In this post, I would like to share a walkthrough of the CozyHosting machine from Hack The Box.
This machine is rated Easy on Hack The Box.
What will you gain from the CozyHosting machine?
For the user flag, you will need to go through basic enumeration techniques. An attacker is able to expose a valid user cookie, which grants access to an admin dashboard with a command injection vulnerability. Exploiting this vulnerability gives the attacker remote access to the target system. Subsequently, the attacker uncovers plaintext credentials within the web application framework, granting access to a database. This leads to the extraction and cracking of the hashes associated with the database users.
As for the root flag, we take advantage of the cracked credentials to impersonate a legitimate user and leverage a sudo configuration that grants root-level permissions to the attacker.
For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259v
Information Gathering on CozyHosting Machine
Once we have started the VPN connection, which requires a configuration download from Hack The Box, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Documents/htb/CozyHosting]
└──╼ $ nmap -sC -sV 10.10.11.230 -oA intial
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-09 03:10 EDT
Nmap scan report for 10.10.11.230
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
|_ 256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.72 seconds
┌─[darknite@parrot]─[~/Documents/htb/CozyHosting]
└──╼ $
Let’s access the website interface.
There is nothing we can abuse on the website interface itself.
Likewise, nothing looks interesting when we investigate the traffic using Burp Suite.
Let’s enumerate directories with Gobuster; a few of the directories it found caught my attention.
First, we can check the /admin/ directory in Burp Suite, although the response is not clearly readable there.
In the browser, the error page is readable, and it looks like the Spring Boot error I encountered while doing the RedPanda machine.
Some research on the error we see in the browser confirms that it is related to Spring Boot, as I expected.
Let’s revisit the source I used on the RedPanda machine and play with Spring Boot. The website I will be referring to is here
Spring Boot enumeration on the application
When analyzing the actuator JSON output on the website, I noticed a few links that we can investigate further.
The screenshot above shows the output of the env endpoint.
On the mappings endpoint, I found some endpoints that I can use to proceed to the next stage.
I found some sessions that look suspicious to me, but let’s keep looking at the endpoints.
Scrolling further down, I found a predicate that is relevant to the vulnerability.
Let’s move forward to the sessions endpoint, which reveals some session cookies and a potential username. For clarification, the JSESSIONID changes from time to time, and the JSESSIONID shown in the screenshot above might differ from yours.
Let’s try to log in to the dashboard with the username we found earlier and a random password.
Our own JSESSIONID looks like the one shown in the screenshot above.
Therefore, let’s replace our JSESSIONID with the JSESSIONID we obtained while enumerating the actuator endpoint.
At last, we manage to access the admin dashboard, which looks promising at this point.
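A defensive counterpart to the enumeration above, added for this walkthrough and not part of the original post: a small Python detector that reads nginx access-log lines (constructed here, not captured from the machine) and flags actuator endpoints served to clients outside an allowlist, plus any JSESSIONID presented from more than one client IP, which is exactly the pattern of the cookie swap just performed. It assumes a custom nginx log_format that appends $cookie_JSESSIONID as the last field.

```python
import re
from collections import defaultdict

# Constructed nginx access-log lines (not from the original post); they assume a custom
# log_format that appends the JSESSIONID cookie ($cookie_JSESSIONID) as the last field.
SAMPLE_LOG = """\
192.168.56.20 - - [09/Sep/2023:03:18:44 -0400] "GET /admin HTTP/1.1" 200 4120 "-" "Mozilla/5.0" AAAA1111
10.10.14.5 - - [09/Sep/2023:03:20:01 -0400] "GET /actuator HTTP/1.1" 200 634 "-" "curl/7.88" -
10.10.14.5 - - [09/Sep/2023:03:20:07 -0400] "GET /actuator/sessions HTTP/1.1" 200 148 "-" "curl/7.88" -
10.10.14.5 - - [09/Sep/2023:03:20:09 -0400] "GET /actuator/mappings HTTP/1.1" 200 9811 "-" "curl/7.88" -
10.10.14.5 - - [09/Sep/2023:03:20:12 -0400] "GET /actuator/heapdump HTTP/1.1" 404 121 "-" "curl/7.88" -
10.10.14.5 - - [09/Sep/2023:03:21:30 -0400] "GET /admin HTTP/1.1" 200 4120 "-" "Mozilla/5.0" AAAA1111
"""

# Actuator endpoints whose contents directly hand out live sessions or configuration secrets.
HIGH_RISK = {"/actuator/sessions", "/actuator/env", "/actuator/heapdump"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<sid>\S+)$'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text, actuator_allowlist=frozenset()):
    """Flag actuator exposure/probing and JSESSIONID reuse from more than one client IP."""
    findings = []
    sid_ips = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if (path == "/actuator" or path.startswith("/actuator/")) and rec["ip"] not in actuator_allowlist:
            if rec["status"].startswith("2"):  # a 2xx means the endpoint really is exposed
                rule = "actuator_exposed"
                severity = "high" if path in HIGH_RISK else "medium"
            else:
                rule, severity = "actuator_probed", "low"
            findings.append({"rule": rule, "severity": severity, "ip": rec["ip"], "path": path})
        if rec["sid"] != "-":
            sid_ips[rec["sid"]].add(rec["ip"])
    for sid, ips in sid_ips.items():
        if len(ips) > 1:  # one session cookie presented from several sources: likely hijacked
            findings.append({"rule": "session_reused", "severity": "high",
                             "sid": sid, "ips": tuple(sorted(ips))})
    return findings
```

Pass the monitoring hosts that are allowed to reach the actuator as actuator_allowlist so that legitimate health checks do not raise findings.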
Scrolling down the dashboard interface, you will see what is shown in the screenshot above.
Let’s test my theory by entering 127.0.0.1 as the hostname and admin as the username.
The output looks like the Burp Suite screenshot above.
Let’s start a Python web server on our attacker machine.
Next, let’s try to upload an unknown file into the application and see whether our Python server picks anything up.
It looks like we can upload files into the application this way.
Therefore, let’s create a file that contains our reverse shell command.
Before we proceed to the next stage, let’s start our listener so that we can catch the reverse shell connection.
We only need to change the filename from the previous command; the application then hangs, which looks promising.
We managed to upload our shell file into the application.
Finally, we receive the reverse shell connection on our attacker machine.
After looking around the server, I found one Java file within the /app/ directory.
Luckily the machine has python3, and we can use it to start a python3 server on the victim’s machine.
At last, the file has been transferred successfully to our own machine.
The screenshot above shows the command I used for this step.
I’m too lazy to analyze the Java application, so I decided to use zipgrep (you can read more about it here), which shows us the contents of the Java file.
As a result, we can enumerate the database with the username and password we found.
Postgres Enumeration on the CozyHosting machine
The commands we can use with Postgres can be seen in the screenshot above.
From the command executed in the screenshot above, we found the tables in the database.
Sadly, we cannot switch to cozyhosting when we execute the use command.
After some research: Postgres does not have a use command; instead, the \c meta-command is used to connect to a database.
At last, we retrieved two hashes, hoping that we can crack them later using hashcat.
Therefore, let’s copy-paste the hashes onto our machine.
Before we start cracking, let’s look at the potential usernames on the machine.
The command used to crack the hashes can be seen in the screenshot above.
Even though the second hash would take 4 days to crack, we obtained the password from one of the hashes.
We can switch to Josh’s account with the password we found earlier.
We can also log in to the machine directly with Josh’s credentials.
We can read the user flag by typing the “cat user.txt” command.
Escalating to Root Privileges
As usual, let’s execute the “sudo -l” command, which might reveal a binary that we can use to proceed to the next stage.
First, we can look up that binary on GTFOBins (gtfobins.github.io) for any command we can abuse to proceed.
Luckily for us, there is one command we can use here. Therefore, let’s try it on the victim’s machine.
Finally, it works, and we obtain root access.
We can read the root flag by typing the “cat root.txt” command.