with Gobuster and found a few directories that caught my attention


First, we can check on the /admin/ directory on the burpsuite which I cannot see clearly at all.


On the browser interface, we managed to find the error clearly which looks something like Spring Boot that I encountered while doing RedPanda machine


Let’s do some research on the error that we see in the browser which it show that it’s related to Spring Boot as i expected


Let’s revisit the source that i use on the RedPanda machine again and play with the spring boot. The website that i will be referring to is here

Springboot enumeration on the application


When analyzing the actuator JSON file on the website interface, i noticed there are a few links that we can investigate further.


The screenshot above shows the output on the env directory


On the mappings directory, i have some endpoints that i can use to proceed to the next stage.


I found some sessions look suspicious to me but let’s keep looking at the endpoints


If we keep scrolling down, i have found some predicate that can be used in the vulnerability


Let’s move forward on the session which leads to some session cookies and a potential username. For some clarification, the JSESSSIONID will always change from time to time and the JSESSIONID that shows in the screenshot above might be different from yours.


Let’s try to access the dashboard with the username that we found earlier and enter a random password over here.


The original JSESSIONID looks like something as shown in the screenshot above.


Therefore, let’s change the JSESSIONID that appears with the JSSESSIONID that we obtain while enumerating the actuator directory


At last, we managed to access the admin dashboard which looks promising to me at this point.


You will find the same as shown in the screenshot above when you keep scrolling on the dashboard interface.


Let’s test my theory on this by putting the hostname as 127.0.0.1 with the username as admin


It looks like the output as shown in the burpsuite screenshot above.


Let’s start the Python server on our attacker’s machine


As a result, let’s try to upload an unknown file into the application and see if our python server picks anything at all.


It looks like we can upload files into the application this way.


Therefore, let’s create a file that contains our reverse shell command


Before we proceed to the next stage, let’s start our listener so that we can retrieve the reverse shell connection.


We only need to change the filename from the previous command and the application hangs which it looks promising.


We managed to upload our shell file into the application.


Finally, we managed to retrieve the reverse shell connection on our attacker’s machine


After looking into the server, i managed to find one java file within the /app/ directory


Luckily the machine has python3 and we can use it to start the python3 server on the victim’s machine.

A screen shot of a computer

Description automatically generated

At last, the file have successfully transfer into our own machine.


The screenshot above shows the command that i used for this activity


I’m too lazy to analyze the Java application so i decided to use the zipgrep (you can read more on this here) which will provide us with the content on the Java file

A black screen with green text

Description automatically generated

As a result, we can enumerate the database with the username and password found previously

Postgres Enumeration on the cozyhosting machine


The command that we can use with Postgres can be seen in the screenshot above.


From the command executed in the screenshot above, we managed to find the tables on the database.

A black background with green letters

Description automatically generated

Sadly, we cannot change to cozyhosting when we execute the use command


After do some research, Postgres didn’t execute the command use instead they are using the \c command


At last, we managed to retrieve two hashes hoping that we could crack it later using hashcat


Therefore, let’s copy-paste the hashes onto our machine.

A computer screen with green text

Description automatically generated

Before we start our cracking progress, let’s see the potential username on the machine.


The command to use to crack the hashes can be seen in the screenshot above.


Even though the second hashes will take 4 days to crack we managed to obtain the password from one of the hashes.

A black background with colorful text

Description automatically generated

We can change Josh’s access with the password that we found earlier.


However, we can also access the machine with Josh’s credential


We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

A computer screen with green text

Description automatically generated

As usual, let’s execute the “sudo -l” command which might leak the binary that we can use to proceed to the next stage.


Firstly, we can look for any malicious commands that we can use to proceed at the Gtfobins.github.io


Luckily for us, there’s one command that we can execute in this activity. Therefore, let’s try on our victim’s machine

A black screen with green text

Description automatically generated

Finally, it works where we managed to obtain root access


We can read the root flag by typing the “cat root.txt” command