In this post, I would like to share a walkthrough of the CozyHosting Machine from Hack the Box

This room will be considered an Easy machine on Hack the Box

What will you gain from the CozyHosting machine?

For the user flag, you will need to go through with the basic enumeration techniques, an attacker was able to expose a valid user cookie, providing access to an admin dashboard with a command injection vulnerability. Exploiting this vulnerability allowed the attacker to gain remote access to the target system. Subsequently, the attacker uncovered plaintext credentials within the web application framework, granting access to a database. This led to the extraction and cracking of hashes associated with database users.

As for the root flag, we need to take advantage of the cracked credentials to enable the attacker to impersonate a legitimate user, leveraging a sudo configuration that grants root-level permissions to the attacker.

For those who want to learan or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link to support me

Academy link can be found

Information Gathering on CozyHosting Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

└──╼ $ nmap -sC -sV -oA intial 
Starting Nmap 7.93 ( ) at 2023-09-09 03:10 EDT
Nmap scan report for
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
|_  256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 24.72 seconds
└──╼ $ 

Let’s access the website interface

Nothing that we can abuse from the website interface

However, there’s nothing that looks interesting when we investigate using burpsuite

Let’s enumerate the directory with Gobuster and found a few directories that caught my attention

First, we can check on the /admin/ directory on the burpsuite which I cannot see clearly at all.

On the browser interface, we managed to find the error clearly which looks something like Spring Boot that I encountered while doing RedPanda machine

Let’s do some research on the error that we see in the browser which it show that it’s related to Spring Boot as i expected

Let’s revisit the source that i use on the RedPanda machine again and play with the spring boot. The website that i will be referring to is here

Springboot enumeration on the application

When analyzing the actuator JSON file on the website interface, i noticed there are a few links that we can investigate further.

The screenshot above shows the output on the env directory

On the mappings directory, i have some endpoints that i can use to proceed to the next stage.

I found some sessions look suspicious to me but let’s keep looking at the endpoints

If we keep scrolling down, i have found some predicate that can be used in the vulnerability

Let’s move forward on the session which leads to some session cookies and a potential username. For some clarification, the JSESSSIONID will always change from time to time and the JSESSIONID that shows in the screenshot above might be different from yours.

Let’s try to access the dashboard with the username that we found earlier and enter a random password over here.

The original JSESSIONID looks like something as shown in the screenshot above.

Therefore, let’s change the JSESSIONID that appears with the JSSESSIONID that we obtain while enumerating the actuator directory

At last, we managed to access the admin dashboard which looks promising to me at this point.

You will find the same as shown in the screenshot above when you keep scrolling on the dashboard interface.

Let’s test my theory on this by putting the hostname as with the username as admin

It looks like the output as shown in the burpsuite screenshot above.

Let’s start the Python server on our attacker’s machine

As a result, let’s try to upload an unknown file into the application and see if our python server picks anything at all.

It looks like we can upload files into the application this way.

Therefore, let’s create a file that contains our reverse shell command

Before we proceed to the next stage, let’s start our listener so that we can retrieve the reverse shell connection.

We only need to change the filename from the previous command and the application hangs which it looks promising.

We managed to upload our shell file into the application.

Finally, we managed to retrieve the reverse shell connection on our attacker’s machine

After looking into the server, i managed to find one java file within the /app/ directory

Luckily the machine has python3 and we can use it to start the python3 server on the victim’s machine.

A screen shot of a computer

Description automatically generated

At last, the file have successfully transfer into our own machine.

The screenshot above shows the command that i used for this activity

I’m too lazy to analyze the Java application so i decided to use the zipgrep (you can read more on this here) which will provide us with the content on the Java file

A black screen with green text

Description automatically generated

As a result, we can enumerate the database with the username and password found previously

Postgres Enumeration on the cozyhosting machine

The command that we can use with Postgres can be seen in the screenshot above.

From the command executed in the screenshot above, we managed to find the tables on the database.

A black background with green letters

Description automatically generated

Sadly, we cannot change to cozyhosting when we execute the use command

After do some research, Postgres didn’t execute the command use instead they are using the \c command

At last, we managed to retrieve two hashes hoping that we could crack it later using hashcat

Therefore, let’s copy-paste the hashes onto our machine.

A computer screen with green text

Description automatically generated

Before we start our cracking progress, let’s see the potential username on the machine.

The command to use to crack the hashes can be seen in the screenshot above.

Even though the second hashes will take 4 days to crack we managed to obtain the password from one of the hashes.

A black background with colorful text

Description automatically generated

We can change Josh’s access with the password that we found earlier.

However, we can also access the machine with Josh’s credential

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

A computer screen with green text

Description automatically generated

As usual, let’s execute the “sudo -l” command which might leak the binary that we can use to proceed to the next stage.

Firstly, we can look for any malicious commands that we can use to proceed at the

Luckily for us, there’s one command that we can execute in this activity. Therefore, let’s try on our victim’s machine

A black screen with green text

Description automatically generated

Finally, it works where we managed to obtain root access

We can read the root flag by typing the “cat root.txt” command